Edit tour

Windows Analysis Report
01_extracted.exe

Overview

General Information

Sample name:	01_extracted.exe
Analysis ID:	1538176
MD5:	4af13587ab5e2b2b7a19282da972396f
SHA1:	638deb78a4feba29c2efd1e4d3d168ac8c30528b
SHA256:	a53c7b06ef5d3fd8bd441323f55e201cef90753849674d8cfa3e8b2f626f4f19
Tags:	exeuser-Racco42
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

01_extracted.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\01_extracted.exe" MD5: 4AF13587AB5E2B2B7A19282DA972396F)

WerFault.exe (PID: 1900 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 01_extracted.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: 01_extracted.exe

Joe Sandbox ML: detected

Source: 01_extracted.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C8449B
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8C7E8
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8C75D FindFirstFileW,FindClose,	0_2_00C8C75D
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F021
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F17E
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8F47F
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C83833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83833
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C83B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83B56
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8BD48

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C92404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C92404

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C9407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C9407C

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C9427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C9427A

Source: C:\Users\user\Desktop\01_extracted.exe

0_2_00C9407C

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C8003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C8003A

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00CACB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CACB26

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C23B4C
Source: 01_extracted.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 01_extracted.exe, 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2ab603ed-b
Source: 01_extracted.exe, 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_2dcf8300-e
Source: 01_extracted.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c86d27c2-8
Source: 01_extracted.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_9d491f07-2

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C8A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00C8A279

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C78638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C78638

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C85264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C85264

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C2E800	0_2_00C2E800
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C2E060	0_2_00C2E060
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C34140	0_2_00C34140
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C42345	0_2_00C42345
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C56452	0_2_00C56452
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00CA0465	0_2_00CA0465
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C525AE	0_2_00C525AE
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4277A	0_2_00C4277A
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00CA08E2	0_2_00CA08E2
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C36841	0_2_00C36841
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C569C4	0_2_00C569C4
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C38968	0_2_00C38968
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C5890F	0_2_00C5890F
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C7E928	0_2_00C7E928
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C88932	0_2_00C88932
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4CCA1	0_2_00C4CCA1
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C56F36	0_2_00C56F36
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C370FE	0_2_00C370FE
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C33190	0_2_00C33190
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C21287	0_2_00C21287
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4F359	0_2_00C4F359
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C43307	0_2_00C43307
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C35680	0_2_00C35680
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C41604	0_2_00C41604
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C358C0	0_2_00C358C0
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C47813	0_2_00C47813
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4DAF5	0_2_00C4DAF5
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C41AF8	0_2_00C41AF8
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C59C35	0_2_00C59C35
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C2FE40	0_2_00C2FE40
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00CA7E0D	0_2_00CA7E0D
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C41F10	0_2_00C41F10
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4BF26	0_2_00C4BF26

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: String function: 00C48A80 appears 42 times
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: String function: 00C40C63 appears 70 times
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: String function: 00C27F41 appears 35 times

Source: C:\Users\user\Desktop\01_extracted.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 652

Source: 01_extracted.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@2/6@0/0

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C8A0F4 GetLastError,FormatMessageW,

0_2_00C8A0F4

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C784F3 AdjustTokenPrivileges,CloseHandle,		0_2_00C784F3
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C78AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C78AA3

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C8B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C8B3BF

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C9EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9EF21

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C984D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00C984D0

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C24FE9

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7096

Source: C:\Users\user\Desktop\01_extracted.exe

File created: C:\Users\user\AppData\Local\Temp\indivisibility

Jump to behavior

Source: 01_extracted.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\01_extracted.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 01_extracted.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\01_extracted.exe "C:\Users\user\Desktop\01_extracted.exe"
Source: C:\Users\user\Desktop\01_extracted.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 652

Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Section loaded: wldp.dll	Jump to behavior

Source: 01_extracted.exe

Static file information: File size 1564160 > 1048576

Source: 01_extracted.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 01_extracted.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 01_extracted.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 01_extracted.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01_extracted.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 01_extracted.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 01_extracted.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 01_extracted.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 01_extracted.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 01_extracted.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 01_extracted.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 01_extracted.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C9C104 LoadLibraryA,GetProcAddress,

0_2_00C9C104

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C702D4 push ecx; ret	0_2_00C703D0
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C703D6 push ecx; ret	0_2_00C703D8
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C703D2 push ecx; ret	0_2_00C703D4
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C88538 push FFFFFF8Bh; iretd	0_2_00C8853A
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4E88F push edi; ret	0_2_00C4E891
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4E9A8 push esi; ret	0_2_00C4E9AA
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C48AC5 push ecx; ret	0_2_00C48AD8
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4EB83 push esi; ret	0_2_00C4EB85
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4EC6C push edi; ret	0_2_00C4EC6E
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C311AD push cs; ret	0_2_00C311AE
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C311B0 push cs; ret	0_2_00C311B6
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C31118 push cs; ret	0_2_00C3111E
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C31120 push cs; ret	0_2_00C311AA
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C354D4 push edx; ret	0_2_00C354EA
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C3548B push ebx; ret	0_2_00C354A6
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C354A7 push eax; ret	0_2_00C354B6
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C35474 push ebx; ret	0_2_00C3548A
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C35404 push ebx; ret	0_2_00C35436
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C35543 push ebx; ret	0_2_00C3554A
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C3554B push ebx; ret	0_2_00C3554E
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C35501 push edx; ret	0_2_00C35516
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C35518 push eax; ret	0_2_00C35542
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C317E3 push ss; ret	0_2_00C317EC
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C317ED push ss; ret	0_2_00C317F0
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C317FD push ss; ret	0_2_00C31800

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C24A35
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00CA53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CA53DF

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C43307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C43307

Source: C:\Users\user\Desktop\01_extracted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\01_extracted.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8449B GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C8449B
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8C7E8
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8C75D FindFirstFileW,FindClose,	0_2_00C8C75D
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F021
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F17E
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8F47F
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C83833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83833
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C83B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83B56
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C8BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8BD48

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C24AFE

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\01_extracted.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C9401F BlockInput,

0_2_00C9401F

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C23B4C

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C55BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C55BFC

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C9C104 LoadLibraryA,GetProcAddress,

0_2_00C9C104

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C781D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C781D4

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C4A2D5
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C4A2A4 SetUnhandledExceptionFilter,		0_2_00C4A2A4

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C78A73 LogonUserW,

0_2_00C78A73

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C23B4C

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C24A35

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C84CCE mouse_event,

0_2_00C84CCE

Source: C:\Users\user\Desktop\01_extracted.exe

0_2_00C781D4

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C84A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C84A08

Source: 01_extracted.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 01_extracted.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C487AB cpuid

0_2_00C487AB

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C55007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C55007

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C6215F GetUserNameW,

0_2_00C6215F

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C540BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C540BA

Source: C:\Users\user\Desktop\01_extracted.exe

Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C24AFE

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Source: 01_extracted.exe	Binary or memory string: WIN_81
Source: 01_extracted.exe	Binary or memory string: WIN_XP
Source: 01_extracted.exe	Binary or memory string: WIN_XPe
Source: 01_extracted.exe	Binary or memory string: WIN_VISTA
Source: 01_extracted.exe	Binary or memory string: WIN_7
Source: 01_extracted.exe	Binary or memory string: WIN_8
Source: 01_extracted.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C96399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C96399
Source: C:\Users\user\Desktop\01_extracted.exe	Code function: 0_2_00C9685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C9685D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	51 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Process Injection	21 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	2 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	15 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
01_extracted.exe	58%	ReversingLabs	Win32.Trojan.AutoitInject
01_extracted.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538176
Start date and time:	2024-10-20 18:16:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	01_extracted.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@2/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 41 Number of non-executed functions: 287
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: 01_extracted.exe

Simulations

Behavior and APIs

Time	Type	Description
12:17:15	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_01_extracted.exe_82751c43976783803cb27442748f3d308a5a22_13b12cd7_f8022c4e-ad0c-49a2-a959-75bd881bc8f0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8874379147041797
Encrypted:	false
SSDEEP:	96:mJFyd7k03es/h3oI7JfPQXIDcQvc6QcEVcw3cE/v+HbHgFe8BRTf3TFYe5PTEz6F:uUd7k03et0BU/ojJ6czuiF4Z24IO8Hs
MD5:	27E525E9A832862EC5EE1020E90A011B
SHA1:	A62103EC62A163CE3E730FC73EDB54D73A0C3E09
SHA-256:	E188AFC3C52B9BCB610A7C25E0983BD211DFD6D43E47A370FDB7197E5F59F5CF
SHA-512:	00CB6BE87F5268A20DD5FE40588F39021F6529B231BA650AA60D8DA582E7398C13442F314E1A78C8EA355F2D800B5795B557447F398DCD5F7152B3EB5534FA85
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.9.1.4.6.2.8.8.2.9.9.4.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.9.1.4.6.2.9.3.2.9.9.4.3.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.0.2.2.c.4.e.-.a.d.0.c.-.4.9.a.2.-.a.9.5.9.-.7.5.b.d.8.8.1.b.c.8.f.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.2.4.d.3.7.c.-.2.d.d.2.-.4.b.f.6.-.8.e.1.5.-.8.a.f.6.a.5.2.0.8.4.0.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.0.1._.e.x.t.r.a.c.t.e.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.8.-.0.0.0.1.-.0.0.1.4.-.d.c.b.4.-.b.4.8.2.0.b.2.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.3.2.c.f.2.1.c.2.e.4.0.f.0.1.b.3.8.e.b.b.6.a.d.c.3.2.5.c.c.a.9.0.0.0.0.0.9.0.8.!.0.0.0.0.6.3.8.d.e.b.7.8.a.4.f.e.b.a.2.9.c.2.e.f.d.1.e.4.d.3.d.1.6.8.a.c.8.c.3.0.5.2.8.b.!.0.1._.e.x.t.r.a.c.t.e.d...e.x.e.....T.a.r.g.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER35AF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 20 16:17:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	184094
Entropy (8bit):	0.9337560195582066
Encrypted:	false
SSDEEP:	384:Dpjs98THl7Bny/jR/EotF9f8ueGSDncjd:Dq9QHl7RybR/Eovh8u/a8d
MD5:	EF8BD627A58D42E755E47A5E781E1CB9
SHA1:	AAA50D27A2DE0438906947ED1AF7ADE6D92A4A26
SHA-256:	59029AF9C1980F90F2E462AD986EDE012BEE6A216D05B7C111221E1C40A28F6A
SHA-512:	3B12E9E2E2A025C0B180F1553150F645A7DE68134F5E421CFA1E43F172D631F642AE09A6CC28E84EC974A08C5AAFD898FAA98D4236F35394AEB905ED01C02A46
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........-.g........................x...........$...0-..........T.......8...........T...........x...............D...........0...............................................................................eJ..............GenuineIntel............T............-.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36E9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.698529511672116
Encrypted:	false
SSDEEP:	192:R6l7wVeJrz6Itz6Y9vSU9G4gmffSprH89b9Vsfpfm:R6lXJ/6Itz6Y1SU9G4gmfff9ufs
MD5:	C387928DC724864DC0BF5C11F2E8F7ED
SHA1:	01827E27412FA168C9207518FE41688DCA2E7AF8
SHA-256:	5860465882353C36D710C3F66E083902B95EE57BCA92E2A7BD36D9DC9F8F8847
SHA-512:	082211600DFE3F183431C9F91046EB01FDB897154A393C687260441001D60064FAA6BBFCF3E9F71F71C001E4B98C5DD0FD9B101BD2D52963025C28D84B0AB08A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3709.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	4.48247100752367
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg77aI9UvWpW8VYEYm8M4JCqFNk+q8HUHmHWu93d:uIjfqI7S+7VoJ+HHmHWy3d
MD5:	BD1368006E9FF71D652110760F3068E6
SHA1:	2FCDF832E14F0962FD93E962BB5230F9B4756259
SHA-256:	94F12A125524294657A7746311C945EDB1797A5E6B86C4D89B803ADF020E6C20
SHA-512:	39D44BB6160AB63D96A61AB00B177432AB455573F648FC95052F4B231896DD03490F27DB9482EFDD75E9D94C5891D4492598F8BDB602AF003329801BCDFE540D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="551959" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\indivisibility

Download File

Process:	C:\Users\user\Desktop\01_extracted.exe
File Type:	AmigaOS outline font
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994040822080327
Encrypted:	true
SSDEEP:	6144:yC+Qqah2kjTSg5rYU/m3zjXae0TSx51oppOMHIwCfCQB:yCdqaNSglY/bv0mojlo
MD5:	2C562AD1ACF3F577C4759FCF9945A73B
SHA1:	A5419E009B17B31EE5F9D67C6A0689E90A2B1023
SHA-256:	FD3F28FFEEDEDD264CA12AEFCDDFDA862607F0E7FE814AABA7DABCAFCBA5786F
SHA-512:	87FA0AC36B674DE8825D0E7E9C713C36AC413612AEF86870E0624265CCDB2D27196D0FBEBAB29B3636109A30A24A13A7E10A866EDCBC422A9AC2272AD0697285
Malicious:	false
Reputation:	low
Preview:	..s..BUQM..<.....WA...aA]...TN5M3HY8MWBY6HIBUQMPTN5M3HY8MW.Y6HG]._M.]...2....?+.8;-2#,=t-T#]'-./2b+C&i+;q...nX"W-w5@]fY6HIBUQ4Q]..-T.dX..9Q.S...w03./.eX*.X...u"2..97&.-T.Y8MWBY6H..UQ.QUN.c..Y8MWBY6H.BWPFQ_N5.7HY8MWBY6H.QUQM@TN5=7HY8.WBI6HI@UQKPTN5M3H_8MWBY6HI2QQMRTN5M3H[8..BY&HIRUQMPDN5]3HY8MWRY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN.9V0-8MW6.2HIRUQM.PN5]3HY8MWBY6HIBUQmPT.5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MWBY6HIBUQMPTN5M3HY8MW

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465423977313325
Encrypted:	false
SSDEEP:	6144:nIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNsdwBCswSby:IXD94+WlLZMM6YFHi+y
MD5:	4A49A35AEAE112A41359DCA7E80F0AA6
SHA1:	09255849C4CDED113894F2AE82072AAB3D22C880
SHA-256:	7B73EFDAB96A86520F725199830CBE4D0068D5F46F214D4971A5BBF158C2E6DE
SHA-512:	0290B138742D8673B25407D4E9165207183F13491523ACD800184ECF923A78901D974A19286FBF0DB5F17E5527735AB42DD6F70D04EB8CAB7D70729C80D80ABA
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr....#...............................................................................................................................................................................................................................................................................................................................................c..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.458236277046196
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	01_extracted.exe
File size:	1'564'160 bytes
MD5:	4af13587ab5e2b2b7a19282da972396f
SHA1:	638deb78a4feba29c2efd1e4d3d168ac8c30528b
SHA256:	a53c7b06ef5d3fd8bd441323f55e201cef90753849674d8cfa3e8b2f626f4f19
SHA512:	e4fd6c24fa97283c4cb09e4988c3b938cf1e15bab2ddc304585d2121fc705b9ac7e07897d535520424bd9e3091dc97638c05c4debf413001f1e95c513e58e4ee
SSDEEP:	24576:fCdxte/80jYLT3U1jfsWaX0vCrS6QlmGMt7CXbE98vN8AJaJjUPcH3wpMrQ:+w80cTsjkWaXt7GmyWAUJYP2wp1
TLSH:	A375D02273DDC370CB769173BF6AB7012EBB7C614630B95B1F880D79A950262162DB63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6711EE75 [Fri Oct 18 05:13:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F3008D766FDh
jmp 00007F3008D694C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F3008D6964Ah
cmp edi, eax
jc 00007F3008D699AEh
bt dword ptr [004C31FCh], 01h
jnc 00007F3008D69649h
rep movsb
jmp 00007F3008D6995Ch
cmp ecx, 00000080h
jc 00007F3008D69814h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3008D69650h
bt dword ptr [004BE324h], 01h
jc 00007F3008D69B20h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F3008D697EDh
test edi, 00000003h
jne 00007F3008D697FEh
test esi, 00000003h
jne 00007F3008D697DDh
bt edi, 02h
jnc 00007F3008D6964Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3008D69653h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3008D696A5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0xb5444	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17d000	0x7130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dd2e	0x8de00	c2c2260508750422d20cd5cbb116b146	False	0.5729952505506608	data	6.675875439961112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	4513b58651e3d8d87c81a396e5b2f1d1	False	0.3353340955284553	OpenPGP Public Key	5.760731648769018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	c2de4a3d214eae7e87c7bfc06bd79775	False	0.1017530487804878	data	1.1988106744719143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0xb5444	0xb5600	0d802df1466d9e8b34bfdcb8cdc355dd	False	0.9636605681426602	data	7.963652357983153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17d000	0x7130	0x7200	1254908a9a03d2bcf12045d49cd572b9	False	0.7703536184210527	data	6.782377328042204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0xac70a	data			1.0003199710043975
RT_GROUP_ICON	0x17bec4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x17bf3c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x17bf50	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x17bf64	0x14	data	English	Great Britain	1.25
RT_VERSION	0x17bf78	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x17c054	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	12:17:08
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\01_extracted.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\01_extracted.exe"
Imagebase:	0xc20000
File size:	1'564'160 bytes
MD5 hash:	4AF13587AB5E2B2B7A19282DA972396F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:17:08
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 652
Imagebase:	0x4f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1858
Total number of Limit Nodes:	125

Executed Functions

Function 00C23B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C23B7A
IsDebuggerPresent.KERNEL32 ref: 00C23B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00CE52F8,00CE52E0,?,?), ref: 00C23BFD

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Part of subcall function 00C30A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C23C26,00CE52F8,?,?,?), ref: 00C30ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00C23C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CD7770,00000010), ref: 00C5D3EC
SetCurrentDirectoryW.KERNEL32(?,00CE52F8,?,?,?), ref: 00C5D424
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CD4260,00CE52F8,?,?,?), ref: 00C5D4AA
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C5D4B1

Part of subcall function 00C23A58: GetSysColorBrush.USER32(0000000F), ref: 00C23A62
Part of subcall function 00C23A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C23A71
Part of subcall function 00C23A58: LoadIconW.USER32(00000063), ref: 00C23A88
Part of subcall function 00C23A58: LoadIconW.USER32(000000A4), ref: 00C23A9A
Part of subcall function 00C23A58: LoadIconW.USER32(000000A2), ref: 00C23AAC
Part of subcall function 00C23A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C23AD2
Part of subcall function 00C23A58: RegisterClassExW.USER32(?), ref: 00C23B28

Part of subcall function 00C239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C23A15
Part of subcall function 00C239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C23A36
Part of subcall function 00C239E7: ShowWindow.USER32(00000000,?,?), ref: 00C23A4A
Part of subcall function 00C239E7: ShowWindow.USER32(00000000,?,?), ref: 00C23A53

Part of subcall function 00C243DB: _memset.LIBCMT ref: 00C24401
Part of subcall function 00C243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C244A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00C5D3E4
runas, xrefs: 00C5D4A5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 552fa4581517543344b7846765113dee4982b7431d1ea607cdaabb28b58efede
Instruction ID: 6095337cbfa458b10e73c381f8ac9d39d6f4b99307eb4d296cdd3a59236e54b7
Opcode Fuzzy Hash: 552fa4581517543344b7846765113dee4982b7431d1ea607cdaabb28b58efede
Instruction Fuzzy Hash: EB5128719042D8AECF12EBF4FC85BFD7B74AF05308B004269FA51BA5A1DA744746EB21

Function 00C24AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C24B2B

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

GetCurrentProcess.KERNEL32(?,00CAFAEC,00000000,00000000,?), ref: 00C24BF8
IsWow64Process.KERNEL32(00000000), ref: 00C24BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C24C45
FreeLibrary.KERNEL32(00000000), ref: 00C24C50
GetSystemInfo.KERNEL32(00000000), ref: 00C24C81
GetSystemInfo.KERNEL32(00000000), ref: 00C24C8D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: ea1d364f8e2af6a3e5b82fe4e0b9b2cd855edc4ebe08b6fc73fcc2cbfff1446d
Instruction ID: b31b3a8b558d5ff65e38df6733d22d2a0abe51fad35d6ca2fcbdf98b74c8e2fb
Opcode Fuzzy Hash: ea1d364f8e2af6a3e5b82fe4e0b9b2cd855edc4ebe08b6fc73fcc2cbfff1446d
Instruction Fuzzy Hash: 3D91F63154ABD0DFC735CB68A4512AAFFE5AF26300B484A9DE4DB93E01D230EA48D75D

Function 00C24FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C24EEE,?,?,00000000,00000000), ref: 00C24FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C24EEE,?,?,00000000,00000000), ref: 00C25010
LoadResource.KERNEL32(?,00000000,?,?,00C24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C24F8F), ref: 00C5DC90
SizeofResource.KERNEL32(?,00000000,?,?,00C24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C24F8F), ref: 00C5DCA5
LockResource.KERNEL32(00C24EEE,?,?,00C24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C24F8F,00000000), ref: 00C5DCB8

Strings

SCRIPT, xrefs: 00C25006

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a8c037809707dd8f0f290b57a88e76dd4a832f8b7fe24ff8f85aa84d3b5ad259
Instruction ID: 59e828a1de066463479609ba76adee0e027502f3fc3a868b701edcfd47a457b9
Opcode Fuzzy Hash: a8c037809707dd8f0f290b57a88e76dd4a832f8b7fe24ff8f85aa84d3b5ad259
Instruction Fuzzy Hash: 8E117075240701BFD7218B65EC48F6B7BB9EBCAB15F10426CF416C7650DB71EC418660

Function 00C2E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C641BB

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: b12f938cc9f134317058f8ef62f317653b7ae0754aa8b245421e44fd32250c3b
Instruction ID: fd9bfbc2609cd310e83b3d557aa230ae136ca5f945a7d47133dbc6747d9d5a0e
Opcode Fuzzy Hash: b12f938cc9f134317058f8ef62f317653b7ae0754aa8b245421e44fd32250c3b
Instruction Fuzzy Hash: FBA28074A00229CFCB24CF99D4C0AAEB7B1FF59310F648069E916AB751D775ED82CB90

Function 00C30B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C30BBB
timeGetTime.WINMM ref: 00C30E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C30FB3
Sleep.KERNEL32(0000000A), ref: 00C30FC1
LockWindowUpdate.USER32(00000000,?,?), ref: 00C3105A
DestroyWindow.USER32 ref: 00C31066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C31080
Sleep.KERNEL32(0000000A,?,?), ref: 00C651DC
TranslateMessage.USER32(?), ref: 00C65FB9
DispatchMessageW.USER32(?), ref: 00C65FC7
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C65FDB

Strings

@GUI_CTRLHANDLE, xrefs: 00C6533D
@GUI_CTRLID, xrefs: 00C65293
@COM_EVENTOBJ, xrefs: 00C65849
@TRAY_ID, xrefs: 00C65AE8
@GUI_WINHANDLE, xrefs: 00C652E8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 24a2dfabe78246fc2226fd509107615ad4d1c2052b29a4c48db70d7112c91509
Instruction ID: db87bbb0d1acfd5ae481a5fc4fc14267068fcbe6004f9f380a5ecaae6e023653
Opcode Fuzzy Hash: 24a2dfabe78246fc2226fd509107615ad4d1c2052b29a4c48db70d7112c91509
Instruction Fuzzy Hash: D2B2EC70618741DFDB38DF24C894BAEB7E4BF84304F24491DE59A8B2A1CB71E945DB82

Function 00C23023 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23074
RegisterClassExW.USER32(00000030), ref: 00C2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
LoadIconW.USER32(000000A9), ref: 00C230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

+, xrefs: 00C2305D
AutoIt v3 GUI, xrefs: 00C23090
0, xrefs: 00C23056
TaskbarCreated, xrefs: 00C230A4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b31b101fca8de878ac807be79d44bd085b03afda47573e74b9d7507c04b47a95
Instruction ID: 075fdc07850b3897c135ccfa83da66501955b54eb9dbaf6505fb6b601b001bb3
Opcode Fuzzy Hash: b31b101fca8de878ac807be79d44bd085b03afda47573e74b9d7507c04b47a95
Instruction Fuzzy Hash: 6031F6B1841359AFDB508FE4E888BCDBBF4FB09318F10412AE580EA2A0D7B54586CF90

Function 00C23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23074
RegisterClassExW.USER32(00000030), ref: 00C2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
LoadIconW.USER32(000000A9), ref: 00C230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

+, xrefs: 00C2305D
AutoIt v3 GUI, xrefs: 00C23090
0, xrefs: 00C23056
TaskbarCreated, xrefs: 00C230A4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d22585d15ac728ae695d2893bc5da48aa0c354f7fb2e952f5a4df25facec3f31
Instruction ID: 200d57ec7fbf9b4fcad532c01b9e683178e72307111b186fcb06fd0ab99d07b0
Opcode Fuzzy Hash: d22585d15ac728ae695d2893bc5da48aa0c354f7fb2e952f5a4df25facec3f31
Instruction Fuzzy Hash: E021C3B1D41258AFDB10DFE4E889B9DBBF4FB09708F00412AFA10EB2A0D7B145458F95

Function 00C271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C24864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE52F8,?,00C237C0,?), ref: 00C24882

Part of subcall function 00C4068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C272C5), ref: 00C406AD

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C27308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C5EC21
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C5EC62
RegCloseKey.ADVAPI32(?), ref: 00C5ECA0
_wcscat.LIBCMT ref: 00C5ECF9

Strings

\Include\, xrefs: 00C272C5
\, xrefs: 00C5ED1C
Software\AutoIt v3\AutoIt, xrefs: 00C272FE
Include, xrefs: 00C5EC18, 00C5EC59

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6aa9227cccc2502209d7fbc9ff274c89ffcf7a37539e0724fec158fad5fa8403
Instruction ID: 31ec64b046003d625d101fa211b1013281570ae9ab0df4f1ddaaa4e0e5249d67
Opcode Fuzzy Hash: 6aa9227cccc2502209d7fbc9ff274c89ffcf7a37539e0724fec158fad5fa8403
Instruction Fuzzy Hash: FF718F715193519EC704DF65E881A9FBBF8FFA4390F40092EF545CB1A0EB309A48DB55

Function 00C23A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23A62
LoadCursorW.USER32(00000000,00007F00), ref: 00C23A71
LoadIconW.USER32(00000063), ref: 00C23A88
LoadIconW.USER32(000000A4), ref: 00C23A9A
LoadIconW.USER32(000000A2), ref: 00C23AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C23AD2
RegisterClassExW.USER32(?), ref: 00C23B28

Part of subcall function 00C23041: GetSysColorBrush.USER32(0000000F), ref: 00C23074
Part of subcall function 00C23041: RegisterClassExW.USER32(00000030), ref: 00C2309E
Part of subcall function 00C23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
Part of subcall function 00C23041: InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
Part of subcall function 00C23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
Part of subcall function 00C23041: LoadIconW.USER32(000000A9), ref: 00C230F2
Part of subcall function 00C23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

#, xrefs: 00C23B0D
0, xrefs: 00C23B06
AutoIt v3, xrefs: 00C23B17

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 33a4a1f1c14728b41b12e2d6af438750f8b2b44ffb05342312c5b5759753ec5e
Instruction ID: 6b62b1392f2703820bb2e95eb13029a1f996d83f9e8ee768cd1ef52a566acf6d
Opcode Fuzzy Hash: 33a4a1f1c14728b41b12e2d6af438750f8b2b44ffb05342312c5b5759753ec5e
Instruction Fuzzy Hash: A9212771D00358AFEB10DFA4EC89B9D7BB4FB08719F10012AF604EB2A1D7B55A519F94

Function 00C23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C236D2
KillTimer.USER32(?,00000001), ref: 00C236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C2372A
CreatePopupMenu.USER32 ref: 00C2373E
PostQuitMessage.USER32(00000000), ref: 00C2375F

Strings

TaskbarCreated, xrefs: 00C23725

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 91b562cfe85cff1e16e92a4761edfed12ff8500e6310baa631f9771c5119641e
Instruction ID: cff6857d0f59fa5b496b46613736988551bff81706c9e0911a750740ea0ffd1b
Opcode Fuzzy Hash: 91b562cfe85cff1e16e92a4761edfed12ff8500e6310baa631f9771c5119641e
Instruction Fuzzy Hash: D94146F22006E5ABDF245F68FD49B7D3759FB00304F140128FA12CAAE1CA798F41A761

Function 00C23778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 00C2388F
/AutoIt3OutputDebug, xrefs: 00C238A4
CMDLINE, xrefs: 00C23834
/AutoIt3ExecuteLine, xrefs: 00C238B9
/AutoIt3ExecuteScript, xrefs: 00C238CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00C237C0
CMDLINERAW, xrefs: 00C2380D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 7fd5147b075818c63334591ec06f5a2595f00d6a2b23579bd82cbec625a52685
Instruction ID: 3acaeda7e3321e5431eb2f313a06e81025849e626b44da0f57c07925f9b19e51
Opcode Fuzzy Hash: 7fd5147b075818c63334591ec06f5a2595f00d6a2b23579bd82cbec625a52685
Instruction Fuzzy Hash: 5CA16C72D102699ACF14EBA0EC96AEEB778BF14304F40052AF512B7591EF749A09DB60

Function 00C239E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C23A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C23A36
ShowWindow.USER32(00000000,?,?), ref: 00C23A4A
ShowWindow.USER32(00000000,?,?), ref: 00C23A53

Strings

edit, xrefs: 00C23A30
AutoIt v3, xrefs: 00C23A0D, 00C23A12, 00C23A13

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b1e8b27d9fffafb6176d775da310171f66bad7f4a651df31066d10f648e5aeef
Instruction ID: 6ec02e9f94c0e65916433309f66d69fdceca039bcb295ff84acf3c6bba136bcd
Opcode Fuzzy Hash: b1e8b27d9fffafb6176d775da310171f66bad7f4a651df31066d10f648e5aeef
Instruction Fuzzy Hash: E6F017746002907EEA205763AC88F6F3E7DD7C7F58B01002EBA00AA171C6710841DAB0

Function 00C2410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C5D51C

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

_memset.LIBCMT ref: 00C2418D
_wcscpy.LIBCMT ref: 00C241E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C241F1

Strings

Line: , xrefs: 00C5D545

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 9b08846a662253e684c64ee7d56ff0141144eba907728bc451db26487c38d159
Instruction ID: 9ef3e6710cc816c56b83f1b74f7d66583a62a1bf45acf63e0fcc287c73221b45
Opcode Fuzzy Hash: 9b08846a662253e684c64ee7d56ff0141144eba907728bc451db26487c38d159
Instruction Fuzzy Hash: B5310271008364AFD725EBA0EC86FDF77E8AF44304F104A1EF295964A1EF70A658D792

Function 00C269CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C24F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24F6F

_free.LIBCMT ref: 00C5E5BC
_free.LIBCMT ref: 00C5E603

Part of subcall function 00C26BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C26D0D

Strings

Bad directive syntax error, xrefs: 00C5E5EB
>>>AUTOIT SCRIPT<<<, xrefs: 00C5E392

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 9b70cca7aa3e3c7d4f93f84557d0c2d5e30350c6f69427cdda8845514627dbb9
Instruction ID: 2c3c59523f96be38fc8047f0b369ddbf871a754107cfaf9cc8657a7c0a3dfd31
Opcode Fuzzy Hash: 9b70cca7aa3e3c7d4f93f84557d0c2d5e30350c6f69427cdda8845514627dbb9
Instruction Fuzzy Hash: EB918171914229AFCF08EFA4D8919EDB7B4FF08314F104429F815AB2A1EB309A49DF64

Function 00C235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C235A1,SwapMouseButtons,00000004,?), ref: 00C235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C235A1,SwapMouseButtons,00000004,?,?,?,?,00C22754), ref: 00C235F5
RegCloseKey.KERNELBASE(00000000,?,?,00C235A1,SwapMouseButtons,00000004,?,?,?,?,00C22754), ref: 00C23617

Strings

Control Panel\Mouse, xrefs: 00C235D2

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9818bfb9cddc11c7c4293e9e39d454ca701b82b4a5c4660207cfb5545eb575d8
Instruction ID: 6f70d9ecd90f347b6fb930384128d87cdde285c0240ef6dec30a6d667b14a221
Opcode Fuzzy Hash: 9818bfb9cddc11c7c4293e9e39d454ca701b82b4a5c4660207cfb5545eb575d8
Instruction Fuzzy Hash: BD114571610268BFDB208FA8EC80AEEBBBCFF05744F018469F805D7210E2719F419BA4

Function 00C89604 Relevance: 6.2, APIs: 4, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C25045: _fseek.LIBCMT ref: 00C2505D

Part of subcall function 00C897DD: _wcscmp.LIBCMT ref: 00C898CD
Part of subcall function 00C897DD: _wcscmp.LIBCMT ref: 00C898E0

_free.LIBCMT ref: 00C8974B
_free.LIBCMT ref: 00C89752
_free.LIBCMT ref: 00C897BD

Part of subcall function 00C42ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00C49BA4), ref: 00C42EE9
Part of subcall function 00C42ED5: GetLastError.KERNEL32(00000000,?,00C49BA4), ref: 00C42EFB

_free.LIBCMT ref: 00C897C5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 06f46c1fceb8d5b17a5c3841cb1f24f72943730a4dd95fd49ea67a1a9e5beba0
Instruction ID: 178d68710019c9a3bbcff1cf3cc64e938c8bc37b5bb1cf5367362b521425336d
Opcode Fuzzy Hash: 06f46c1fceb8d5b17a5c3841cb1f24f72943730a4dd95fd49ea67a1a9e5beba0
Instruction Fuzzy Hash: E25161B1D04218AFDF249F64DC81AAEBBB9FF48304F14049EF609A7251DB715A80DF58

Function 00C273E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C5ED92
GetOpenFileNameW.COMDLG32(?), ref: 00C5EDDC

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

Part of subcall function 00C40911: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C40930

Strings

X, xrefs: 00C5EDAA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: bcc9eee24f93b264aff39ba8de6085a65687732c34db49b2830102d78e6b5c2d
Instruction ID: 58be64a6a207cd507c0f456bdfa9531df4dadc680be60f6a2e265d934a7fc729
Opcode Fuzzy Hash: bcc9eee24f93b264aff39ba8de6085a65687732c34db49b2830102d78e6b5c2d
Instruction Fuzzy Hash: FA21C371A002589BDF05DF94D845BEE7BF9AF48704F10401AE908AB342DFB45A8D9FA1

Function 00C9CBF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d10b218a1095188bead97fd718ced623cc48149a48c7eabf227fef4c5ea249
Instruction ID: 55c94727f41e4b3f28017725e337560ed69e1e6269a5ccd7ef60dfecb7aa8e5c
Opcode Fuzzy Hash: 05d10b218a1095188bead97fd718ced623cc48149a48c7eabf227fef4c5ea249
Instruction Fuzzy Hash: BEF13A715083019FCB14DF28C485A6ABBE5FF88314F54892EF89A9B351D731E945CF82

Function 00C2F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C402E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C40313
Part of subcall function 00C402E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C4031B
Part of subcall function 00C402E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C40326
Part of subcall function 00C402E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C40331
Part of subcall function 00C402E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C40339
Part of subcall function 00C402E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C40341

Part of subcall function 00C36259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C2FA90), ref: 00C362B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C2FB2D
OleInitialize.OLE32(00000000), ref: 00C2FBAA
CloseHandle.KERNEL32(00000000), ref: 00C64921

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c35fb5a7fa3795af7d107c6594a040e1241c1fe9f692d42b5754f242f17d3469
Instruction ID: 95095f12e492670b7bfb4bb3e574d058ac8473fd11c679b0e72feec9f1745e09
Opcode Fuzzy Hash: c35fb5a7fa3795af7d107c6594a040e1241c1fe9f692d42b5754f242f17d3469
Instruction Fuzzy Hash: 5781B8B1911BC08FC785DF7AA9C171D7AE5FB8830E750812EA519CF2B2EBB044858F61

Function 00C243DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C24401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C244A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C244C3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 29daaec7b051c95d3a4c5d974a7d35e33d1e99772d0a61575e7b17839baa37c9
Instruction ID: a7744f9a6f529b178d1586eda419e4412b2b275733e8aa5691b244405bceb80c
Opcode Fuzzy Hash: 29daaec7b051c95d3a4c5d974a7d35e33d1e99772d0a61575e7b17839baa37c9
Instruction Fuzzy Hash: 273181B0504751CFD725EF64E88479BBBF8FB49308F00092EF69A87641D771AA44CB92

Function 00C4588C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C458A3

Part of subcall function 00C4A2EB: __NMSG_WRITE.LIBCMT ref: 00C4A312
Part of subcall function 00C4A2EB: __NMSG_WRITE.LIBCMT ref: 00C4A31C

__NMSG_WRITE.LIBCMT ref: 00C458AA

Part of subcall function 00C4A348: GetModuleFileNameW.KERNEL32(00000000,00CE33BA,00000104,?,00000001,00000000), ref: 00C4A3DA
Part of subcall function 00C4A348: ___crtMessageBoxW.LIBCMT ref: 00C4A488

Part of subcall function 00C4321F: ___crtCorExitProcess.LIBCMT ref: 00C43225
Part of subcall function 00C4321F: ExitProcess.KERNEL32 ref: 00C4322E

Part of subcall function 00C48CA8: __getptd_noexit.LIBCMT ref: 00C48CA8

RtlAllocateHeap.NTDLL(01520000,00000000,00000001,00000000,?,?,?,00C40F53,?), ref: 00C458CF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7bd5ed9e546c934afd2dece9fb89e72478be3a0005203ecb3bd28714de343fe6
Instruction ID: cb2df1a0267a1e904f723ab695af89ba435b41037dfd0f1e405b23e63c15b03b
Opcode Fuzzy Hash: 7bd5ed9e546c934afd2dece9fb89e72478be3a0005203ecb3bd28714de343fe6
Instruction Fuzzy Hash: D9012432280B419BE6113BB5EC82B2E7358FF82770F100039F921AB1D3DFB59E016A61

Function 00C2AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C5FF5A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: df203fa877e8d5bceac4b70f14e198b82ee32aba745b441b90720692cbbf9a58
Instruction ID: 6ce381743e9a726fe21b3e9dd64d37e1e7ce45fd56b55296625a9eef7769b312
Opcode Fuzzy Hash: df203fa877e8d5bceac4b70f14e198b82ee32aba745b441b90720692cbbf9a58
Instruction Fuzzy Hash: 44225770508321CFDB28DF14D495B2AB7E1BF84304F24896DE89A9B761DB31ED85DB82

Function 00C24DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C24E1A

Strings

EA06, xrefs: 00C5DC25

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 100136aac0b9870431202864f210ae992a1882031298a01302e1ec52b77b41f2
Instruction ID: ea830b3cbbbe2e7fbea2f3685d36eb39230c6616dfa6c8ad9093e6f97ba3d02e
Opcode Fuzzy Hash: 100136aac0b9870431202864f210ae992a1882031298a01302e1ec52b77b41f2
Instruction Fuzzy Hash: 3E41B031A042785BEF299B64EC517BFBFA6AF41300F294074EC42DB582C6309E84D7E1

Function 00C27BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C27C0B
_memmove.LIBCMT ref: 00C27C76

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 79ae0bb1cd2abe0d9b669038cfbb43928e6be93af8b008abed3dc31d02f90a03
Instruction ID: 8e43b7d3502578a1564f38e05875da3b8102a44b3c145321d750b9d7e1b08a26
Opcode Fuzzy Hash: 79ae0bb1cd2abe0d9b669038cfbb43928e6be93af8b008abed3dc31d02f90a03
Instruction Fuzzy Hash: 3231F4B1604516AFC714DF78E8D1E69F3A8FF483207248729E925CB691DB70E920CB90

Function 00C2492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C24992

Part of subcall function 00C434EC: __lock.LIBCMT ref: 00C434F2
Part of subcall function 00C434EC: DecodePointer.KERNEL32(00000001,?,00C249A7,00C77F9C), ref: 00C434FE
Part of subcall function 00C434EC: EncodePointer.KERNEL32(?,?,00C249A7,00C77F9C), ref: 00C43509

Part of subcall function 00C24A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C24A73
Part of subcall function 00C24A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C24A88

Part of subcall function 00C23B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C23B7A
Part of subcall function 00C23B4C: IsDebuggerPresent.KERNEL32 ref: 00C23B8C
Part of subcall function 00C23B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CE52F8,00CE52E0,?,?), ref: 00C23BFD
Part of subcall function 00C23B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C23C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00C249D2

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ebba58f55e643ebdbdc318190e0404573e0a18e70adf03e22c89be808f3d76cc
Instruction ID: 9e214a407e55e42ac819c96dbb75327d9ac4a7285892a033741aed57b48220c8
Opcode Fuzzy Hash: ebba58f55e643ebdbdc318190e0404573e0a18e70adf03e22c89be808f3d76cc
Instruction Fuzzy Hash: 6C119D718143619FC300EF69E886B0EFFE8EB94754F10851EF1458B2B1DB709645DB92

Function 00C25DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00C25981,?,?,?,?), ref: 00C25E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00C25981,?,?,?,?), ref: 00C5E0CC

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ce271b3160769e3b0f4e0c554d7b362df0e05b61fa4ddefcd71a3de5e0391b8b
Instruction ID: f4801bb2b48305f121191be8a4394112bbfa6e797aa6a79dfcca1c8b5b6d2760
Opcode Fuzzy Hash: ce271b3160769e3b0f4e0c554d7b362df0e05b61fa4ddefcd71a3de5e0391b8b
Instruction Fuzzy Hash: 0401B570244718BEF7341E24DC8AF773A9CEB05768F108318BAF55A1E0C6B85F898B14

Function 00C40F36 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C4588C: __FF_MSGBANNER.LIBCMT ref: 00C458A3
Part of subcall function 00C4588C: __NMSG_WRITE.LIBCMT ref: 00C458AA
Part of subcall function 00C4588C: RtlAllocateHeap.NTDLL(01520000,00000000,00000001,00000000,?,?,?,00C40F53,?), ref: 00C458CF

std::exception::exception.LIBCMT ref: 00C40F6C
__CxxThrowException@8.LIBCMT ref: 00C40F81

Part of subcall function 00C4871B: RaiseException.KERNEL32(?,?,?,00CD9E78,00000000,?,?,?,?,00C40F86,?,00CD9E78,?,00000001), ref: 00C48770

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 69189aa6f2d6322d95f13c475f6fb442213ff479fd04807a9527df936c6ef936
Instruction ID: 73d4b3fc0d70efbf202b2d1e47fa7551a8d0ac04e1c8c0b1740e75b8ccaa1ad8
Opcode Fuzzy Hash: 69189aa6f2d6322d95f13c475f6fb442213ff479fd04807a9527df936c6ef936
Instruction Fuzzy Hash: 9AF0C87154421D66DB20FAE8EC129DE7BACFF00311F200876FE1896282EF709B58E6D5

Function 00C45516 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C48CA8: __getptd_noexit.LIBCMT ref: 00C48CA8

__lock_file.LIBCMT ref: 00C4555B

Part of subcall function 00C46D8E: __lock.LIBCMT ref: 00C46DB1

__fclose_nolock.LIBCMT ref: 00C45566

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 055c527eeea99ac9fd9dacc53b1e5709626f4c9b1c7225ab951276bb714b2445
Instruction ID: 8f9789d517c917ca0c379eff0a018b4f3909462e4cb651572a73bf838c0546be
Opcode Fuzzy Hash: 055c527eeea99ac9fd9dacc53b1e5709626f4c9b1c7225ab951276bb714b2445
Instruction Fuzzy Hash: 54F05471901A059BD7107B75880677E77A27F41331F158209F425AB1C2CB7C4A45BF52

Function 00C2766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C2774A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 25640ea70a19961a3ee3642c4dd4939aa7249cf99a5976f617b39fe3c739ff9c
Instruction ID: 7675a2f6a20d52efd00ee684ec4306b127dd1eb46a291a71ab4ff0cef842e260
Opcode Fuzzy Hash: 25640ea70a19961a3ee3642c4dd4939aa7249cf99a5976f617b39fe3c739ff9c
Instruction Fuzzy Hash: FE31B479208A22DFD7249F19E4D1921F7E0FF09720714C66DE9998BB65E730EC81DB84

Function 00C60005 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C60010

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c036ef1eaadf1f8eee68999b243a32e8c818d0f689644625c73d7da54a2867cf
Instruction ID: 08dd8f7060d94ecb8729fa2a1342a6155fe70a9f4f875e0f0cf4e4fbd34295f3
Opcode Fuzzy Hash: c036ef1eaadf1f8eee68999b243a32e8c818d0f689644625c73d7da54a2867cf
Instruction Fuzzy Hash: B94109745083518FDB24DF14C484B1ABBE1BF89318F1988ACE9955B762C732EC46DF52

Function 00C27CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C27D13

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 45b44920c4107b42cced9378cf49f270fbc2b10c1b1e23699e3242c0b223a846
Instruction ID: 22dcbd81151b992ecb1fa30dde6b569d7e25c5639be920701715d16380274a37
Opcode Fuzzy Hash: 45b44920c4107b42cced9378cf49f270fbc2b10c1b1e23699e3242c0b223a846
Instruction Fuzzy Hash: 4D219772604A18EBDB188F22FC8176E3BB8FF54352F25852EE886C4491EB30C1D5D309

Function 00C24F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C24D4D

Part of subcall function 00C453CB: __wfsopen.LIBCMT ref: 00C453D6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24F6F

Part of subcall function 00C24CC8: FreeLibrary.KERNEL32(00000000), ref: 00C24D02

Part of subcall function 00C24DD0: _memmove.LIBCMT ref: 00C24E1A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 32cdc4f1f9269c7f675d399e134914a9298aa5bcd58cb3ad46a5b73f68b9d7b8
Instruction ID: 94ddbb8a7b50c75cf2555d9a4e4fa285e5927d9b14988d6210247210803bff5f
Opcode Fuzzy Hash: 32cdc4f1f9269c7f675d399e134914a9298aa5bcd58cb3ad46a5b73f68b9d7b8
Instruction Fuzzy Hash: 2E110D31600325ABCF24BFB4ED16F6E77A59F40701F10842DF941975C1DA715A05A750

Function 00C600DE Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C600EA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8eb715909a1b07ba5f1360de4389a9384ce8919321167e5df1aa7cef954ab971
Instruction ID: c4eae52c6436f2b4c747ee24fab63693acf2962927a5539677ff511099117e68
Opcode Fuzzy Hash: 8eb715909a1b07ba5f1360de4389a9384ce8919321167e5df1aa7cef954ab971
Instruction Fuzzy Hash: A4212FB0508311DFDB24DF54C884A1ABBE0BF88314F05896CE99A57B21D731E81ADB93

Function 00C27F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C27F82

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 30ae08df22f3e24278386962e51b07d78d9970315b294ff5bcc8b6b01ce6d83e
Instruction ID: f91bdd12264a8de01b1ebedb6cd7a38c6a3ce1ec2deefa05ba9b8b0ce44ee5a0
Opcode Fuzzy Hash: 30ae08df22f3e24278386962e51b07d78d9970315b294ff5bcc8b6b01ce6d83e
Instruction Fuzzy Hash: 9E01F9726487116ED7209F79DC02F67BBA4EF44760F10863EFA5ACA5D1EA31E5009B90

Function 00C24FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24FDE

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8e5d28e1fb1336096a9d3cdd8694b2cc41f41612effca6ed9f8ee2d6504e1ab8
Instruction ID: 4216a5dfa4fdd84f1832c3317f65a5cd3af35fcba0760dc646c4c0a32c7d710c
Opcode Fuzzy Hash: 8e5d28e1fb1336096a9d3cdd8694b2cc41f41612effca6ed9f8ee2d6504e1ab8
Instruction Fuzzy Hash: F3F03975505722CFCB389FA5E594826BBE1BF443293208A3EE1E683A10C731A940DF40

Function 00C40911 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C40930

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 728f26c9250ba2126e0cfac7b49d07797b53fefe7e351994853bc35bb8d91f73
Instruction ID: e81f936b079b66d523df230c023f2ecab4c6ede12c4c263355e2c923f3aab5a4
Opcode Fuzzy Hash: 728f26c9250ba2126e0cfac7b49d07797b53fefe7e351994853bc35bb8d91f73
Instruction Fuzzy Hash: 6FE0CD3690512857C721D6989C05FFA77EDDFC9791F0402B5FC4CD7205D9705C819690

Function 00C8349E Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8339D: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,00C834AA,?,?,?,00C5DF90,00CD55C0,00000002,?,?), ref: 00C8341B

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00C5DF90,00CD55C0,00000002,?,?,?,?), ref: 00C834B8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 646a6a66b27f28374e650594519c48d94e495413cb9ce6fdc49e6cd7d38280ed
Instruction ID: e28d2441ad266a17ac70d600c35cc07a77bf928ba2a4de60e1483be535605b0d
Opcode Fuzzy Hash: 646a6a66b27f28374e650594519c48d94e495413cb9ce6fdc49e6cd7d38280ed
Instruction Fuzzy Hash: FFE04636400208FBDB20AF94D805FDAB7BCEB05320F00065AFA4082111DBB2AE24ABA0

Function 00C453CB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C453D6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: c8b071b3b8e4883a10bb0439cfb1d4e6c2e57f007fdaa16f7c286752cb2ce069
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 9EB0927654020C77CE012E82EC02A493B59AB407A4F408020FB0C185B2A6B3A660A689

Function 00C8D107 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C8D28B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c10d6b8bd5aa3efeedf78c0fa6e7582bfeaf1a7a7c4553f677a22077d6537173
Instruction ID: ee7cfc1e3929fd54c95e9b92b9a6a82bc5131dcd110501712f32e7e7b6f6347e
Opcode Fuzzy Hash: c10d6b8bd5aa3efeedf78c0fa6e7582bfeaf1a7a7c4553f677a22077d6537173
Instruction Fuzzy Hash: 03716030204312CFCB14EF64D591A6AB7E0AF89718F04496DF4969B6A2DB30EE09DB56

Function 00C40D88 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00C40E37

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: cf4cb431ed6e6f8a084619502ea4bbff67855ea88c343cee1de911a1ff34a5dc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5531F374A401059BC718DF59C480969FBB2FF89300B788AA9E54ACB355DB31EED1CB80

Function 00C25DCF Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00C25921,?,00C26C37), ref: 00C25DEF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 02ce40ec871343f666f0322561012ae47f0324f5f44c7a741080c03b034ad4ec
Instruction ID: c7b594654c469b01cb7b1a07fa9683d58aa40ad2f713f2131979729e132d4fd3
Opcode Fuzzy Hash: 02ce40ec871343f666f0322561012ae47f0324f5f44c7a741080c03b034ad4ec
Instruction Fuzzy Hash: B7E09279501A11CEC7314F1AE908426FBE4FEE13613204A2ED4E682A64D3B1598A8B50

Non-executed Functions

Function 00CACB26 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CACBA1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CACBFF
GetWindowLongW.USER32(?,000000F0), ref: 00CACC40
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CACC6A
SendMessageW.USER32 ref: 00CACC93
_wcsncpy.LIBCMT ref: 00CACCFF
GetKeyState.USER32(00000011), ref: 00CACD20
GetKeyState.USER32(00000009), ref: 00CACD2D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CACD43
GetKeyState.USER32(00000010), ref: 00CACD4D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CACD76
SendMessageW.USER32 ref: 00CACD9D
SendMessageW.USER32(?,00001030,?,00CAB37C), ref: 00CACEA1
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CACEB7
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CACECA
SetCapture.USER32(?), ref: 00CACED3
ClientToScreen.USER32(?,?), ref: 00CACF38
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CACF45
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CACF5F
ReleaseCapture.USER32 ref: 00CACF6A
GetCursorPos.USER32(?), ref: 00CACFA4
ScreenToClient.USER32(?,?), ref: 00CACFB1
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CAD00D
SendMessageW.USER32 ref: 00CAD03B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CAD078
SendMessageW.USER32 ref: 00CAD0A7
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CAD0C8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CAD0D7
GetCursorPos.USER32(?), ref: 00CAD0F7
ScreenToClient.USER32(?,?), ref: 00CAD104
GetParent.USER32(?), ref: 00CAD124
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CAD18D
SendMessageW.USER32 ref: 00CAD1BE
ClientToScreen.USER32(?,?), ref: 00CAD21C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CAD24C
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CAD276
SendMessageW.USER32 ref: 00CAD299
ClientToScreen.USER32(?,?), ref: 00CAD2EB
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CAD31F

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

GetWindowLongW.USER32(?,000000F0), ref: 00CAD3BB

Strings

F, xrefs: 00CAD29F
@GUI_DRAGID, xrefs: 00CACF06

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 3da6cfd617fc02641ddb5aa5895a00b7f5c68029e43604617f03517557a1b586
Instruction ID: 81a41be1d02aa3894f6bb0974fe22520e94fc79c012159cdc90a9cd643bb7614
Opcode Fuzzy Hash: 3da6cfd617fc02641ddb5aa5895a00b7f5c68029e43604617f03517557a1b586
Instruction Fuzzy Hash: 5A429F34604342AFDB20CF64D884BAABBE5FF4A318F14091DF566972B1C732D951DB91

Function 00C370FE Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C37323
_memset.LIBCMT ref: 00C37699
_memmove.LIBCMT ref: 00C3780C

Strings

Q\E, xrefs: 00C3812B
[:<:]], xrefs: 00C375D9
\b(?<=\w), xrefs: 00C73AC9
DEFINE, xrefs: 00C72459
[:>:]], xrefs: 00C375F2
\b(?=\w), xrefs: 00C73ABF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 23032218e18da3445ba738de33bba51e46dd0fdf3b4b7125a591e5733f5ec79c
Instruction ID: 592cdaff7c240052b96c357a39e157cb3651c74867d36d4b20d016ea7e1fe3fe
Opcode Fuzzy Hash: 23032218e18da3445ba738de33bba51e46dd0fdf3b4b7125a591e5733f5ec79c
Instruction Fuzzy Hash: 1093A275A00219DFDF24CF99C881BADB7B1FF48710F24816AE959EB291E7709E81DB40

Function 00C24A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00C24A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C5D9BE
IsIconic.USER32(?), ref: 00C5D9C7
ShowWindow.USER32(?,00000009), ref: 00C5D9D4
SetForegroundWindow.USER32(?), ref: 00C5D9DE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C5D9F4
GetCurrentThreadId.KERNEL32 ref: 00C5D9FB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5DA07
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C5DA18
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C5DA20
AttachThreadInput.USER32(00000000,?,00000001), ref: 00C5DA28
SetForegroundWindow.USER32(?), ref: 00C5DA2B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DA40
keybd_event.USER32(00000012,00000000), ref: 00C5DA4B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DA55
keybd_event.USER32(00000012,00000000), ref: 00C5DA5A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DA63
keybd_event.USER32(00000012,00000000), ref: 00C5DA68
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5DA72
keybd_event.USER32(00000012,00000000), ref: 00C5DA77
SetForegroundWindow.USER32(?), ref: 00C5DA7A
AttachThreadInput.USER32(?,?,00000000), ref: 00C5DAA1

Strings

Shell_TrayWnd, xrefs: 00C5D9B9

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8bfc43991665d7c86c86f1544b4e865b00cf3034b35b1fd687e6f7d2e3b0dc07
Instruction ID: 47e705db9363ac3b7bfe1848f046841b9673c671a0b71325369c4147791df264
Opcode Fuzzy Hash: 8bfc43991665d7c86c86f1544b4e865b00cf3034b35b1fd687e6f7d2e3b0dc07
Instruction Fuzzy Hash: D1315075A40318BAEB306FA19C49F7F7E6CEB45B51F104029FE05EB190DAB05941AAA4

Function 00C78638 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C78AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C78AED
Part of subcall function 00C78AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78B1A
Part of subcall function 00C78AA3: GetLastError.KERNEL32 ref: 00C78B27

_memset.LIBCMT ref: 00C7867B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C786CD
CloseHandle.KERNEL32(?), ref: 00C786DE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C786F5
GetProcessWindowStation.USER32 ref: 00C7870E
SetProcessWindowStation.USER32(00000000), ref: 00C78718
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C78732

Part of subcall function 00C784F3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C78631), ref: 00C78508
Part of subcall function 00C784F3: CloseHandle.KERNEL32(?,?,00C78631), ref: 00C7851A

Strings

default, xrefs: 00C7872D
, xrefs: 00C7868A
winsta0, xrefs: 00C786F0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 82b1b518c6a24eb51541bf9d429b1a76717a57f2786ffdf6000bb7b1716d88f2
Instruction ID: 9be7084c0315d919b1677f5a67c08596c815987f04789ade227579d2ad5f351a
Opcode Fuzzy Hash: 82b1b518c6a24eb51541bf9d429b1a76717a57f2786ffdf6000bb7b1716d88f2
Instruction Fuzzy Hash: 87816D71980209EFDF119FA4CC49AEE7B78FF05304F548169FA28A71A1DB318E19DB61

Function 00C9407C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CAF910), ref: 00C940A6
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C940B4
GetClipboardData.USER32(0000000D), ref: 00C940BC
CloseClipboard.USER32 ref: 00C940C8
GlobalLock.KERNEL32(00000000), ref: 00C940E4
CloseClipboard.USER32 ref: 00C940EE
GlobalUnlock.KERNEL32(00000000), ref: 00C94103
IsClipboardFormatAvailable.USER32(00000001), ref: 00C94110
GetClipboardData.USER32(00000001), ref: 00C94118
GlobalLock.KERNEL32(00000000), ref: 00C94125
GlobalUnlock.KERNEL32(00000000), ref: 00C94159
CloseClipboard.USER32 ref: 00C94269

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8646feea5de1e1c497a64e740420ed44179ab5ac478718fef7b6affd39b7821c
Instruction ID: 92c56ce9f82198c45dbf8453963c5fbcc8c8517b27589fea5874179e9697b00b
Opcode Fuzzy Hash: 8646feea5de1e1c497a64e740420ed44179ab5ac478718fef7b6affd39b7821c
Instruction Fuzzy Hash: 30518D35204702ABDB14EFA0EC8AF6F77A8AB85B05F00452DF556D31E1DF70D9069B62

Function 00C8C7E8 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8C819
FindClose.KERNEL32(00000000), ref: 00C8C86D
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8C892
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8C8A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C8C8D0
__swprintf.LIBCMT ref: 00C8C91C
__swprintf.LIBCMT ref: 00C8C95F

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

__swprintf.LIBCMT ref: 00C8C9B3

Part of subcall function 00C43818: __woutput_l.LIBCMT ref: 00C43871

__swprintf.LIBCMT ref: 00C8CA01

Part of subcall function 00C43818: __flsbuf.LIBCMT ref: 00C43893
Part of subcall function 00C43818: __flsbuf.LIBCMT ref: 00C438AB

__swprintf.LIBCMT ref: 00C8CA50
__swprintf.LIBCMT ref: 00C8CA9F
__swprintf.LIBCMT ref: 00C8CAEE

Strings

%4d, xrefs: 00C8C959
%02d, xrefs: 00C8C9A7, 00C8C9B1, 00C8C9FF, 00C8CA4E, 00C8CA9D, 00C8CAEC
%4d%02d%02d%02d%02d%02d, xrefs: 00C8C916

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 24366e111528d97c54722bdffff680681b2cdaad8e7c0167079312f13a7e7a80
Instruction ID: b47a56d5aec6d62c9c50d5b32af143c8bf810f36810733c2aeecca06b2674e23
Opcode Fuzzy Hash: 24366e111528d97c54722bdffff680681b2cdaad8e7c0167079312f13a7e7a80
Instruction Fuzzy Hash: CCA13EB1408314ABC700FBA4D886EAFB7ECFF94704F404929F596C3191EA74DA08DB62

Function 00C8F021 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C8F042
_wcscmp.LIBCMT ref: 00C8F057
_wcscmp.LIBCMT ref: 00C8F06E
GetFileAttributesW.KERNEL32(?), ref: 00C8F080
SetFileAttributesW.KERNEL32(?,?), ref: 00C8F09A
FindNextFileW.KERNEL32(00000000,?), ref: 00C8F0B2
FindClose.KERNEL32(00000000), ref: 00C8F0BD
FindFirstFileW.KERNEL32(*.*,?), ref: 00C8F0D9
_wcscmp.LIBCMT ref: 00C8F100
_wcscmp.LIBCMT ref: 00C8F117
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8F129
SetCurrentDirectoryW.KERNEL32(00CD8920), ref: 00C8F147
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8F151
FindClose.KERNEL32(00000000), ref: 00C8F15E
FindClose.KERNEL32(00000000), ref: 00C8F170

Strings

*.*, xrefs: 00C8F0D4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: e54aff53256c5f7d37bb308b2ecb3ecbf782cc4fe5cb720b1a869787d6bc4a75
Instruction ID: 1928fc13563af08f9038b48b16dd54c7e156af1b94834113ed44b8a77c4cfa45
Opcode Fuzzy Hash: e54aff53256c5f7d37bb308b2ecb3ecbf782cc4fe5cb720b1a869787d6bc4a75
Instruction Fuzzy Hash: 5231B632500219AADB10ABB4DC59BEF77ACAF49368F104179F955E31A0DB30DE46CB68

Function 00CA08E2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA09DE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CAF910,00000000,?,00000000,?,?), ref: 00CA0A4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CA0A94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CA0B1D
RegCloseKey.ADVAPI32(?), ref: 00CA0E3D
RegCloseKey.ADVAPI32(00000000), ref: 00CA0E4A

Strings

REG_SZ, xrefs: 00CA0B5B
REG_BINARY, xrefs: 00CA0DD8
REG_EXPAND_SZ, xrefs: 00CA0ABA
REG_DWORD, xrefs: 00CA0D0E
REG_QWORD, xrefs: 00CA0D8B
REG_MULTI_SZ, xrefs: 00CA0C05

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ee387dc4aed5696b97d8395c44fa7613e6d1faeb20f907e104790a76f00bde2e
Instruction ID: 93200cc1d008cdba8776b9978fa2d3e1b19ca155740120e38622c4ee6532a96e
Opcode Fuzzy Hash: ee387dc4aed5696b97d8395c44fa7613e6d1faeb20f907e104790a76f00bde2e
Instruction Fuzzy Hash: FC02BF356006119FCB14EF24D881E2AB7E5FF89324F14895DF89A9B7A2CB31ED41DB81

Function 00C8F17E Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C8F19F
_wcscmp.LIBCMT ref: 00C8F1B4
_wcscmp.LIBCMT ref: 00C8F1CB

Part of subcall function 00C843C6: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C843E1

FindNextFileW.KERNEL32(00000000,?), ref: 00C8F1FA
FindClose.KERNEL32(00000000), ref: 00C8F205
FindFirstFileW.KERNEL32(*.*,?), ref: 00C8F221
_wcscmp.LIBCMT ref: 00C8F248
_wcscmp.LIBCMT ref: 00C8F25F
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8F271
SetCurrentDirectoryW.KERNEL32(00CD8920), ref: 00C8F28F
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8F299
FindClose.KERNEL32(00000000), ref: 00C8F2A6
FindClose.KERNEL32(00000000), ref: 00C8F2B8

Strings

*.*, xrefs: 00C8F21C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: d18a732327727cd4e4a9679186e958a16f33e7a4aef54cbee01c254c3f13d92e
Instruction ID: 8a28a2be0e0852d7256e1e8a0efa1ff0d64355aac523cb008f42af6979158d26
Opcode Fuzzy Hash: d18a732327727cd4e4a9679186e958a16f33e7a4aef54cbee01c254c3f13d92e
Instruction Fuzzy Hash: 2431E33650125A6ACF10ABA4EC58BDE73ACAF45328F10017AF950E31A0DB30DF47CB68

Function 00C8A279 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C8A299
__swprintf.LIBCMT ref: 00C8A2BB
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8A2F8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C8A31D
_memset.LIBCMT ref: 00C8A33C
_wcsncpy.LIBCMT ref: 00C8A378
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C8A3AD
CloseHandle.KERNEL32(00000000), ref: 00C8A3B8
RemoveDirectoryW.KERNEL32(?), ref: 00C8A3C1
CloseHandle.KERNEL32(00000000), ref: 00C8A3CB

Strings

:, xrefs: 00C8A2DC
\, xrefs: 00C8A2D1
\??\%s, xrefs: 00C8A2B5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: dc35a0ea7c6b7128be7dd37c9f235cf5ab7c78f2fb23259738a12a941438cf4a
Instruction ID: 21eff01233c3531d6a0aeffbbcaae81d02c0ea9e7b02ffc3a8d0c6bce481ebb3
Opcode Fuzzy Hash: dc35a0ea7c6b7128be7dd37c9f235cf5ab7c78f2fb23259738a12a941438cf4a
Instruction Fuzzy Hash: 4C319D75900109ABEB219FA0DC49FAF73BCEF89704F1041BAFA18D2160EB7097458B24

Function 00C781D4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7852A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C78546
Part of subcall function 00C7852A: GetLastError.KERNEL32(?,00C7800A,?,?,?), ref: 00C78550
Part of subcall function 00C7852A: GetProcessHeap.KERNEL32(00000008,?,?,00C7800A,?,?,?), ref: 00C7855F
Part of subcall function 00C7852A: HeapAlloc.KERNEL32(00000000,?,00C7800A,?,?,?), ref: 00C78566
Part of subcall function 00C7852A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7857D

Part of subcall function 00C785C7: GetProcessHeap.KERNEL32(00000008,00C78020,00000000,00000000,?,00C78020,?), ref: 00C785D3
Part of subcall function 00C785C7: HeapAlloc.KERNEL32(00000000,?,00C78020,?), ref: 00C785DA
Part of subcall function 00C785C7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C78020,?), ref: 00C785EB

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C78238
_memset.LIBCMT ref: 00C7824D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C7826C
GetLengthSid.ADVAPI32(?), ref: 00C7827D
GetAce.ADVAPI32(?,00000000,?), ref: 00C782BA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C782D6
GetLengthSid.ADVAPI32(?), ref: 00C782F3
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C78302
HeapAlloc.KERNEL32(00000000), ref: 00C78309
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C7832A
CopySid.ADVAPI32(00000000), ref: 00C78331
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C78362
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C78388
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C7839C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 088968e6078fc272b8e150ba6eb49787803fc42fe76ab61c29564b7d0814abef
Instruction ID: e0f270bbf05e8ce31aed2fc88494ba2c166524dd25cd08683e3ad7c0a589376a
Opcode Fuzzy Hash: 088968e6078fc272b8e150ba6eb49787803fc42fe76ab61c29564b7d0814abef
Instruction Fuzzy Hash: A4616E7194020AEFDF10CFA4DC49AEEBB79FF05705F048129FA29A7251DB359A09DB60

Function 00C36841 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00C7168E
LF), xrefs: 00C715FA
UTF16), xrefs: 00C71425
CR), xrefs: 00C715DD
CRLF), xrefs: 00C71617
UCP), xrefs: 00C71463
ANYCRLF), xrefs: 00C71651
NO_AUTO_POSSESS), xrefs: 00C71484
UTF), xrefs: 00C71450
ANY), xrefs: 00C71634
NO_START_OPT), xrefs: 00C714A5
LIMIT_RECURSION=, xrefs: 00C71552
LIMIT_MATCH=, xrefs: 00C714C6
BSR_ANYCRLF), xrefs: 00C71674

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: a2e27eaaa82228b003565479783a838fa226fa98a6884ea43760d08685678a06
Instruction ID: f550da8b0f238069a93cca09cf6d8418b4950208425020ee9e1dd23e4c31e274
Opcode Fuzzy Hash: a2e27eaaa82228b003565479783a838fa226fa98a6884ea43760d08685678a06
Instruction Fuzzy Hash: B9725F75E10219DBDF14CF59C8807AEB7B5FF44710F28816AE959EB290EB309E81DB90

Function 00CA0465 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FE38,?,?), ref: 00CA0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0537

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CA05D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CA066E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CA08AD
RegCloseKey.ADVAPI32(00000000), ref: 00CA08BA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 6ca06c71f33de6e4c38fb66283ab906cf8e1629121354be277aac6def636e3cd
Instruction ID: 9f2283eb8600c000b192929463ba314092bdd6d11660d1bb486affccddbd7bbf
Opcode Fuzzy Hash: 6ca06c71f33de6e4c38fb66283ab906cf8e1629121354be277aac6def636e3cd
Instruction Fuzzy Hash: 21E17E30604211AFCB14DF65C881E2ABBE4EF89758F14896DF45ADB2A2DB30ED01DB91

Function 00C8003A Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C80062
GetAsyncKeyState.USER32(000000A0), ref: 00C800E3
GetKeyState.USER32(000000A0), ref: 00C800FE
GetAsyncKeyState.USER32(000000A1), ref: 00C80118
GetKeyState.USER32(000000A1), ref: 00C8012D
GetAsyncKeyState.USER32(00000011), ref: 00C80145
GetKeyState.USER32(00000011), ref: 00C80157
GetAsyncKeyState.USER32(00000012), ref: 00C8016F
GetKeyState.USER32(00000012), ref: 00C80181
GetAsyncKeyState.USER32(0000005B), ref: 00C80199
GetKeyState.USER32(0000005B), ref: 00C801AB

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2bf9100fefa4fba4c3b10f659218be290a431b9ffb9c71a7d6323f088f81d3ac
Instruction ID: 36c967487e8cdcc2630a0050778fee1a50619ad2e592cf891d499f9e485066e3
Opcode Fuzzy Hash: 2bf9100fefa4fba4c3b10f659218be290a431b9ffb9c71a7d6323f088f81d3ac
Instruction Fuzzy Hash: B841EC34A047C96DFFB0AA6088183B9BEA06F1235CF28405DD5D6575C2DBA49FCCC796

Function 00C984D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

CoInitialize.OLE32 ref: 00C98518
CoUninitialize.OLE32 ref: 00C98523
CoCreateInstance.OLE32(?,00000000,00000017,00CB2BEC,?), ref: 00C98583
IIDFromString.OLE32(?,?), ref: 00C985F6
VariantInit.OLEAUT32(?), ref: 00C98690
VariantClear.OLEAUT32(?), ref: 00C986F1

Strings

Failed to create object, xrefs: 00C9858E, 00C98644
NULL Pointer assignment, xrefs: 00C985C8
Invalid parameter, xrefs: 00C9860F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: f2ec302c4685cf8ce7cc26bfbd4a3468d8a819bbf78224b25b610febf9c36889
Instruction ID: e10372ff32b1c0e010b483f8ec7dd1daaa3872c895a5bbb52f393dda6c51486e
Opcode Fuzzy Hash: f2ec302c4685cf8ce7cc26bfbd4a3468d8a819bbf78224b25b610febf9c36889
Instruction Fuzzy Hash: 27618C70208311AFDB10DF65C849B6EBBE8AF4A714F04491DF9959B291DB70EE4CCB92

Function 00C9427A Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C942A1
EmptyClipboard.USER32 ref: 00C942A7
GlobalAlloc.KERNEL32(00000002,?), ref: 00C942BC
CloseClipboard.USER32 ref: 00C9435B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8ccf865b689aede7ddd7c1b6cc8639641b18067f0a90178b569fe51c5ddc0703
Instruction ID: dc676224b2370115871706ccc9b2514c68058d5020d0b2ca1995e2a392028ab6
Opcode Fuzzy Hash: 8ccf865b689aede7ddd7c1b6cc8639641b18067f0a90178b569fe51c5ddc0703
Instruction Fuzzy Hash: D621D1352006209FDB14AFA0EC4AF6D7BA8FF05314F14802AF946DB2B1DB30AD02DB55

Function 00C83833 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

Part of subcall function 00C84AD8: GetFileAttributesW.KERNEL32(?,00C8374F), ref: 00C84AD9

FindFirstFileW.KERNEL32(?,?), ref: 00C838E7
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C8398F
MoveFileW.KERNEL32(?,?), ref: 00C839A2
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C839BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C839E1
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C839FD

Strings

\*.*, xrefs: 00C83892, 00C8389B, 00C838B0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6031e41ff4813ecba8692849289ba1c25d514a6f75e1d8738945573d4367a2a5
Instruction ID: 84686f0eaec8ad169ee960f7e244236f737a9db3fd791478ab35c9721728801e
Opcode Fuzzy Hash: 6031e41ff4813ecba8692849289ba1c25d514a6f75e1d8738945573d4367a2a5
Instruction Fuzzy Hash: B151AF318052599ACF15FBA0DD92AFEB778AF14704F644269E44277091EF306F09EB64

Function 00C8F47F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C8F4CC
Sleep.KERNEL32(0000000A), ref: 00C8F4FC
_wcscmp.LIBCMT ref: 00C8F510
_wcscmp.LIBCMT ref: 00C8F52B
FindNextFileW.KERNEL32(?,?), ref: 00C8F5C9
FindClose.KERNEL32(00000000), ref: 00C8F5DF

Strings

*.*, xrefs: 00C8F4B1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 5f60a01febbd32e6cdaee435c3ba1dfc5b6e78eba58ee4e349f7e07af4e74346
Instruction ID: d768fc6a9ba3f03609bfcfad0c585c40984b6c48570615a5eb4b74c666000ac9
Opcode Fuzzy Hash: 5f60a01febbd32e6cdaee435c3ba1dfc5b6e78eba58ee4e349f7e07af4e74346
Instruction Fuzzy Hash: 0A41927190021AAFCF10EFA4CC59AEE7BB4FF05314F14416AE855A3291EB309F46DB64

Function 00C34140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00C3421F
VUUU, xrefs: 00C344ED
VUUU, xrefs: 00C344DB
VUUU, xrefs: 00C67A3B
VUUU, xrefs: 00C34520

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f2301bf0e5b901123f36fd99f6b93365d007c83eed79d94396a2ab032495425b
Instruction ID: 05079993f01bfe4ebab0c7759c51739f76e1ae3767f02479a9443c3ac5df67d1
Opcode Fuzzy Hash: f2301bf0e5b901123f36fd99f6b93365d007c83eed79d94396a2ab032495425b
Instruction Fuzzy Hash: A4A2A070E1421ACBDF38CF58C9807ADB7B1BF55314F2486A9E865A7280D734AE85CF91

Function 00C358C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C35A05
_memmove.LIBCMT ref: 00C35A55
_memmove.LIBCMT ref: 00C35ABB

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3425f9ea32eabc7da20043cde241721ae8305ed56fb02d836dce0e72ee2d0687
Instruction ID: 716d6748e992cc4349e9816e02657c4a1ddab674c025ac716c6f2a330029706b
Opcode Fuzzy Hash: 3425f9ea32eabc7da20043cde241721ae8305ed56fb02d836dce0e72ee2d0687
Instruction Fuzzy Hash: 2B12AC70A00609DFDF14DFA5D981AEEB7F5FF48300F208529E80AA7291EB35AE15DB50

Function 00C83B56 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

Part of subcall function 00C84AD8: GetFileAttributesW.KERNEL32(?,00C8374F), ref: 00C84AD9

FindFirstFileW.KERNEL32(?,?), ref: 00C83BCD
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C83C1D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C83C2E
FindClose.KERNEL32(00000000), ref: 00C83C45
FindClose.KERNEL32(00000000), ref: 00C83C4E

Strings

\*.*, xrefs: 00C83B9F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d515becd89abf56ae2f058dd670f5c359358da701cc06e00b267f116ccbea74e
Instruction ID: 59161ac2d6263e178d43096314dfb3357ee844745c7ac2b7d67c8d2ed7a22356
Opcode Fuzzy Hash: d515becd89abf56ae2f058dd670f5c359358da701cc06e00b267f116ccbea74e
Instruction Fuzzy Hash: 3D319E310093919BC305FB64D8959AFB7E8BE95708F444E2DF4E193191EB309B09D766

Function 00C85264 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78AA3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C78AED
Part of subcall function 00C78AA3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78B1A
Part of subcall function 00C78AA3: GetLastError.KERNEL32 ref: 00C78B27

ExitWindowsEx.USER32(?,00000000), ref: 00C852A0

Strings

, xrefs: 00C8528E
@, xrefs: 00C85293
SeShutdownPrivilege, xrefs: 00C85270

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d02acaf7751cb7eccbf61813c11c2edc99e203b2c8de4aef6497edbcba3b7068
Instruction ID: aca19cbc8c74e3e0d2c13e84f8cd0f2e7b08a209677e5629ba21404a7f9da019
Opcode Fuzzy Hash: d02acaf7751cb7eccbf61813c11c2edc99e203b2c8de4aef6497edbcba3b7068
Instruction Fuzzy Hash: 8B012B31A906166BE72836B89C4BBBA7258EB0575AF240535FD57D20D2DEE05D0093DC

Function 00C96399 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C963F2
WSAGetLastError.WSOCK32(00000000), ref: 00C96401
bind.WSOCK32(00000000,?,00000010), ref: 00C9641D
listen.WSOCK32(00000000,00000005), ref: 00C9642C
WSAGetLastError.WSOCK32(00000000), ref: 00C96446
closesocket.WSOCK32(00000000,00000000), ref: 00C9645A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 753729d334655a58b66a8cdbc8b570ffa6df710e55ec7e600b2865e77cfaa552
Instruction ID: 978481d7ab3936651f4a2887048440894a9c1ed900d41b5e30e2f707c3082e10
Opcode Fuzzy Hash: 753729d334655a58b66a8cdbc8b570ffa6df710e55ec7e600b2865e77cfaa552
Instruction Fuzzy Hash: AC21DD306002109FDF10EFA4D949B2EB7E9EF45724F108168F86AA73D1CB30AD01EB51

Function 00C35680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00C40F36: std::exception::exception.LIBCMT ref: 00C40F6C
Part of subcall function 00C40F36: __CxxThrowException@8.LIBCMT ref: 00C40F81

_memmove.LIBCMT ref: 00C705AE
_memmove.LIBCMT ref: 00C706C3
_memmove.LIBCMT ref: 00C7076A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 080aa01f52b379324f269ab5b7b77db7332107bb0bd2a107d5afd6313693b198
Instruction ID: 6d6645505f542e1ada2cb47972de81bded41d8bc58659db3f8b630e924387125
Opcode Fuzzy Hash: 080aa01f52b379324f269ab5b7b77db7332107bb0bd2a107d5afd6313693b198
Instruction Fuzzy Hash: 6D02C270A10209DFDF04DF65D982AAEBBB5FF44300F24C069E80ADB295EB31DA55DB91

Function 00C21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C219FA
GetSysColor.USER32(0000000F), ref: 00C21A4E
SetBkColor.GDI32(?,00000000), ref: 00C21A61

Part of subcall function 00C21290: DefDlgProcW.USER32(?,00000020,?), ref: 00C212D8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 611e0235860f575993c3d83084a9195329dd0e86f12350ca3db6cdee09779569
Instruction ID: 725047883da4b046660cb84dcd15dacdc6e1ffefdc45df5585cc71a34d48ea8b
Opcode Fuzzy Hash: 611e0235860f575993c3d83084a9195329dd0e86f12350ca3db6cdee09779569
Instruction Fuzzy Hash: D0A19C711015A5FFD738AB2A6C85F7F399DDB62346B1C0109FC22D69C1CE268E41B2B5

Function 00C8BD48 Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8BD72
_wcscmp.LIBCMT ref: 00C8BDA2
_wcscmp.LIBCMT ref: 00C8BDB7
FindNextFileW.KERNEL32(00000000,?), ref: 00C8BDC8
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C8BDF8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 5b3112e82715452e42ed288646d374cb18e21ba7dcd69cc00bd09b215995e611
Instruction ID: 56304aafd3a9ae95d74429900c61fcf013884d3c4a4d30ac9f598c350aacbacd
Opcode Fuzzy Hash: 5b3112e82715452e42ed288646d374cb18e21ba7dcd69cc00bd09b215995e611
Instruction Fuzzy Hash: 1C51AD356046029FD714EF68D490EAAB3E4FF49328F10462DFA6A873A1DB30ED05DB95

Function 00C9685D Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C97ECB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C968B4
WSAGetLastError.WSOCK32(00000000), ref: 00C968DD
bind.WSOCK32(00000000,?,00000010), ref: 00C96916
WSAGetLastError.WSOCK32(00000000), ref: 00C96923
closesocket.WSOCK32(00000000,00000000), ref: 00C96937

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 3fed6ea4e7ed4f0f7a0fbc331fcde6747e7eec9703875eab50d63402b0be7006
Instruction ID: e9fb5fddf06ca4a2239647f361717e970469797fd4fdf8481dbf72b11f8aa7f8
Opcode Fuzzy Hash: 3fed6ea4e7ed4f0f7a0fbc331fcde6747e7eec9703875eab50d63402b0be7006
Instruction Fuzzy Hash: 7641D675A00220AFEB10AF64EC86F6E77A9DF09724F04805CF95AAB3D2DA749D019791

Function 00CA53DF Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CA542E
IsWindowEnabled.USER32 ref: 00CA543C
GetForegroundWindow.USER32(?,?,00000001), ref: 00CA5449
IsIconic.USER32 ref: 00CA5457
IsZoomed.USER32 ref: 00CA5465

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7ad20040082b539b863aeca5a1177900f90ecbcf1c053503e5cf39b7ceb8716b
Instruction ID: 3dbd8a1593d3ba9b8ba7b1fbbb390475c1e510603690e502cf2e6e03c48f40fd
Opcode Fuzzy Hash: 7ad20040082b539b863aeca5a1177900f90ecbcf1c053503e5cf39b7ceb8716b
Instruction Fuzzy Hash: F811E731700A226FE7216F66DC44B6E7799FF4A726B04C42CF846D7251CB70DD82CAA5

Function 00C9C104 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C61CB7,?), ref: 00C9C112
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C9C124

Strings

GetSystemWow64DirectoryW, xrefs: 00C9C11E
kernel32.dll, xrefs: 00C9C10D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: bea2553c5db753dcbd17ed02c344276ade4aeac425eed7c40b33f3100b1538d0
Instruction ID: 8b863e742ec2c3f2202430969da316a8aa069333f359422049e8752dfe995260
Opcode Fuzzy Hash: bea2553c5db753dcbd17ed02c344276ade4aeac425eed7c40b33f3100b1538d0
Instruction Fuzzy Hash: 36E08C78200723CFDB205BA5D888B4A76E4EF09349B40843DE8A5C2260E774D882C724

Function 00C33190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 1a01160a9722ba63f30d97891145944854b4f273e927bd781a602bc03c55e193
Instruction ID: bcd26f670894b173e1901823f198ae6da65d6410dd721ba9b23c39621be95d49
Opcode Fuzzy Hash: 1a01160a9722ba63f30d97891145944854b4f273e927bd781a602bc03c55e193
Instruction Fuzzy Hash: 7822A9716183419FD724DF24C881BAFB7E4BF84304F104A2DF89A97291DB31EA05DB92

Function 00C9EF21 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9EF51
Process32FirstW.KERNEL32(00000000,?), ref: 00C9EF5F

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Process32NextW.KERNEL32(00000000,?), ref: 00C9F01F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C9F02E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8fa83036a2d9e71d68fe18f8dab4d1f0ec80da73b70b8fc0085a97cd968c4667
Instruction ID: a8eaec899da974805f346c3e32e3029e73a393f89100f94b8b7955fa3d3243b3
Opcode Fuzzy Hash: 8fa83036a2d9e71d68fe18f8dab4d1f0ec80da73b70b8fc0085a97cd968c4667
Instruction Fuzzy Hash: DC516C715083119FD710EF20DC86E6FB7E8EF98710F10492DF59597291EB70AA09DB92

Function 00C7E928 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C7E93A

Strings

|, xrefs: 00C7E96A
(, xrefs: 00C7E980

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: a81186c50fa935b5e5b9be88f62ec40e46b062f3323f98980438029440f3a39a
Instruction ID: c5f0ca21d1faecb47e2debdc53b98b8b1acdeebb882e293b51086101338d6d45
Opcode Fuzzy Hash: a81186c50fa935b5e5b9be88f62ec40e46b062f3323f98980438029440f3a39a
Instruction Fuzzy Hash: 65321676A006059FD728DF29C48196AB7F1FF48320B15C5AEE5AADB3A1E770E941CB40

Function 00C92404 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C91920,00000000), ref: 00C924F7
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C9252E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 031cff1705f118fbfc67ab65ae72e534782c2a10dd9622d91c820b5984605f30
Instruction ID: 95ceda761d46d21e1f4cd2d686d4f5ce0785d6f6c3600bd8939c722df6af29ef
Opcode Fuzzy Hash: 031cff1705f118fbfc67ab65ae72e534782c2a10dd9622d91c820b5984605f30
Instruction Fuzzy Hash: 0B41C471504209BFEF20DE95DC89EBFB7BCEB40724F10406EF685A7141EA709F41AA60

Function 00C8B3BF Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8B3CF
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C8B429
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C8B476

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0312f3afcb382e1de142d579795f2ef8d9a070a979b1de5262cf053c3313379e
Instruction ID: 828abb6b828f85e355890b33876a7ef17ae99ef0f91783c7aa099d4bd30d841c
Opcode Fuzzy Hash: 0312f3afcb382e1de142d579795f2ef8d9a070a979b1de5262cf053c3313379e
Instruction Fuzzy Hash: 89216035A00618EFCB00EFA5E881BAEBBB8FF49314F1480A9E905AB351DB319915DB51

Function 00C78AA3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C40F36: std::exception::exception.LIBCMT ref: 00C40F6C
Part of subcall function 00C40F36: __CxxThrowException@8.LIBCMT ref: 00C40F81

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C78AED
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78B1A
GetLastError.KERNEL32 ref: 00C78B27

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 3d4d162027a75a9187c81ca1737a0f7521eb4483f93105b921af4e606423668a
Instruction ID: 0ed177eb6ceda500ad4f030a52a7add4a73466b7e4f23bb07e8b9d1b91d68f88
Opcode Fuzzy Hash: 3d4d162027a75a9187c81ca1737a0f7521eb4483f93105b921af4e606423668a
Instruction Fuzzy Hash: 6411BFB1554205AFE7289FA4DCCAE2BB7B8FB44314B20C16EF55993241EB70AC05CA60

Function 00C84A08 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C84A31
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C84A48
FreeSid.ADVAPI32(?), ref: 00C84A58

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 85e113e7a4bc97a3f01f0bf28f0b36a143ac88231ccd3f3cd2400ba81029e45d
Instruction ID: 894f0665d584c00aa0c699329d2921f724216bf6e06edeacd8d6c4ae6632e530
Opcode Fuzzy Hash: 85e113e7a4bc97a3f01f0bf28f0b36a143ac88231ccd3f3cd2400ba81029e45d
Instruction Fuzzy Hash: F7F04975A5130DBFDF04DFF0DC89AAEBBBCEF08205F0044A9A901E3181E7706A049B50

Function 00C8449B Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C5E6F1), ref: 00C844AB
FindFirstFileW.KERNEL32(?,?), ref: 00C844BC
FindClose.KERNEL32(00000000), ref: 00C844CC

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7b26cd2ecd3adb3af32de3d48e59ab572508956c0ccf81126a262f61bbd9e76a
Instruction ID: a88d49d6b3e13e6874b3e47865a503b06db8e8e66cd8bb1d25da709acf055ecf
Opcode Fuzzy Hash: 7b26cd2ecd3adb3af32de3d48e59ab572508956c0ccf81126a262f61bbd9e76a
Instruction Fuzzy Hash: C5E0D832810401574214B778EC0D7ED779CAE4633DF100719F935C20E0E7745E108699

Function 00C2E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3003f38534618ff0ee17b9dde9852d93ec7a99896c51251d24a6a07f65b4f821
Instruction ID: c99ed3392bbb0114030d8cbf4287d69839ff2cf5d842b483591888529c7a0908
Opcode Fuzzy Hash: 3003f38534618ff0ee17b9dde9852d93ec7a99896c51251d24a6a07f65b4f821
Instruction Fuzzy Hash: 7E22C170900225DFDB24DF94E481ABEB7F0FF04310F148169E966AB751E374AE85DB91

Function 00C8C75D Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8C787
FindClose.KERNEL32(00000000), ref: 00C8C7B7

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c3013703e9943f982d7e386319e105dc49104b96b6bb1c21c8143fd3165e5feb
Instruction ID: 8e68bc7dbd4e7cbc485eddacc6dc109fab30407e2ab00a8c2e455889489a29c2
Opcode Fuzzy Hash: c3013703e9943f982d7e386319e105dc49104b96b6bb1c21c8143fd3165e5feb
Instruction Fuzzy Hash: C911A1326106109FD710EF69D885A2AF7E8FF84324F00851EF9A9D77A0DB30AC01DB91

Function 00C8A0F4 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C9957D,?,00CAFB84,?), ref: 00C8A121
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C9957D,?,00CAFB84,?), ref: 00C8A133

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e0161d236ed9ff5b03e6d7ce99e905a6874b3fd16387c74b6c0023fb6d365f44
Instruction ID: c8cca92f04d45b5f236a694a5928652f0bbb8a6453b0af98f0d5254865428ec0
Opcode Fuzzy Hash: e0161d236ed9ff5b03e6d7ce99e905a6874b3fd16387c74b6c0023fb6d365f44
Instruction Fuzzy Hash: 0AF0BE3510522DABDB10AAA4CC48FEE736CAF09362F00426AB90993180DA709940CBA1

Function 00C784F3 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C78631), ref: 00C78508
CloseHandle.KERNEL32(?,?,00C78631), ref: 00C7851A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 77bf5176b5a57ef9f636250b25b93ffc56f867779dd47a4a1d4c13f540dbc4b3
Instruction ID: 2ab9da9c76b98a8f9639f5a87a54e4aafebcb31c85324cd9a48ef9021ea90ea8
Opcode Fuzzy Hash: 77bf5176b5a57ef9f636250b25b93ffc56f867779dd47a4a1d4c13f540dbc4b3
Instruction Fuzzy Hash: A4E04F31014500AEF7212BA4EC09E7777A9FB40314720842DB99581430DB715C91DB50

Function 00C4A2D5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C48ED7,?,?,?,00000001), ref: 00C4A2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C4A2E3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5eb7b0a60ce4fc28f2875a96dbb31379cccf7592c09c232226e7918044425d26
Instruction ID: 4e53ea655d0227f3e52aaf8b81d5d77004409a4d8e6c9e57cb63653d64a50a9d
Opcode Fuzzy Hash: 5eb7b0a60ce4fc28f2875a96dbb31379cccf7592c09c232226e7918044425d26
Instruction Fuzzy Hash: D1B09231055208ABCF002BD1EC59B8C3F68EB46AAAF404024F60D86070CBB254528A91

Function 00C4F359 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f4ab5f0fdcce883bf6cb04a5e74f2ef05149d992bae3cee1d7013ef2951645
Instruction ID: 9a1a4cac4ab9f2fc2dc9a24f335df4c1c93201d29f012fe8f7669912ccb583d8
Opcode Fuzzy Hash: d2f4ab5f0fdcce883bf6cb04a5e74f2ef05149d992bae3cee1d7013ef2951645
Instruction Fuzzy Hash: 7B320531D29F414EDB239635D83233AA649BFB73C4F15D73BE829B59A6EB28C5834101

Function 00C525AE Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d1c36ce49db769d8528405afb425ceb078f1c6f5abd5fff5ccd86964d941bc
Instruction ID: 96a93db656bef9743d7a579bafdf0ed0826da69c47704bf25b228441702d712b
Opcode Fuzzy Hash: a7d1c36ce49db769d8528405afb425ceb078f1c6f5abd5fff5ccd86964d941bc
Instruction Fuzzy Hash: D6B1F021D2AF404DD7239639883133ABA9CAFBB6C5F51E71BFC6674D62EB2185C34141

Function 00C88932 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C88944

Part of subcall function 00C4537A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C89017,00000000,?,?,?,?,00C891C8,00000000,?), ref: 00C45383
Part of subcall function 00C4537A: __aulldiv.LIBCMT ref: 00C453A3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 3acb7befd1bc0a9172d913f5e702299646cd3960ad78cc0587bff9142f664900
Instruction ID: 968d05f821ee81014f194545bc6a2b1b6c885d89e0c2c15087735c6d4ac7c849
Opcode Fuzzy Hash: 3acb7befd1bc0a9172d913f5e702299646cd3960ad78cc0587bff9142f664900
Instruction Fuzzy Hash: 4B21B472635650CBC729CF25D881B66B3E1EBA5310B688E6CD1F5CF2D0CA74B905CB54

Function 00C9401F Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C9403A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1f7355b2e6d42b2f7572937d8813b721b8cc9aa277dfc931369641599d163a30
Instruction ID: 9f2b8319f6c8b778d10f9e6497737e8b1c02bd6ccbc4355fea6b4c990f32eb54
Opcode Fuzzy Hash: 1f7355b2e6d42b2f7572937d8813b721b8cc9aa277dfc931369641599d163a30
Instruction Fuzzy Hash: 56E048312002149FD714DF59E445E5AFBD9EF64760F008015FD4AC7751DA70E8419B91

Function 00C84CCE Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C84CF1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 7f6c20378bf7561c1ae5b448ec20614970a974d7e511f2a6ec0355fa13a4cb50
Instruction ID: 3b97d9b7746db600b145ddd106383f7e6720d94b617140ef91e1a230d0603117
Opcode Fuzzy Hash: 7f6c20378bf7561c1ae5b448ec20614970a974d7e511f2a6ec0355fa13a4cb50
Instruction Fuzzy Hash: 53D09EAD162607B9ED5C2760DD2FF76120CF30178EFA44149B112851C1DAA16D856239

Function 00C78A73 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C786B1), ref: 00C78A93

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 4ee6e3149753b9b78f78bcc46bc7805d201d4239552a996a3fe81e85d038e07d
Instruction ID: 9f353ecb36a79f4127ce251b1641cc1b252dda701583e4f55384ed5d9abb5e02
Opcode Fuzzy Hash: 4ee6e3149753b9b78f78bcc46bc7805d201d4239552a996a3fe81e85d038e07d
Instruction Fuzzy Hash: 7ED05E322A050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C60A1C775D835AB60

Function 00C6215F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C62171

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 892f5755f1e4af89ad0c58a63b6e5261c2305b3589307b4535f9bc5065fb6f7b
Instruction ID: e2a2f6c4fbf0a652252155739f36dc92920682c3a035f83d29cf64b21a6c2cc0
Opcode Fuzzy Hash: 892f5755f1e4af89ad0c58a63b6e5261c2305b3589307b4535f9bc5065fb6f7b
Instruction Fuzzy Hash: B7C048F1811509DBCB15DBE1DA88EEEBBBCAB08309F2840AAA542F2101D7749B449B71

Function 00C4A2A4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C4A2AA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b2bb3a47191434f22a200cc348037cc9ec2fa58b4dfd278eda713314872ef49e
Instruction ID: 70ca8e2b0b051b0975c6d36cc52265962e8e6f8a730e52bea7e507c43922f765
Opcode Fuzzy Hash: b2bb3a47191434f22a200cc348037cc9ec2fa58b4dfd278eda713314872ef49e
Instruction Fuzzy Hash: 94A0123000010CA78F001BC1EC045487F5CD6011947004020F40C41031873254114580

Function 00C38968 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0fed11ca0842a75d1544a0bf5b0918dec88cd23fb8ee7a2a431cdce09d2078
Instruction ID: 2129c5e8cffea258b84761cfb31c90f1079486e4251489153d9023ab508f4620
Opcode Fuzzy Hash: 0b0fed11ca0842a75d1544a0bf5b0918dec88cd23fb8ee7a2a431cdce09d2078
Instruction Fuzzy Hash: 4C223870910757CBCF388B29C89477CB7A1FB01308F68C46AF86A9B5A1DB749E89D750

Function 00C42345 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: a5f6117e501e938b88d48521c79641dc463bea8a7a96aada7d3bba12467c19b4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F5C174322150530AEB2D467A843513EBEB17AA27B239E175DF8F3CB1D5EF10C669D620

Function 00C4277A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: cd57d5b06af66cc177168d9b82fd2baa42e6b036a7ca48830bf6bc6e56e6d8dd
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: DAC1743221519309EB2D463A843513EBFA17AA27B239E075DF8F2DB1D4EF10C669D620

Function 00C41AF8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 76ec1d361a38806565623007f59dcbabdea25fa67543559d153cbbaa2a088f5f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B5C183726451930DEB2D467A847413EBEA17AA27B235E075DECF2CB1C4EF20C6A99610

Function 00C9791B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C97970
DeleteObject.GDI32(00000000), ref: 00C97982
DestroyWindow.USER32 ref: 00C97990
GetDesktopWindow.USER32 ref: 00C979AA
GetWindowRect.USER32(00000000), ref: 00C979B1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C97AF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C97B02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97B4A
GetClientRect.USER32(00000000,?), ref: 00C97B56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C97B90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97BB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97BC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97BD0
GlobalLock.KERNEL32(00000000), ref: 00C97BD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97BE8
GlobalUnlock.KERNEL32(00000000), ref: 00C97BF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97BF8
GlobalFree.KERNEL32(00000000), ref: 00C97C03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97C15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CB2CAC,00000000), ref: 00C97C2B
GlobalFree.KERNEL32(00000000), ref: 00C97C3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C97C61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C97C80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97CA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97E8F

Strings

static, xrefs: 00C97B8A, 00C97CE1
, xrefs: 00C97E15
DISPLAY, xrefs: 00C97CF2
AutoIt v3, xrefs: 00C97B42

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 97e343fff29e78bbf7d64d720380d281f84ace29e4549227e05ac3841ef0c2b6
Instruction ID: 37cd3964562cfde68c6cc697c2ef006203e0351fa2077b2cc75c40b64f24eb54
Opcode Fuzzy Hash: 97e343fff29e78bbf7d64d720380d281f84ace29e4549227e05ac3841ef0c2b6
Instruction Fuzzy Hash: 7C023771910119EFDF14DFA4DC89FAE7BB9EB49314F148668F915AB2A1CB30AD01CB60

Function 00CA35D4 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00CAF910), ref: 00CA3690
IsWindowVisible.USER32(?), ref: 00CA36B4

Strings

EDITPASTE, xrefs: 00CA39C8
SETCURRENTSELECTION, xrefs: 00CA381F
ISCHECKED, xrefs: 00CA38A2
GETCURRENTLINE, xrefs: 00CA3956
SENDCOMMANDID, xrefs: 00CA3A43
GETCURRENTCOL, xrefs: 00CA3991
SHOWDROPDOWN, xrefs: 00CA3749
GETLINECOUNT, xrefs: 00CA392F
ISENABLED, xrefs: 00CA36D4
ISVISIBLE, xrefs: 00CA36A0
DELSTRING, xrefs: 00CA37B2
UNCHECK, xrefs: 00CA38EC
GETLINE, xrefs: 00CA3A04
GETSELECTED, xrefs: 00CA390C
CHECK, xrefs: 00CA38D6
ADDSTRING, xrefs: 00CA377F
CURRENTTAB, xrefs: 00CA3726
FINDSTRING, xrefs: 00CA37DF
GETCURRENTSELECTION, xrefs: 00CA384C
TABRIGHT, xrefs: 00CA3706
TABLEFT, xrefs: 00CA36F0
HIDEDROPDOWN, xrefs: 00CA3769
SELECTSTRING, xrefs: 00CA386F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 99253b8cabad3104272d73de438aeb590bb486fb3c72446d9d4080e34b9344aa
Instruction ID: 4dabe4afce1487722e15d4de59084ca747c027296b74a962a01c5919061fb9f5
Opcode Fuzzy Hash: 99253b8cabad3104272d73de438aeb590bb486fb3c72446d9d4080e34b9344aa
Instruction Fuzzy Hash: F3D1B674204352DBCB14EF10C4E1A6E77A1EF95348F148859F9965B3E2CB31DE0AEB82

Function 00CAA60C Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CAA662
GetSysColorBrush.USER32(0000000F), ref: 00CAA693
GetSysColor.USER32(0000000F), ref: 00CAA69F
SetBkColor.GDI32(?,000000FF), ref: 00CAA6B9
SelectObject.GDI32(?,00000000), ref: 00CAA6C8
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA6F3
GetSysColor.USER32(00000010), ref: 00CAA6FB
CreateSolidBrush.GDI32(00000000), ref: 00CAA702
FrameRect.USER32(?,?,00000000), ref: 00CAA711
DeleteObject.GDI32(00000000), ref: 00CAA718
InflateRect.USER32(?,000000FE,000000FE), ref: 00CAA763
FillRect.USER32(?,?,00000000), ref: 00CAA795
GetWindowLongW.USER32(?,000000F0), ref: 00CAA7C0

Part of subcall function 00CAA8FC: GetSysColor.USER32(00000012), ref: 00CAA935
Part of subcall function 00CAA8FC: SetTextColor.GDI32(?,?), ref: 00CAA939
Part of subcall function 00CAA8FC: GetSysColorBrush.USER32(0000000F), ref: 00CAA94F
Part of subcall function 00CAA8FC: GetSysColor.USER32(0000000F), ref: 00CAA95A
Part of subcall function 00CAA8FC: GetSysColor.USER32(00000011), ref: 00CAA977
Part of subcall function 00CAA8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAA985
Part of subcall function 00CAA8FC: SelectObject.GDI32(?,00000000), ref: 00CAA996
Part of subcall function 00CAA8FC: SetBkColor.GDI32(?,00000000), ref: 00CAA99F
Part of subcall function 00CAA8FC: SelectObject.GDI32(?,?), ref: 00CAA9AC
Part of subcall function 00CAA8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA9CB
Part of subcall function 00CAA8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAA9E2
Part of subcall function 00CAA8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 00CAA9F7
Part of subcall function 00CAA8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAAA1F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 92cfdc8dc3286dd6f64a334c83247d30aaebc7225ecc89e0262e56b82b5e369d
Instruction ID: fc8142ea5b805b410f896359388a42375223a2837e14ce4930543b8efd60597c
Opcode Fuzzy Hash: 92cfdc8dc3286dd6f64a334c83247d30aaebc7225ecc89e0262e56b82b5e369d
Instruction Fuzzy Hash: A3916D71408301AFD7119FA4DC08B5F7BB9FB8A329F100B2DF5A2961A0D771D946CB52

Function 00C22C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00C22CA2
DeleteObject.GDI32(00000000), ref: 00C22CE8
DeleteObject.GDI32(00000000), ref: 00C22CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00C22CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00C22D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C5C5BB
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C5C5F4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C5CA1D

Part of subcall function 00C21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C22036,?,00000000,?,?,?,?,00C216CB,00000000,?), ref: 00C21B9A

SendMessageW.USER32(?,00001053), ref: 00C5CA5A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C5CA71
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C5CA87
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C5CA92

Strings

0, xrefs: 00C5C8B1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 2b5b1e0153473fcd4dd8e7d688a967504cd09dc0f510f665df51e0f3a8d2f8d7
Instruction ID: d1829408c655ce5bda9ef143154c535c064f40488e1a5aa4e0652cd690b41d29
Opcode Fuzzy Hash: 2b5b1e0153473fcd4dd8e7d688a967504cd09dc0f510f665df51e0f3a8d2f8d7
Instruction Fuzzy Hash: D812AD34600211EFDB20CF24D8C4BA9BBE1FF09312F544569F8A5DB662CB31E986DB95

Function 00C975C0 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C975F3
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C976B2
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C976F0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C97702
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C97748
GetClientRect.USER32(00000000,?), ref: 00C97754
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C97798
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C977A7
GetStockObject.GDI32(00000011), ref: 00C977B7
SelectObject.GDI32(00000000,00000000), ref: 00C977BB
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C977CB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C977D4
DeleteDC.GDI32(00000000), ref: 00C977DD
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C97809
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C97820
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C9785B
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C9786F
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C97880
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C978B0
GetStockObject.GDI32(00000011), ref: 00C978BB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C978C6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C978D0

Strings

static, xrefs: 00C97792, 00C978AA
msctls_progress32, xrefs: 00C97851
DISPLAY, xrefs: 00C9779D
AutoIt v3, xrefs: 00C97740

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2ef35ecd2f2a46c08338feeaec57a019a14eadb1515d7d3fbac25ed227c1027c
Instruction ID: 9cfb3b23ca0625a804db4919afd69a995c6ec20edff7016f7c91e9836faf62cd
Opcode Fuzzy Hash: 2ef35ecd2f2a46c08338feeaec57a019a14eadb1515d7d3fbac25ed227c1027c
Instruction Fuzzy Hash: 1FA162B1A40615BFEB14DFA4DC4AFAE7BB9EB45714F004218FA15AB2E0C770AD01CB64

Function 00C8AD9C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8ADAA
GetDriveTypeW.KERNEL32(?,00CAFAC0,?,\\.\,00CAF910), ref: 00C8AE87
SetErrorMode.KERNEL32(00000000,00CAFAC0,?,\\.\,00CAF910), ref: 00C8AFE5

Strings

Unknown, xrefs: 00C8AEA7, 00C8AF4B
USB, xrefs: 00C8AF7C
Fibre, xrefs: 00C8AF75
Removable, xrefs: 00C8AED9
SSA, xrefs: 00C8AF6E
FileBackedVirtual, xrefs: 00C8AFB4
SSD, xrefs: 00C8AF12
CDROM, xrefs: 00C8AEBB
iSCSI, xrefs: 00C8AF8A
Virtual, xrefs: 00C8AFAD
ATA, xrefs: 00C8AF60
SCSI, xrefs: 00C8AF52
Network, xrefs: 00C8AEC5
SAS, xrefs: 00C8AF91
SATA, xrefs: 00C8AF98
MMC, xrefs: 00C8AFA6
Fixed, xrefs: 00C8AECF
RAID, xrefs: 00C8AF83
ATAPI, xrefs: 00C8AF59
RAMDisk, xrefs: 00C8AEB1
PhysicalDrive, xrefs: 00C8AE33
1394, xrefs: 00C8AF67
\\.\, xrefs: 00C8ADFC

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cbb3aa1fe89d4fa497df6dba4970ba0e92c3ee87d1b5dfaec27e911d271ba16d
Instruction ID: 6bc371c662493ce0f96d421407b187879325a4393b90f6eb019cd6a4764e8ac4
Opcode Fuzzy Hash: cbb3aa1fe89d4fa497df6dba4970ba0e92c3ee87d1b5dfaec27e911d271ba16d
Instruction Fuzzy Hash: AD5193B4648605BBDB00FB91CD9297DB370EB047087204467FB16A7290CB71DE46EB9B

Function 00C26A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C26A91
__wcsnicmp.LIBCMT ref: 00C26AA9
__wcsnicmp.LIBCMT ref: 00C26AC1
__wcsnicmp.LIBCMT ref: 00C26AD9
__wcsnicmp.LIBCMT ref: 00C26AF1
__wcsnicmp.LIBCMT ref: 00C26B09
__wcsnicmp.LIBCMT ref: 00C26B21
__wcsnicmp.LIBCMT ref: 00C26B35
__wcsnicmp.LIBCMT ref: 00C26B76
__wcsnicmp.LIBCMT ref: 00C26B8A
__wcsnicmp.LIBCMT ref: 00C26B9E
__wcsnicmp.LIBCMT ref: 00C26BB2

Strings

#OnAutoItStartRegister, xrefs: 00C26AD3
Cannot parse #include, xrefs: 00C5E749
#comments-start, xrefs: 00C26B1B, 00C26B70
Unterminated group of comments, xrefs: 00C5E75C
#include-once, xrefs: 00C26AEB
#comments-end, xrefs: 00C26B98
Bad directive syntax error, xrefs: 00C5E673
#include, xrefs: 00C26B03
#ce, xrefs: 00C26BAC
#cs, xrefs: 00C26B2F, 00C26B84
#pragma compile, xrefs: 00C26A8B
#notrayicon, xrefs: 00C26AA3
#requireadmin, xrefs: 00C26ABB

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a222d04a6c4fa6c836fea46d6e44498f6ebf13f531c33727fd8c3e163ff721f5
Instruction ID: 2abb78558aa9d051ac648eeba475a1f5994da40b57f9abc40f86d7fce1ad21bf
Opcode Fuzzy Hash: a222d04a6c4fa6c836fea46d6e44498f6ebf13f531c33727fd8c3e163ff721f5
Instruction Fuzzy Hash: 43814770644225BBCB24AF61EC83FAF7768AF25740F040035FD45AA582EB70DB55E2B4

Function 00CAA8FC Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CAA935
SetTextColor.GDI32(?,?), ref: 00CAA939
GetSysColorBrush.USER32(0000000F), ref: 00CAA94F
GetSysColor.USER32(0000000F), ref: 00CAA95A
CreateSolidBrush.GDI32(?), ref: 00CAA95F
GetSysColor.USER32(00000011), ref: 00CAA977
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAA985
SelectObject.GDI32(?,00000000), ref: 00CAA996
SetBkColor.GDI32(?,00000000), ref: 00CAA99F
SelectObject.GDI32(?,?), ref: 00CAA9AC
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA9CB
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAA9E2
GetWindowLongW.USER32(00000000,000000F0), ref: 00CAA9F7
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAAA1F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CAAA46
InflateRect.USER32(?,000000FD,000000FD), ref: 00CAAA64
DrawFocusRect.USER32(?,?), ref: 00CAAA6F
GetSysColor.USER32(00000011), ref: 00CAAA7D
SetTextColor.GDI32(?,00000000), ref: 00CAAA85
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CAAA99
SelectObject.GDI32(?,00CAA62C), ref: 00CAAAB0
DeleteObject.GDI32(?), ref: 00CAAABB
SelectObject.GDI32(?,?), ref: 00CAAAC1
DeleteObject.GDI32(?), ref: 00CAAAC6
SetTextColor.GDI32(?,?), ref: 00CAAACC
SetBkColor.GDI32(?,?), ref: 00CAAAD6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 03f1b34f8555d2b82c945ac02c69a0e5720fd15dd461e76763ab79be2507fb1f
Instruction ID: 3f5ffd29970107d03968908c474cb02138b4a088f9e0d1b514c3114dc20e49ba
Opcode Fuzzy Hash: 03f1b34f8555d2b82c945ac02c69a0e5720fd15dd461e76763ab79be2507fb1f
Instruction Fuzzy Hash: 11514D71900209FFDB109FA4DC48FAE7BB9EF09324F114229FA11AB2A1D7719A41DF90

Function 00CA8A07 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CA8AF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA8B04
CharNextW.USER32(0000014E), ref: 00CA8B33
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CA8B74
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CA8B8A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA8B9B
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CA8BB8
SetWindowTextW.USER32(?,0000014E), ref: 00CA8C0A
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CA8C20
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA8C51
_memset.LIBCMT ref: 00CA8C76
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CA8CBF
_memset.LIBCMT ref: 00CA8D1E
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CA8D48
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CA8DA0
SendMessageW.USER32(?,0000133D,?,?), ref: 00CA8E4D
InvalidateRect.USER32(?,00000000,00000001), ref: 00CA8E6F
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA8EB9
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA8EE6
DrawMenuBar.USER32(?), ref: 00CA8EF5
SetWindowTextW.USER32(?,0000014E), ref: 00CA8F1D

Strings

0, xrefs: 00CA8E87

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 5e50b6760b34398ed0c77fc88715bfd64f61d72cfc968f77f9a5b5a41858b567
Instruction ID: 25a8a9dbda0c79aefeabd9316a0e953ef3d35d072acf8a74b532f69d59ee8499
Opcode Fuzzy Hash: 5e50b6760b34398ed0c77fc88715bfd64f61d72cfc968f77f9a5b5a41858b567
Instruction Fuzzy Hash: 4CE1827490120AAFDF209F91CC84EEE7B79FF06758F10815AFA259B190DB708A85DF60

Function 00CA48F8 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA4A33
GetDesktopWindow.USER32 ref: 00CA4A48
GetWindowRect.USER32(00000000), ref: 00CA4A4F
GetWindowLongW.USER32(?,000000F0), ref: 00CA4AB1
DestroyWindow.USER32(?), ref: 00CA4ADD
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA4B06
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA4B24
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CA4B4A
SendMessageW.USER32(?,00000421,?,?), ref: 00CA4B5F
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CA4B72
IsWindowVisible.USER32(?), ref: 00CA4B92
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CA4BAD
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CA4BC1
GetWindowRect.USER32(?,?), ref: 00CA4BD9
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA4BFF
GetMonitorInfoW.USER32(00000000,?), ref: 00CA4C19
CopyRect.USER32(?,?), ref: 00CA4C30
SendMessageW.USER32(?,00000412,00000000), ref: 00CA4C9B

Strings

0, xrefs: 00CA49DE
tooltips_class32, xrefs: 00CA4AFF
(, xrefs: 00CA4C0C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dd7600717cb4b8c82adacbe6d09a6ffcf6a71261e8e3efe00cceb478a376cac1
Instruction ID: f58cbadb792542f4fcd48f6e21416245d17dde7b7ed076ae80b948d75d54a235
Opcode Fuzzy Hash: dd7600717cb4b8c82adacbe6d09a6ffcf6a71261e8e3efe00cceb478a376cac1
Instruction Fuzzy Hash: D3B1AB70604301AFDB08DF64C888B6ABBE4FF89318F00891CF5999B291D7B0ED05DB96

Function 00C227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C228BC
GetSystemMetrics.USER32(00000007), ref: 00C228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C228EF
GetSystemMetrics.USER32(00000008), ref: 00C228F7
GetSystemMetrics.USER32(00000004), ref: 00C2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C22990
GetClientRect.USER32(00000000,000000FF), ref: 00C229AE
GetStockObject.GDI32(00000011), ref: 00C229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C229D5

Part of subcall function 00C22344: GetCursorPos.USER32(?), ref: 00C22357
Part of subcall function 00C22344: ScreenToClient.USER32(00CE57B0,?), ref: 00C22374
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000001), ref: 00C22399
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000002), ref: 00C223A7

SetTimer.USER32(00000000,00000000,00000028,00C21256), ref: 00C229FC

Strings

AutoIt v3 GUI, xrefs: 00C22974

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f1bf786e9435abe04ee0667ac90cf2d301d9fd36c2feafcba01d9ebc4b3565b4
Instruction ID: 79d7f190d2765c98eb9d5d284596f4b8443b718301c03ee25069b373c0e24d8c
Opcode Fuzzy Hash: f1bf786e9435abe04ee0667ac90cf2d301d9fd36c2feafcba01d9ebc4b3565b4
Instruction Fuzzy Hash: 9EB17B75A0021AEFDB24DFA8DC85BAD7BB4FB08315F104229FA15AB2E0DB74D951CB50

Function 00C7A844 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C7A885
__swprintf.LIBCMT ref: 00C7A926
_wcscmp.LIBCMT ref: 00C7A939
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C7A98E
_wcscmp.LIBCMT ref: 00C7A9CA
GetClassNameW.USER32(?,?,00000400), ref: 00C7AA01
GetDlgCtrlID.USER32(?), ref: 00C7AA53
GetWindowRect.USER32(?,?), ref: 00C7AA89
GetParent.USER32(?), ref: 00C7AAA7
ScreenToClient.USER32(00000000), ref: 00C7AAAE
GetClassNameW.USER32(?,?,00000100), ref: 00C7AB28
_wcscmp.LIBCMT ref: 00C7AB3C
GetWindowTextW.USER32(?,?,00000400), ref: 00C7AB62
_wcscmp.LIBCMT ref: 00C7AB76

Part of subcall function 00C437AC: _iswctype.LIBCMT ref: 00C437B4

Strings

%s%u, xrefs: 00C7A920

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5b5029fa9475e01de1d628875ab608d28b9bdbd13d9d2e41c9bbf4bbdcc81a9d
Instruction ID: edbb924590a8aa6c1e5f01b4655c9ac48865e4ff44b2b4087c1f720fae5f383b
Opcode Fuzzy Hash: 5b5029fa9475e01de1d628875ab608d28b9bdbd13d9d2e41c9bbf4bbdcc81a9d
Instruction Fuzzy Hash: B0A1CF71204606AFD718DF64C884FAEB7E9FF84354F108629F9ADC2190D730EA56CB92

Function 00C7B196 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C7B1DA
_wcscmp.LIBCMT ref: 00C7B1EB
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C7B213
CharUpperBuffW.USER32(?,00000000), ref: 00C7B230
_wcscmp.LIBCMT ref: 00C7B24E
_wcsstr.LIBCMT ref: 00C7B25F
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7B297
_wcscmp.LIBCMT ref: 00C7B2A7
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C7B2CE
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7B317
_wcscmp.LIBCMT ref: 00C7B327
GetClassNameW.USER32(00000010,?,00000400), ref: 00C7B34F
GetWindowRect.USER32(00000004,?), ref: 00C7B3B8

Strings

@, xrefs: 00C7B1BB
ThumbnailClass, xrefs: 00C7B2A2, 00C7B322

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: d921c1c9ac730d688a97011a52af78b16adb0c9d6feec0017720312da0195618
Instruction ID: 897efd9870b736d4239c77432e625985344f2b087c7644f3b4fdc40fa9110e00
Opcode Fuzzy Hash: d921c1c9ac730d688a97011a52af78b16adb0c9d6feec0017720312da0195618
Instruction Fuzzy Hash: D8819E710082469FDB04DF14C985FAA7BE8FF84318F04C56AFD999A0A6DB34DE46CB61

Function 00C7AFDF Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7B03E

Strings

[ACTIVE, xrefs: 00C7B02B
[ALL, xrefs: 00C7B0E4
[REGEXPTITLE:, xrefs: 00C7B066
CLASSNAME=, xrefs: 00C7B07B
LAST, xrefs: 00C7B003
ACTIVE, xrefs: 00C7B019
[CLASS:, xrefs: 00C7B08E
HANDLE=, xrefs: 00C7B037
ALL, xrefs: 00C7B0D2
[LAST, xrefs: 00C7B0EB
[HANDLE:, xrefs: 00C7B04A
REGEXP=, xrefs: 00C7B053

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ebe95bc89b6c0ddbe872a1a8a83785fb7db9a9c7c6cf59004ff431c7e064c070
Instruction ID: e2a2ce8446f0fe3e31540ebe6fee6646a22d007dd0329790b9c4e124ee07e6b4
Opcode Fuzzy Hash: ebe95bc89b6c0ddbe872a1a8a83785fb7db9a9c7c6cf59004ff431c7e064c070
Instruction Fuzzy Hash: 6831E131A48219AADB20FA60DD83FAF77A4AF20710F60062AF529711D2FF716F04E650

Function 00C7C2C0 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C7C2D3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C7C2E5
SetWindowTextW.USER32(?,?), ref: 00C7C2FC
GetDlgItem.USER32(?,000003EA), ref: 00C7C311
SetWindowTextW.USER32(00000000,?), ref: 00C7C317
GetDlgItem.USER32(?,000003E9), ref: 00C7C327
SetWindowTextW.USER32(00000000,?), ref: 00C7C32D
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C7C34E
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C7C368
GetWindowRect.USER32(?,?), ref: 00C7C371
SetWindowTextW.USER32(?,?), ref: 00C7C3DC
GetDesktopWindow.USER32 ref: 00C7C3E2
GetWindowRect.USER32(00000000), ref: 00C7C3E9
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C7C435
GetClientRect.USER32(?,?), ref: 00C7C442
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C7C467
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C7C492

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 4390f2eeb09dd2400ebaa73f06687c999b125fcfb08f53e0f907429fb950f02b
Instruction ID: 5106b7c5bc99964cba8ab6e6ec3b953765e24c65a46759925b49125d3be5f7e7
Opcode Fuzzy Hash: 4390f2eeb09dd2400ebaa73f06687c999b125fcfb08f53e0f907429fb950f02b
Instruction Fuzzy Hash: 45514C3190070AEFDB209FA8DD85BAEBBB5FF04709F00852CE696A35A0C774A955DB50

Function 00C95113 Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00C95129
LoadCursorW.USER32(00000000,00007F00), ref: 00C95134
LoadCursorW.USER32(00000000,00007F03), ref: 00C9513F
LoadCursorW.USER32(00000000,00007F8B), ref: 00C9514A
LoadCursorW.USER32(00000000,00007F01), ref: 00C95155
LoadCursorW.USER32(00000000,00007F81), ref: 00C95160
LoadCursorW.USER32(00000000,00007F88), ref: 00C9516B
LoadCursorW.USER32(00000000,00007F80), ref: 00C95176
LoadCursorW.USER32(00000000,00007F86), ref: 00C95181
LoadCursorW.USER32(00000000,00007F83), ref: 00C9518C
LoadCursorW.USER32(00000000,00007F85), ref: 00C95197
LoadCursorW.USER32(00000000,00007F82), ref: 00C951A2
LoadCursorW.USER32(00000000,00007F84), ref: 00C951AD
LoadCursorW.USER32(00000000,00007F04), ref: 00C951B8
LoadCursorW.USER32(00000000,00007F02), ref: 00C951C3
LoadCursorW.USER32(00000000,00007F89), ref: 00C951CE
GetCursorInfo.USER32(?), ref: 00C951DE

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 05118533838b9c9ebf4474228e4fd8ddb213754bb29e0a5963ce53887bfba13a
Instruction ID: 9db81b9e9fd4a42fa7eb2d160581236cc58140c8893b9042b8ce29ac45ff5bb6
Opcode Fuzzy Hash: 05118533838b9c9ebf4474228e4fd8ddb213754bb29e0a5963ce53887bfba13a
Instruction Fuzzy Hash: D13135B0D48719AADF109FB68C8996FBEE8FF04750F50452AE51DE7280DA7865008FA1

Function 00CAA1EB Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAA28B
DestroyWindow.USER32(00000000,?), ref: 00CAA305

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CAA37F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CAA3A1
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAA3B4
DestroyWindow.USER32(00000000), ref: 00CAA3D6
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C20000,00000000), ref: 00CAA40D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAA426
GetDesktopWindow.USER32 ref: 00CAA43F
GetWindowRect.USER32(00000000), ref: 00CAA446
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CAA45E
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CAA476

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

Strings

0, xrefs: 00CAA2A1
tooltips_class32, xrefs: 00CAA378, 00CAA406

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7771f6284b8610b91cdf0d923244dbd38c5471a4337b37b3dcfbc516334c256e
Instruction ID: 52f542af3bea1476e68452a8ab8b1c69b8f09539147bd219f3c58255d8bda963
Opcode Fuzzy Hash: 7771f6284b8610b91cdf0d923244dbd38c5471a4337b37b3dcfbc516334c256e
Instruction Fuzzy Hash: 4171CD70140645AFDB20CF28DC48F6A77E5FB8A708F04052DF9968B2A1D770EA02DF62

Function 00CAC668 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DragQueryPoint.SHELL32(?,?), ref: 00CAC691

Part of subcall function 00CAAB69: ClientToScreen.USER32(?,?), ref: 00CAAB92
Part of subcall function 00CAAB69: GetWindowRect.USER32(?,?), ref: 00CAAC08
Part of subcall function 00CAAB69: PtInRect.USER32(?,?,00CAC07E), ref: 00CAAC18

SendMessageW.USER32(?,000000B0,?,?), ref: 00CAC6FA
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CAC705
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CAC728
_wcscat.LIBCMT ref: 00CAC758
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CAC76F
SendMessageW.USER32(?,000000B0,?,?), ref: 00CAC788
SendMessageW.USER32(?,000000B1,?,?), ref: 00CAC79F
SendMessageW.USER32(?,000000B1,?,?), ref: 00CAC7C1
DragFinish.SHELL32(?), ref: 00CAC7C8
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CAC8BB

Strings

@GUI_DRAGFILE, xrefs: 00CAC86A
@GUI_DROPID, xrefs: 00CAC7E8
@GUI_DRAGID, xrefs: 00CAC833

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 353174237d8029bbceee1bf271b18f697a4b481ca6de7fa4ed914096c421e87f
Instruction ID: 2baef257ba3d868fccf66bf6b86b67688f883a752bc8c2373323d55bbdd4dc08
Opcode Fuzzy Hash: 353174237d8029bbceee1bf271b18f697a4b481ca6de7fa4ed914096c421e87f
Instruction Fuzzy Hash: 5B616C71108311AFC710EFA4DC85E9FBBE8EB89714F00092EF691971A1DB709A09DB92

Function 00C87DC3 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C87E08
VariantCopy.OLEAUT32(00000000,?), ref: 00C87E11
VariantClear.OLEAUT32(00000000), ref: 00C87E1D
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C87F0B
__swprintf.LIBCMT ref: 00C87F3B
VarR8FromDec.OLEAUT32(?,?), ref: 00C87F67
VariantInit.OLEAUT32(?), ref: 00C88018
SysFreeString.OLEAUT32(00000016), ref: 00C880AC
VariantClear.OLEAUT32(?), ref: 00C88106
VariantClear.OLEAUT32(?), ref: 00C88115
VariantInit.OLEAUT32(00000000), ref: 00C88153

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C87F35
Default, xrefs: 00C87FC8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 45a1f3b61691258a6d37e086904a4e1f2286c307ea7870b6d58ed83d06e3d284
Instruction ID: ae0f7e26c73ec557b06a3acef7afeb214ef18ea6489b536778d713cbe9849e00
Opcode Fuzzy Hash: 45a1f3b61691258a6d37e086904a4e1f2286c307ea7870b6d58ed83d06e3d284
Instruction Fuzzy Hash: A0D10731608526DFDB20BFA6D884B6AB7B4FF05308F3482A9F4159B590EB30DD44EB65

Function 00CA43FB Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA448D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA44D8

Strings

GETITEMCOUNT, xrefs: 00CA45BA
SELECT, xrefs: 00CA4689
ISCHECKED, xrefs: 00CA465B
UNCHECK, xrefs: 00CA46B4
GETSELECTED, xrefs: 00CA45E8
GETTEXT, xrefs: 00CA462B
CHECK, xrefs: 00CA44F8
EXISTS, xrefs: 00CA4541
GETTOTALCOUNT, xrefs: 00CA44BF
EXPAND, xrefs: 00CA458A
COLLAPSE, xrefs: 00CA451E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: cb2052de8e402a67eb69a15ee54a053b2e0abacb6aa8f483cd9b8f8b3c2fadea
Instruction ID: af747df31301f56fab29e2e07bf5688f8b9b9d5074768dc99541680d59474b71
Opcode Fuzzy Hash: cb2052de8e402a67eb69a15ee54a053b2e0abacb6aa8f483cd9b8f8b3c2fadea
Instruction Fuzzy Hash: 90919374204712DFCB18EF10C491A6DB7A1EF85314F14885DF89A5B7A2CB71ED4AEB82

Function 00CAB832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CAB8E8
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CA6B43,?), ref: 00CAB944
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAB97D
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CAB9C0
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAB9F7
FreeLibrary.KERNEL32(?), ref: 00CABA03
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CABA13
DestroyIcon.USER32(?), ref: 00CABA22
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CABA3F
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CABA4B

Part of subcall function 00C4307D: __wcsicmp_l.LIBCMT ref: 00C43106

Strings

.icl, xrefs: 00CAB85E
.dll, xrefs: 00CAB8A1
.exe, xrefs: 00CAB87E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: ba44623bd9d74a9b54318f828f95182bfbf0bfda4fdfeee27b04bc848487f82b
Instruction ID: bba899f18b237bc749b135057ec235e26daad209c79621f91ad4a7615b71e563
Opcode Fuzzy Hash: ba44623bd9d74a9b54318f828f95182bfbf0bfda4fdfeee27b04bc848487f82b
Instruction Fuzzy Hash: B361F07190061ABAEB24DF64DC41BBE77A8FF0A714F10411AF925D61C1DB74AE81E7A0

Function 00C8DCA6 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C8DD68
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C8DD78
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C8DD84
__wsplitpath.LIBCMT ref: 00C8DDE2
_wcscat.LIBCMT ref: 00C8DDFA
_wcscat.LIBCMT ref: 00C8DE0C
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C8DE21
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DE35
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DE67
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DE88
_wcscpy.LIBCMT ref: 00C8DE94
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C8DED3

Strings

*.*, xrefs: 00C8DE8E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: b8cfbd2ba3691c043ca270a728c8d6666e3e87d53257132bd8874c85ff94dce4
Instruction ID: 10409ea39630ec5cf3acfa83ccf6bcf3e91a42f430ded8e71ee5dca173d2ed89
Opcode Fuzzy Hash: b8cfbd2ba3691c043ca270a728c8d6666e3e87d53257132bd8874c85ff94dce4
Instruction Fuzzy Hash: 1C61AD765043159FCB10EF60D881AAEB3E8FF89314F04492EF99AC7251DB31EA45CB96

Function 00C9742F Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C974A4
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C974B0
CreateCompatibleDC.GDI32(?), ref: 00C974BC
SelectObject.GDI32(00000000,?), ref: 00C974C9
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,es-mx), ref: 00C9751D
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C97559
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C9757D
SelectObject.GDI32(00000006,?), ref: 00C97585
DeleteObject.GDI32(?), ref: 00C9758E
DeleteDC.GDI32(00000006), ref: 00C97595
ReleaseDC.USER32(00000000,?), ref: 00C975A0

Strings

(, xrefs: 00C97525
es-mx, xrefs: 00C97508

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: ($es-mx
API String ID: 2598888154-1799561661
Opcode ID: d3c6c45c720d8e7216cf59e879901cd9764336c307991bb9dac55edd7dcd14ee
Instruction ID: 112944a279f6bc9c5fd56cfa794d4d950d1f2d4d2e9bb18aec3eb21afb631442
Opcode Fuzzy Hash: d3c6c45c720d8e7216cf59e879901cd9764336c307991bb9dac55edd7dcd14ee
Instruction Fuzzy Hash: AD514A71904209EFCB25CFA8CC89FAEBBB9EF49310F14852DF99A97211D731A941CB50

Function 00C89CC2 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00C89D09

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C89D2A
__swprintf.LIBCMT ref: 00C89D83
__swprintf.LIBCMT ref: 00C89D9C
_wprintf.LIBCMT ref: 00C89E43
_wprintf.LIBCMT ref: 00C89E61

Strings

^ ERROR , xrefs: 00C89DD8
Error: , xrefs: 00C89E0B
Line %d (File "%s"):, xrefs: 00C89D7D, 00C89D96
"%s" (%d) : ==> %s:, xrefs: 00C89E5C
Incorrect parameters to object property !, xrefs: 00C89DE5
"%s" (%d) : ==> %s:%s%s, xrefs: 00C89E3E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 7aa62f0a50779b8ec1f300bcc24b9e1c7970176a7dc7e667b63f7bed7174c189
Instruction ID: 4188ce56663d7506a80f4aeda8d391ce6485543db54ea0f90fc18b336bdac1d6
Opcode Fuzzy Hash: 7aa62f0a50779b8ec1f300bcc24b9e1c7970176a7dc7e667b63f7bed7174c189
Instruction Fuzzy Hash: 00518071900619AACF15EBE0DD86EEEB778EF14304F140166F505721A2EF312F59EBA0

Function 00C8A3DC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

CharLowerBuffW.USER32(?,?), ref: 00C8A455
GetDriveTypeW.KERNEL32 ref: 00C8A4A2
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A4EA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A521
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A54F

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Strings

type cdaudio alias cd wait, xrefs: 00C8A4CD
set cd door , xrefs: 00C8A4F0
close, xrefs: 00C8A45B
wait, xrefs: 00C8A50C
open, xrefs: 00C8A47C
open , xrefs: 00C8A4B1
closed, xrefs: 00C8A469, 00C8A472
close cd wait, xrefs: 00C8A53A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: f06ac6b2b2f7d8a83b229c667d5952528e18fd30ecc4950475e0ce7bc136d552
Instruction ID: ceced205d568826578771c2a7c73d0ea306e6b71a5a06873e7d9900585796b50
Opcode Fuzzy Hash: f06ac6b2b2f7d8a83b229c667d5952528e18fd30ecc4950475e0ce7bc136d552
Instruction Fuzzy Hash: 80515C711047149FD700EF20D8D196AB7E4FF84718F10496EF89A976A1DB31EE0ADB92

Function 00C7FBDB Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C5E382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C7FC10
LoadStringW.USER32(00000000,?,00C5E382,00000001), ref: 00C7FC19

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

GetModuleHandleW.KERNEL32(00000000,00CE5310,?,00000FFF,?,?,00C5E382,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C7FC3B
LoadStringW.USER32(00000000,?,00C5E382,00000001), ref: 00C7FC3E
__swprintf.LIBCMT ref: 00C7FC8E
__swprintf.LIBCMT ref: 00C7FC9F
_wprintf.LIBCMT ref: 00C7FD48
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7FD5F

Strings

Error: , xrefs: 00C7FD16
Line %d (File "%s"):, xrefs: 00C7FC88
%s (%d) : ==> %s: %s %s, xrefs: 00C7FD43
^ ERROR, xrefs: 00C7FCF4
Line %d:, xrefs: 00C7FC99

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 393f00b7164207b8db1e6a7bf5a210eeb9019e241c9d401655b5d14758e66c7e
Instruction ID: f50e5344869125db5602268bba58ebf52c4d3ea6c39f32b3f09775f1ce08ba3b
Opcode Fuzzy Hash: 393f00b7164207b8db1e6a7bf5a210eeb9019e241c9d401655b5d14758e66c7e
Instruction Fuzzy Hash: 22413E72804219AACF15FBE0DDD6EEEB778AF14700F500169F60576092EE716F49EBA0

Function 00C5AA4B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00C5AAAB
___wtomb_environ.LIBCMT ref: 00C5AACD

Part of subcall function 00C48CA8: __getptd_noexit.LIBCMT ref: 00C48CA8

__malloc_crt.LIBCMT ref: 00C5AAF5
__malloc_crt.LIBCMT ref: 00C5AB12
_free.LIBCMT ref: 00C5AB49
__recalloc_crt.LIBCMT ref: 00C5AB82
__recalloc_crt.LIBCMT ref: 00C5ABC7
_strlen.LIBCMT ref: 00C5ABF3
__calloc_crt.LIBCMT ref: 00C5ABFD
_strlen.LIBCMT ref: 00C5AC0C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00C5AC3A
_free.LIBCMT ref: 00C5AC54
_free.LIBCMT ref: 00C5AC61
_free.LIBCMT ref: 00C5AC73
__invoke_watson.LIBCMT ref: 00C5AC8D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: f69449a8de76ec6e47838c1f0ec4d86a25b126a9336409a4fda3be004aed04d7
Instruction ID: 4661f97264a8ebd3cd6a152e25d87b1737c6fa0ad40f4224f1bd66f2ce57060f
Opcode Fuzzy Hash: f69449a8de76ec6e47838c1f0ec4d86a25b126a9336409a4fda3be004aed04d7
Instruction Fuzzy Hash: 4961F57A900211EFEB205F26DD4576E77A8FF00362F104319EC119B191DB35EAC8EB9A

Function 00CABA67 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CABA8A
GetFileSize.KERNEL32(00000000,00000000), ref: 00CABAA1
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CABAAC
CloseHandle.KERNEL32(00000000), ref: 00CABAB9
GlobalLock.KERNEL32(00000000), ref: 00CABAC2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CABAD1
GlobalUnlock.KERNEL32(00000000), ref: 00CABADA
CloseHandle.KERNEL32(00000000), ref: 00CABAE1
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CABAF2
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CB2CAC,?), ref: 00CABB0B
GlobalFree.KERNEL32(00000000), ref: 00CABB1B
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CABB3F
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00CABB6A
DeleteObject.GDI32(00000000), ref: 00CABB92
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CABBA8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5104b414091ef119f1a3915cb952b367b0811b77bb3e21cbaacd5075dc7b96d7
Instruction ID: 557d64d36309b5a14ad6f924732401995bf8a30f65692d636ae060199863c556
Opcode Fuzzy Hash: 5104b414091ef119f1a3915cb952b367b0811b77bb3e21cbaacd5075dc7b96d7
Instruction Fuzzy Hash: E5411A75600209EFDB219FA5DC88FAE7BB8EF8A719F104168F915D7261D7309E02DB60

Function 00C8D925 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C8DA9C
_wcscat.LIBCMT ref: 00C8DAB4
_wcscat.LIBCMT ref: 00C8DAC6
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C8DADB
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DAEF
GetFileAttributesW.KERNEL32(?), ref: 00C8DB07
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C8DB21
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DB33

Strings

*.*, xrefs: 00C8DB72

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: e6e369acb7c8798772af7144d7343d2c9186610a7de6029157994979b1e09723
Instruction ID: d88b2a2501aac21a6f8d730fd4e22c4297d85b3e18729de3f45ea8b8b2d0bccc
Opcode Fuzzy Hash: e6e369acb7c8798772af7144d7343d2c9186610a7de6029157994979b1e09723
Instruction Fuzzy Hash: 198192715083509FCB24FF65C845AAAB7E4FB88318F28482EF497D7291DA30DE44DB56

Function 00CAC216 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CAC266
GetFocus.USER32 ref: 00CAC276
GetDlgCtrlID.USER32(00000000), ref: 00CAC281
_memset.LIBCMT ref: 00CAC3AC
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CAC3D7
GetMenuItemCount.USER32(?), ref: 00CAC3F7
GetMenuItemID.USER32(?,00000000), ref: 00CAC40A
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CAC43E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CAC486
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CAC4BE
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CAC4F3

Strings

0, xrefs: 00CAC3A4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: ebfaa2add2d414453492db5eb021c30d6d98f7dc8de3d46fdedb1e0d7cd72a78
Instruction ID: 0e3da3173d2e4bf1f55dde5604bbf78f8adaff39f803662070d60705a1781b04
Opcode Fuzzy Hash: ebfaa2add2d414453492db5eb021c30d6d98f7dc8de3d46fdedb1e0d7cd72a78
Instruction Fuzzy Hash: 1E817D71508302AFDB20CF54D894A7EBBE8FB8A718F00452DF9A5972A1D730D905DBA2

Function 00C891FE Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C89008: __time64.LIBCMT ref: 00C89012

Part of subcall function 00C25045: _fseek.LIBCMT ref: 00C2505D

__wsplitpath.LIBCMT ref: 00C892DD

Part of subcall function 00C4426E: __wsplitpath_helper.LIBCMT ref: 00C442AE

_wcscpy.LIBCMT ref: 00C892F0
_wcscat.LIBCMT ref: 00C89303
__wsplitpath.LIBCMT ref: 00C89328
_wcscat.LIBCMT ref: 00C8933E
_wcscat.LIBCMT ref: 00C89351

Part of subcall function 00C8904E: _memmove.LIBCMT ref: 00C89087
Part of subcall function 00C8904E: _memmove.LIBCMT ref: 00C89096

_wcscmp.LIBCMT ref: 00C89298

Part of subcall function 00C897DD: _wcscmp.LIBCMT ref: 00C898CD
Part of subcall function 00C897DD: _wcscmp.LIBCMT ref: 00C898E0

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C894FB
_wcsncpy.LIBCMT ref: 00C8956E
DeleteFileW.KERNEL32(?,?), ref: 00C895A4
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C895BA
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C895CB
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C895DD

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 9c3e20e0af56f4e0c27c9312f8eaa76b2fa81f16083c070a2dfd771b84821909
Instruction ID: 2356892d2efe76641772def9808afe4985c46a389adc8ac8d92c5d97d872b062
Opcode Fuzzy Hash: 9c3e20e0af56f4e0c27c9312f8eaa76b2fa81f16083c070a2dfd771b84821909
Instruction Fuzzy Hash: E0C16BB1D00229AADF21EFA5CC85AEFB7BCEF44314F0440AAF609E7151DB709A449F64

Function 00C26BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C40AD7: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C26C6C,?,00008000), ref: 00C40AF3

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C26D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00C26E5A

Part of subcall function 00C259CD: _wcscpy.LIBCMT ref: 00C25A05

Part of subcall function 00C437BD: _iswctype.LIBCMT ref: 00C437C5

Strings

Unterminated string, xrefs: 00C5EB3D
Error opening the file, xrefs: 00C5E796, 00C5E811
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C5E77A
Bad directive syntax error, xrefs: 00C5EAF6
EA06, xrefs: 00C5E7AB
>>>AUTOIT SCRIPT<<<, xrefs: 00C5E7EF
AU3!, xrefs: 00C26CC1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: dbcfdf62ce80c591ad0e053ee9b5b95a20c2b0f5983334785a47ca3b8b90e210
Instruction ID: e48d166fcfc19a3ce7074aabb7c612b7aaea61c10889fecd7f1b5a8359a9379c
Opcode Fuzzy Hash: dbcfdf62ce80c591ad0e053ee9b5b95a20c2b0f5983334785a47ca3b8b90e210
Instruction Fuzzy Hash: 9E02D0301083519FC724EF24D881AAFBBE5FF98314F04491DF899936A1DB30DA89EB52

Function 00C245DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C245F9
GetMenuItemCount.USER32(00CE5890), ref: 00C5D6FD
GetMenuItemCount.USER32(00CE5890), ref: 00C5D7AD
GetCursorPos.USER32(?), ref: 00C5D7F1
SetForegroundWindow.USER32(00000000), ref: 00C5D7FA
TrackPopupMenuEx.USER32(00CE5890,00000000,?,00000000,00000000,00000000), ref: 00C5D80D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C5D819

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 7337b94a983a449824b1f5f1812a9af2b7c10606b8a53716a4f1ff50df652983
Instruction ID: fbe5a442a5cf5bcf2896f095232f7f09d14808a5897048780e5d84220d6786ec
Opcode Fuzzy Hash: 7337b94a983a449824b1f5f1812a9af2b7c10606b8a53716a4f1ff50df652983
Instruction Fuzzy Hash: 9A711334640315BFEB309F54DC89FAABF64FF05369F100216F92AAA1E0CBB15994DB58

Function 00C77B04 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

_memset.LIBCMT ref: 00C77B93
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C77BC8
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C77BE4
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C77C00
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C77C2A
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C77C52
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C77C5D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C77C62

Strings

\IPC$, xrefs: 00C77BAA
SOFTWARE\Classes\, xrefs: 00C77B34
\CLSID, xrefs: 00C77B4A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: f43d5978c0e4f7d92e6d14ab2e9f2147dcef63b99c350c6b38623bd2e13aa4b2
Instruction ID: d8e961b50d041cabb95729d3e08b9c0461903728eee39cf6048655f385749951
Opcode Fuzzy Hash: f43d5978c0e4f7d92e6d14ab2e9f2147dcef63b99c350c6b38623bd2e13aa4b2
Instruction Fuzzy Hash: DB41F97281422DABCB21EBA4EC85DEEB778FF08700F054669E915A3161EB305E05DB90

Function 00CA0EA5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FE38,?,?), ref: 00CA0EBC

Strings

HKCU, xrefs: 00CA0FAC
HKEY_LOCAL_MACHINE, xrefs: 00CA0F25
HKU, xrefs: 00CA0FCE
HKEY_CURRENT_USER, xrefs: 00CA0F9B
HKEY_CURRENT_CONFIG, xrefs: 00CA0F79
HKCC, xrefs: 00CA0F8A
HKEY_CLASSES_ROOT, xrefs: 00CA0F4F
HKLM, xrefs: 00CA0F3A
HKEY_USERS, xrefs: 00CA0FBD
HKCR, xrefs: 00CA0F64

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 478d9a382045bced771c7dac9aff8e49920e23545d7c14ecb5409fe5562911b2
Instruction ID: 847edc15ee07a4fbef1fd84f0657a9c731886304096093aeb3ca28d4d08265f1
Opcode Fuzzy Hash: 478d9a382045bced771c7dac9aff8e49920e23545d7c14ecb5409fe5562911b2
Instruction Fuzzy Hash: F3417D7414024A8FCF20EF50ECD1AEE3720FF12358F240515FD522B292DB359A5AEBA1

Function 00C7FAD2 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C5E5F9,00000010,?,Bad directive syntax error,00CAF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C7FAF3
LoadStringW.USER32(00000000,?,00C5E5F9,00000010), ref: 00C7FAFA

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

_wprintf.LIBCMT ref: 00C7FB2D
__swprintf.LIBCMT ref: 00C7FB4F
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C7FBBE

Strings

Line %d (File "%s"):, xrefs: 00C7FB64
%s (%d) : ==> %s.: %s %s, xrefs: 00C7FB28
., xrefs: 00C7FBA4
Line %d:, xrefs: 00C7FB49
Error: , xrefs: 00C7FB8C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: b10f6a319de308c7fa815c48e5c6c09d1106b2d80999dea63feaed1715a474f5
Instruction ID: 3561d56147bc2a7552b2ce16e455cd3846d00c6b4c9a9291e4d279b364555aa8
Opcode Fuzzy Hash: b10f6a319de308c7fa815c48e5c6c09d1106b2d80999dea63feaed1715a474f5
Instruction Fuzzy Hash: 6621743284421EEBCF12EFA0DC9AFEE7775FF14300F04446AF615620A1DA719A19EB50

Function 00C8536E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Part of subcall function 00C27A84: _memmove.LIBCMT ref: 00C27B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C853D7
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C853ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C853FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C85410
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C85421

Strings

close PlayMe, xrefs: 00C853E8, 00C85415
status PlayMe mode, xrefs: 00C853D2
open , xrefs: 00C85386
alias PlayMe, xrefs: 00C853B0
play PlayMe wait, xrefs: 00C8540B
play PlayMe, xrefs: 00C8541C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a4c1268bbb13684d073923f7fffab9d422e416cbf34b450fed3ad620c25eb22e
Instruction ID: be74a62bae64df739d1374c214361bcb84829bd975e31161016a153c3f221d03
Opcode Fuzzy Hash: a4c1268bbb13684d073923f7fffab9d422e416cbf34b450fed3ad620c25eb22e
Instruction Fuzzy Hash: F0119131A9013979D720B7A1DC8ADFF7BBCEBD1B54F00052AB511A21D1EEA05E4AD6B0

Function 00C846F8 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C84713
gethostname.WSOCK32(?,00000100), ref: 00C8472D
gethostbyname.WSOCK32(?), ref: 00C8473A
_wcscpy.LIBCMT ref: 00C84762
_memmove.LIBCMT ref: 00C84775
inet_ntoa.WSOCK32(?), ref: 00C84780
_strcat.LIBCMT ref: 00C8478E
_wcscpy.LIBCMT ref: 00C847A5
WSACleanup.WSOCK32 ref: 00C847B3
_wcscpy.LIBCMT ref: 00C847C1

Strings

0.0.0.0, xrefs: 00C8475C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 1763744fd53354c51cb2eaec59b1764dbb960d257e7b0638c6dc60691e8f7e00
Instruction ID: d922b77e6685eb35fdf75b01522efe690fed4c7113e8a13802e8023ea34fefd0
Opcode Fuzzy Hash: 1763744fd53354c51cb2eaec59b1764dbb960d257e7b0638c6dc60691e8f7e00
Instruction Fuzzy Hash: 56110231904115ABDB28BBA0DC4AFEE77BCEF03718F0101BAF50496091EF748A86DB94

Function 00C8501C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C85021

Part of subcall function 00C4034A: timeGetTime.WINMM(?,75C0B400,00C30FDB), ref: 00C4034E

Sleep.KERNEL32(0000000A), ref: 00C8504D
EnumThreadWindows.USER32(?,Function_00064FCF,00000000), ref: 00C85071
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C85093
SetActiveWindow.USER32 ref: 00C850B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C850C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C850DF
Sleep.KERNEL32(000000FA), ref: 00C850EA
IsWindow.USER32 ref: 00C850F6
EndDialog.USER32(00000000), ref: 00C85107

Strings

BUTTON, xrefs: 00C85085

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ce70a7508aa0e82be5d31cb59d713b29e8100e582507bf3e7e4948eef3fdc1eb
Instruction ID: bc4f666cfa3c685fca83e97d48fa5742a8c5a60275305c84df2646783cd49689
Opcode Fuzzy Hash: ce70a7508aa0e82be5d31cb59d713b29e8100e582507bf3e7e4948eef3fdc1eb
Instruction Fuzzy Hash: 3E218E71201A49AFE7106FA0ECCDF3E3B69EB5538DB041028F611862B1DBB18D41AB65

Function 00C8D619 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

CoInitialize.OLE32(00000000), ref: 00C8D676
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C8D709
SHGetDesktopFolder.SHELL32(?), ref: 00C8D71D
CoCreateInstance.OLE32(00CB2D7C,00000000,00000001,00CD8C1C,?), ref: 00C8D769
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C8D7D8
CoTaskMemFree.OLE32(?,?), ref: 00C8D830
_memset.LIBCMT ref: 00C8D86D
SHBrowseForFolderW.SHELL32(?), ref: 00C8D8A9
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C8D8CC
CoTaskMemFree.OLE32(00000000), ref: 00C8D8D3
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C8D90A
CoUninitialize.OLE32(00000001,00000000), ref: 00C8D90C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 7f5b9f45a311e34a2570020194b88ae9b1aca976be2c24bf3d238261a86e95e1
Instruction ID: 0be8b20332bcdcf87291eb8edf2b539c68d738ff022f6e4007496274a35070d9
Opcode Fuzzy Hash: 7f5b9f45a311e34a2570020194b88ae9b1aca976be2c24bf3d238261a86e95e1
Instruction Fuzzy Hash: A8B10E75A00119AFDB14EFA4C888EAEBBB9FF48304F144469F40AEB251DB30ED41CB54

Function 00C8034D Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C803C8
SetKeyboardState.USER32(?), ref: 00C80433
GetAsyncKeyState.USER32(000000A0), ref: 00C80453
GetKeyState.USER32(000000A0), ref: 00C8046A
GetAsyncKeyState.USER32(000000A1), ref: 00C80499
GetKeyState.USER32(000000A1), ref: 00C804AA
GetAsyncKeyState.USER32(00000011), ref: 00C804D6
GetKeyState.USER32(00000011), ref: 00C804E4
GetAsyncKeyState.USER32(00000012), ref: 00C8050D
GetKeyState.USER32(00000012), ref: 00C8051B
GetAsyncKeyState.USER32(0000005B), ref: 00C80544
GetKeyState.USER32(0000005B), ref: 00C80552

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9adea10c514d68ede992772668f55e6b71b6abb402658fdb51dfe3e144b649b
Instruction ID: e4781303ddf98d8a20ca67f60614cb62fcf347576bcefb599c0a20861da78046
Opcode Fuzzy Hash: c9adea10c514d68ede992772668f55e6b71b6abb402658fdb51dfe3e144b649b
Instruction Fuzzy Hash: 9351F8309087842AFB74FBB084117AEBFF49F02388F58859D99D2571D3DA649B4CCB69

Function 00C7C529 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C7C545
GetWindowRect.USER32(00000000,?), ref: 00C7C557
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C7C5B5
GetDlgItem.USER32(?,00000002), ref: 00C7C5C0
GetWindowRect.USER32(00000000,?), ref: 00C7C5D2
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C7C626
GetDlgItem.USER32(?,000003E9), ref: 00C7C634
GetWindowRect.USER32(00000000,?), ref: 00C7C645
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C7C688
GetDlgItem.USER32(?,000003EA), ref: 00C7C696
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C7C6B3
InvalidateRect.USER32(?,00000000,00000001), ref: 00C7C6C0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d94a46d63f65006ad44538ac00c45039b3097412c59298824a253ac1a6164004
Instruction ID: 5898de1c5e32dcc580ecc61ba7c9bc8f2dee5adfb451685a7e51c493aa8d77b2
Opcode Fuzzy Hash: d94a46d63f65006ad44538ac00c45039b3097412c59298824a253ac1a6164004
Instruction Fuzzy Hash: 97514371B00205AFDB18CFA9DDC5BAEBBB5EB89310F14812DF51AD7290D770AD018B50

Function 00C2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C22036,?,00000000,?,?,?,?,00C216CB,00000000,?), ref: 00C21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C220D3
KillTimer.USER32(-00000001,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00C5BE26
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BE57
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BE6E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BE8A
DeleteObject.GDI32(00000000), ref: 00C5BE9C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d923dd5623185eb933de8f878c9a1ca278d90a54b3eb98c45170ce40682625ba
Instruction ID: 99fdc8117ca55d89d8028a1f8d47e5f03d9d8ed4c06be66119e5fec37188a2c1
Opcode Fuzzy Hash: d923dd5623185eb933de8f878c9a1ca278d90a54b3eb98c45170ce40682625ba
Instruction Fuzzy Hash: B9619F35500A60EFCB359F15E989B2DBBF1FB4031AF14452DEA528B9B0C7B0AD95DB80

Function 00C221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

GetSysColor.USER32(0000000F), ref: 00C221D3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 996c942e80efb5422c00356d2648c8782ddda8b92790b1d6e738bb17f98075d0
Instruction ID: 16e514a2d87bbf2535092cb08ff9f2ff19ebb86e8eef53530f72f1113767ed1f
Opcode Fuzzy Hash: 996c942e80efb5422c00356d2648c8782ddda8b92790b1d6e738bb17f98075d0
Instruction Fuzzy Hash: 5641AF35000260EEDB255F68EC88BBD3B65EB46335F244365FE659B1E2C7328D82DB21

Function 00C8A931 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00CAF910), ref: 00C8A995
GetDriveTypeW.KERNEL32(00000061,00CD89A0,00000061), ref: 00C8AA5F
_wcscpy.LIBCMT ref: 00C8AA89

Strings

network, xrefs: 00C8A9F3
removable, xrefs: 00C8A9C7
unknown, xrefs: 00C8AA20
cdrom, xrefs: 00C8A9B1
fixed, xrefs: 00C8A9DD
ramdisk, xrefs: 00C8AA09
all, xrefs: 00C8A99B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 749cc649cff605c27c6357e9f55dedb5a1ab6e845ce27bf86a6ee66300332706
Instruction ID: 3742f0b5634d3873b74589cec98d0ca93b3f0933b088050ffecf99245240b61e
Opcode Fuzzy Hash: 749cc649cff605c27c6357e9f55dedb5a1ab6e845ce27bf86a6ee66300332706
Instruction Fuzzy Hash: 0051BD301083019FD714FF14D8D2AAEB7A5FF84308F54492EF5A6576A2DB309A09EB93

Function 00C29997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00C299C2
__swprintf.LIBCMT ref: 00C29A0C
__i64tow.LIBCMT ref: 00C5F93F

Strings

False, xrefs: 00C5F907
%.15g, xrefs: 00C29A06
True, xrefs: 00C5F900
0x%p, xrefs: 00C5F921

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 9f6222ac8b339036d27f3f9b29b956efe88829e6c52b78314438224e75ba5398
Instruction ID: 2a2479d7a8109d5c83a3aff686d5efb8ac68a17c1c03807b4147185df415a9eb
Opcode Fuzzy Hash: 9f6222ac8b339036d27f3f9b29b956efe88829e6c52b78314438224e75ba5398
Instruction Fuzzy Hash: 9A410431504215AEEB28AB74DC42E76B3E8FF45310F20447EE549D62D2EA719A86DB10

Function 00CA7184 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA719C
CreateMenu.USER32 ref: 00CA71B7
SetMenu.USER32(?,00000000), ref: 00CA71C6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA7253
IsMenu.USER32(?), ref: 00CA7269
CreatePopupMenu.USER32 ref: 00CA7273
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA72A0
DrawMenuBar.USER32 ref: 00CA72A8

Strings

0, xrefs: 00CA7192
F, xrefs: 00CA7294

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: f24e79f0c24aac407a4d0f57bc9c09cc5d479868b2947c1b849fb94fab40f810
Instruction ID: 38da3b14a678a70c9d4aefd1e5306766911c6b29228f9738032a84888ddef4a4
Opcode Fuzzy Hash: f24e79f0c24aac407a4d0f57bc9c09cc5d479868b2947c1b849fb94fab40f810
Instruction Fuzzy Hash: 9E412975A01206EFDB20DFA4D884B9A7BF5FF4A314F144229F955A7361D731AA10CBA0

Function 00CA74ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CA7590
CreateCompatibleDC.GDI32(00000000), ref: 00CA7597
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CA75AA
SelectObject.GDI32(00000000,00000000), ref: 00CA75B2
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CA75BD
DeleteDC.GDI32(00000000), ref: 00CA75C6
GetWindowLongW.USER32(?,000000EC), ref: 00CA75D0
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CA75E4
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CA75F0

Strings

static, xrefs: 00CA7528

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 351ba6c30ca12ce10485cfcf1adcdc00d26f82f95e45d29bd03444de1fb67c12
Instruction ID: a6fa92371bd42da35cb3c0a8db41a2ed66d3331e35ffccc9d5fc424adafef8e0
Opcode Fuzzy Hash: 351ba6c30ca12ce10485cfcf1adcdc00d26f82f95e45d29bd03444de1fb67c12
Instruction Fuzzy Hash: 35314C72505116ABDF129FA4DC48FDF3B69FF0A728F110328FA65A61A0C731D921DB64

Function 00C46F80 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C46FBB

Part of subcall function 00C48CA8: __getptd_noexit.LIBCMT ref: 00C48CA8

__gmtime64_s.LIBCMT ref: 00C47054
__gmtime64_s.LIBCMT ref: 00C4708A
__gmtime64_s.LIBCMT ref: 00C470A7
__allrem.LIBCMT ref: 00C470FD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C47119
__allrem.LIBCMT ref: 00C47130
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C4714E
__allrem.LIBCMT ref: 00C47165
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C47183
__invoke_watson.LIBCMT ref: 00C471F4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: a93a832fd28b38cd34a774f479f74fd27ecd2d9c315b5c2d190128d8db427b4d
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 3071FA72A00717ABEB149F79CC42B5EB3A8BF15365F14423AFD14E7281EB70EA449790

Function 00C8281F Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C8283A
GetMenuItemInfoW.USER32(00CE5890,000000FF,00000000,00000030), ref: 00C8289B
SetMenuItemInfoW.USER32(00CE5890,00000004,00000000,00000030), ref: 00C828D1
Sleep.KERNEL32(000001F4), ref: 00C828E3
GetMenuItemCount.USER32(?), ref: 00C82927
GetMenuItemID.USER32(?,00000000), ref: 00C82943
GetMenuItemID.USER32(?,-00000001), ref: 00C8296D
GetMenuItemID.USER32(?,?), ref: 00C829B2
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C829F8
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82A0C
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82A2D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: a3f140497e80168cb5f2a0f42797c0582465578a6a83bb224a067940f21f5dee
Instruction ID: 8fd7ff4c62b3160c15ea5126cb6e25670260cfa7d35283f95662267ae0e31395
Opcode Fuzzy Hash: a3f140497e80168cb5f2a0f42797c0582465578a6a83bb224a067940f21f5dee
Instruction Fuzzy Hash: DA619170900249AFDF25EFA4C88CEAE7BB9EF4530CF140059E852A7251D731AE06EB24

Function 00CA6F55 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA6FD7
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA6FDA
GetWindowLongW.USER32(?,000000F0), ref: 00CA6FFE
_memset.LIBCMT ref: 00CA700F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA7021
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA7099

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4dbb1480a3034ce30cfb9cff1dba334c3b3c87f30b15ffe91aed7f6728ce5908
Instruction ID: 048f25bc351e2d30e2aa491db2b77c55240cff63a620b022f5ff35bed6f96937
Opcode Fuzzy Hash: 4dbb1480a3034ce30cfb9cff1dba334c3b3c87f30b15ffe91aed7f6728ce5908
Instruction Fuzzy Hash: BE617C75A00249AFDB20DFA4CC81FEE77F8EB09718F14015AFA15AB2A1C770AE41DB50

Function 00C76EEE Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C76F15
SafeArrayAllocData.OLEAUT32(?), ref: 00C76F6E
VariantInit.OLEAUT32(?), ref: 00C76F80
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C76FA0
VariantCopy.OLEAUT32(?,?), ref: 00C76FF3
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C77007
VariantClear.OLEAUT32(?), ref: 00C7701C
SafeArrayDestroyData.OLEAUT32(?), ref: 00C77029
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C77032
VariantClear.OLEAUT32(?), ref: 00C77044
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C7704F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7a8e789d017563bd18fb79df873ec26172661d29f6b2cd792d7ab13f2dd34974
Instruction ID: 145eb7dafa458c510b794538502dba067a65fbe0e2e21d9bfbb339f0ec68d8fc
Opcode Fuzzy Hash: 7a8e789d017563bd18fb79df873ec26172661d29f6b2cd792d7ab13f2dd34974
Instruction Fuzzy Hash: F5413035A042199FCB00DFA4D848EAEBBB9FF48354F00C069F959A7261DB30A946DF90

Function 00C95848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C958A9
inet_addr.WSOCK32(?,?,?), ref: 00C958EE
gethostbyname.WSOCK32(?), ref: 00C958FA
IcmpCreateFile.IPHLPAPI ref: 00C95908
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C95978
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C9598E
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C95A03
WSACleanup.WSOCK32 ref: 00C95A09

Strings

Ping, xrefs: 00C9592C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1b20ecb813865eb0ba6e69cc62daef6e7e0e24ef7736c19fd059c71ac58943d4
Instruction ID: d5c7158e470c28d3ba0d081cc92bb0c5ec1b92c03f3a5f1df18679885e72b16c
Opcode Fuzzy Hash: 1b20ecb813865eb0ba6e69cc62daef6e7e0e24ef7736c19fd059c71ac58943d4
Instruction Fuzzy Hash: 1A517D31604700DFEB12EF65D849B2EB7E4EB49720F154529F9AADB2A1DB30ED01DB42

Function 00C8B54F Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8B55C
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C8B5D2
GetLastError.KERNEL32 ref: 00C8B5DC
SetErrorMode.KERNEL32(00000000,READY), ref: 00C8B649

Strings

READONLY, xrefs: 00C8B614
NOTREADY, xrefs: 00C8B608
INVALID, xrefs: 00C8B61B
UNKNOWN, xrefs: 00C8B601
READY, xrefs: 00C8B622

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1e4235a32f4f978b75b2f1f987162bc3dbf5a909ec978a53c64d28c05f2ebf4f
Instruction ID: effd16aba03c60d5bbd1d07b4163654aa6615807680f9b4aa021631b4d813a30
Opcode Fuzzy Hash: 1e4235a32f4f978b75b2f1f987162bc3dbf5a909ec978a53c64d28c05f2ebf4f
Instruction Fuzzy Hash: 5131AC75A04209AFCB14EFA5D885EAEB7B4EF08308F14412AF51597291EB70AE06CB94

Function 00C79251 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AEC7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C792D6
GetDlgCtrlID.USER32 ref: 00C792E1
GetParent.USER32 ref: 00C792FD
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C79300
GetDlgCtrlID.USER32(?), ref: 00C79309
GetParent.USER32(?), ref: 00C79325
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C79328

Strings

ListBox, xrefs: 00C79293
ComboBox, xrefs: 00C7925E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0e7114d339326d1c498f1d896148a53d4ec9bfc93fd712b87acdfca8a5f38f82
Instruction ID: 0ef11d5c5eb0737a3e04ffc5b8f7a630694ac62a56f6bbee225db950880b6bd0
Opcode Fuzzy Hash: 0e7114d339326d1c498f1d896148a53d4ec9bfc93fd712b87acdfca8a5f38f82
Instruction Fuzzy Hash: BC21D670940108BBDF04ABA0CC89EFEBB74EF46310F104169B561972E1DB755915EB20

Function 00C7933C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AEC7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C793BF
GetDlgCtrlID.USER32 ref: 00C793CA
GetParent.USER32 ref: 00C793E6
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C793E9
GetDlgCtrlID.USER32(?), ref: 00C793F2
GetParent.USER32(?), ref: 00C7940E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C79411

Strings

ListBox, xrefs: 00C7937E
ComboBox, xrefs: 00C79349

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 492cb61daa29432d7676e8c811b3240f5eaa38f1bf3e0b981ca8af676d99955e
Instruction ID: 6259d39fcb330dff9d2aa638ef908fbed82c68d9ec324261ee004dc984b259f1
Opcode Fuzzy Hash: 492cb61daa29432d7676e8c811b3240f5eaa38f1bf3e0b981ca8af676d99955e
Instruction Fuzzy Hash: 7821B374A40208BBDF00ABA4CCC9FFEBB74EF45300F10416AB921972A5DB755916EB20

Function 00C79425 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C79431
GetClassNameW.USER32(00000000,?,00000100), ref: 00C79446
_wcscmp.LIBCMT ref: 00C79458
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C794D3

Strings

SHELLDLL_DefView, xrefs: 00C79452
largeicons, xrefs: 00C79467
smallicons, xrefs: 00C7949B
details, xrefs: 00C79481
list, xrefs: 00C794B5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 972000787b5ff3b2b569c23f7a0293c46e6fb3694b8746b51f430e6dde27c9e0
Instruction ID: d0c6e75dfe155b768c9d03b31a3aac21d2b5b04e3aadaebc0b56687d9587bb5a
Opcode Fuzzy Hash: 972000787b5ff3b2b569c23f7a0293c46e6fb3694b8746b51f430e6dde27c9e0
Instruction Fuzzy Hash: 0511293764C307BAFA102620AC0BEA6379CDB06324F208227FA18E50E1FB7169535694

Function 00C989C0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C989EC
CoInitialize.OLE32(00000000), ref: 00C98A19
CoUninitialize.OLE32 ref: 00C98A23
GetRunningObjectTable.OLE32(00000000,?), ref: 00C98B23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C98C50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CB2C0C), ref: 00C98C84
CoGetObject.OLE32(?,00000000,00CB2C0C,?), ref: 00C98CA7
SetErrorMode.KERNEL32(00000000), ref: 00C98CBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C98D3A
VariantClear.OLEAUT32(?), ref: 00C98D4A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: e40b4c649d22f81410b693a5959e7cb3343f2a37d8e615ea125ba183b1072d0b
Instruction ID: 1a25b3002ca6b4c993a8fbeff7ca432171587f1dcabc7bd92584f905c062751d
Opcode Fuzzy Hash: e40b4c649d22f81410b693a5959e7cb3343f2a37d8e615ea125ba183b1072d0b
Instruction Fuzzy Hash: DEC138B12043059FDB00DF64C88892BB7E9FF8A748F04495DF58A9B251DB71ED0ACB52

Function 00C87A39 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C87B15

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 8c4477dc3c67ca830ecf4c7f81a0f5acb577c2c099cb7d1adb7b81b51941c149
Instruction ID: e738cc5da23fcf26665f7cc5fb0dd09e8915221a9e4fff86ed0fa6db5e77236b
Opcode Fuzzy Hash: 8c4477dc3c67ca830ecf4c7f81a0f5acb577c2c099cb7d1adb7b81b51941c149
Instruction Fuzzy Hash: 87B1C27190821A9FDB10EFA4C884BBEB7B4FF09329F34456AE510E7251E734E941DBA4

Function 00C814FF Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C81521
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C80599,?,00000001), ref: 00C81535
GetWindowThreadProcessId.USER32(00000000), ref: 00C8153C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C80599,?,00000001), ref: 00C8154B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C8155D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C80599,?,00000001), ref: 00C81576
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C80599,?,00000001), ref: 00C81588
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C80599,?,00000001), ref: 00C815CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C80599,?,00000001), ref: 00C815E2
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C80599,?,00000001), ref: 00C815ED

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 16cc4e6faeec743f04aecbf65df2bb119be61f55296d473fe1692849b77400be
Instruction ID: 14158317d51bcaef3cb777af27343b6a961052dc6e3aaee4c92543c43d484bd8
Opcode Fuzzy Hash: 16cc4e6faeec743f04aecbf65df2bb119be61f55296d473fe1692849b77400be
Instruction Fuzzy Hash: DD31B171910244FFDB60AF94EC84BAD37EDABA5369F144019FD15CB1A0D7B09E428B64

Function 00C2FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C2FC06
OleUninitialize.OLE32(?,00000000), ref: 00C2FCA5
UnregisterHotKey.USER32(?), ref: 00C2FDFC
DestroyWindow.USER32(?), ref: 00C6492F
FreeLibrary.KERNEL32(?), ref: 00C64994
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C649C1

Strings

close all, xrefs: 00C2FC01

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0f1420ac1a93d1d2c0b1dfdc9d00c96cfd4e02827a36f9968bec25a61fc65bb9
Instruction ID: 8bd1a7f844887dea83a99854343751de81b180484f352b49f4994c540693d055
Opcode Fuzzy Hash: 0f1420ac1a93d1d2c0b1dfdc9d00c96cfd4e02827a36f9968bec25a61fc65bb9
Instruction Fuzzy Hash: DAA17C30701226DFCB29EF14D495A6AF764BF04700F1442BDE90AAB662DB30AE17EF50

Function 00C7A473 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C7A844), ref: 00C7A782

Strings

NAME, xrefs: 00C7A5B4
TEXT, xrefs: 00C7A6B9
CLASS, xrefs: 00C7A501
REGEXPCLASS, xrefs: 00C7A547
INSTANCE, xrefs: 00C7A690
CLASSNN, xrefs: 00C7A524

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: f85636783d966e32d11b8c576d085bd7c348cb79780fca127e913f9469e42dee
Instruction ID: 202ebe67cb76c6f297d38e5d5a98f67c0ff4bef0f47f7f18e3e6eff9ea8a2ba8
Opcode Fuzzy Hash: f85636783d966e32d11b8c576d085bd7c348cb79780fca127e913f9469e42dee
Instruction Fuzzy Hash: E9919271A00505EBCB08DF60C4D2BEDFBB4BF44304F54C119E96DA7291DB306A99DB92

Function 00C22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C22EAE

Part of subcall function 00C21DB3: GetClientRect.USER32(?,?), ref: 00C21DDC
Part of subcall function 00C21DB3: GetWindowRect.USER32(?,?), ref: 00C21E1D
Part of subcall function 00C21DB3: ScreenToClient.USER32(?,?), ref: 00C21E45

GetDC.USER32 ref: 00C5CEB2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C5CEC5
SelectObject.GDI32(00000000,00000000), ref: 00C5CED3
SelectObject.GDI32(00000000,00000000), ref: 00C5CEE8
ReleaseDC.USER32(?,00000000), ref: 00C5CEF0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C5CF7B

Strings

U, xrefs: 00C5CE50

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 07157bdf18256a90d1703c743d3d4be785cece3c22b3f16b2b335605c4db3266
Instruction ID: 09df720f63f6626eac201caa513d34bd28a5e7f9babb2a97f67ae47231fe0e69
Opcode Fuzzy Hash: 07157bdf18256a90d1703c743d3d4be785cece3c22b3f16b2b335605c4db3266
Instruction Fuzzy Hash: 6771CF34400305EFCF218FA4D8C5AAA7BB6FF49326F144269FD655A2A6C7308D95EF60

Function 00C91B2B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C91B66
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C91B92
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C91BD4
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C91BE9
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C91BF6
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C91C26
InternetCloseHandle.WININET(00000000), ref: 00C91C6D

Part of subcall function 00C92599: GetLastError.KERNEL32(?,?,00C9192D,00000000,00000000,00000001), ref: 00C925AE
Part of subcall function 00C92599: SetEvent.KERNEL32(?,?,00C9192D,00000000,00000000,00000001), ref: 00C925C3

Strings

, xrefs: 00C91C17

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 315b3ee4d4a1e8e739dbe0f4ef31da8978bdf226fe0db93736cfb4229e108946
Instruction ID: 31e4519b084f15979f8b42f99c678784d19cc73476772741c40434e9a6d94cc2
Opcode Fuzzy Hash: 315b3ee4d4a1e8e739dbe0f4ef31da8978bdf226fe0db93736cfb4229e108946
Instruction Fuzzy Hash: 98416CB1540219BFEF118F90CC8AFBF7BACEB09354F04412AFE159A141E7709E459BA0

Function 00C98D5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CAF910), ref: 00C98E3D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CAF910), ref: 00C98E71
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C98FEB
SysFreeString.OLEAUT32(?), ref: 00C99015

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 69af2e2dc8d191a20c886a200dc0f18ace1b0a0f4af0a1c7514340c09a40c005
Instruction ID: 1c313d3b1976987dee63003052f61bf9705126e04803f89e422257abd42e8820
Opcode Fuzzy Hash: 69af2e2dc8d191a20c886a200dc0f18ace1b0a0f4af0a1c7514340c09a40c005
Instruction Fuzzy Hash: 65F14D71A00109EFCF14DF98C888EAEB7B9FF49315F108499F916AB251DB31AE46CB50

Function 00C9F7A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F7C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F95C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F9C0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F9E2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9FB5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C9FB90
CloseHandle.KERNEL32(?), ref: 00C9FBBF
CloseHandle.KERNEL32(?), ref: 00C9FC36

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 73b52e2c0d597e15ff8f884237eb5ed3aaeb12a4787a6ca176b701df1d1a9cb7
Instruction ID: f35e5239e9a798bb104b4b1c3e12efab80fdef8da5db37567bda55186fd3dbec
Opcode Fuzzy Hash: 73b52e2c0d597e15ff8f884237eb5ed3aaeb12a4787a6ca176b701df1d1a9cb7
Instruction Fuzzy Hash: 8FE1BF31604201DFDB14EF24C885B6ABBE0BF85314F14896DF89A8B2A2DB31DD46DB52

Function 00C84D68 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C846AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C836DB,?), ref: 00C846CC

Part of subcall function 00C846AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C836DB,?), ref: 00C846E5

Part of subcall function 00C84AD8: GetFileAttributesW.KERNEL32(?,00C8374F), ref: 00C84AD9

lstrcmpiW.KERNEL32(?,?), ref: 00C84DE7
_wcscmp.LIBCMT ref: 00C84E01
MoveFileW.KERNEL32(?,?), ref: 00C84E1C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 5eb542eb040f7ecde8387a585a3c8e872120637295fb92a027a107cd48a7f46e
Instruction ID: a3467e4d386e4a4d66690d71ea70ae1e59dbce849c1e9c4fb8def9130bab9b4a
Opcode Fuzzy Hash: 5eb542eb040f7ecde8387a585a3c8e872120637295fb92a027a107cd48a7f46e
Instruction Fuzzy Hash: E35165B24083859BC724EB90D8819DFB7ECAF85304F40092EF695D3151EF74A68CD75A

Function 00CA8677 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CA8731

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 8f9c5ed062f9603962c3109c08055b11a4b5a6dd6b1591962f7b8b9604912c50
Instruction ID: 5216f3523925316d491d2777144464829c855190bff7ebfba9938f4147ff2145
Opcode Fuzzy Hash: 8f9c5ed062f9603962c3109c08055b11a4b5a6dd6b1591962f7b8b9604912c50
Instruction Fuzzy Hash: F951D370500216BFEF209B69CC89B9D7B64EB07318F604125FA25EA1E1CF75EA88DB50

Function 00C22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C5C477
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C5C499
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C5C4B1
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C5C4CF
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C5C4F0
DestroyIcon.USER32(00000000), ref: 00C5C4FF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C5C51C
DestroyIcon.USER32(?), ref: 00C5C52B

Part of subcall function 00CAA4E1: DeleteObject.GDI32(00000000), ref: 00CAA51A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: aeb902b39a7144539924ad7aae20f2cd5177ab6904a91d93c56c934b423e2fb4
Instruction ID: 91e45941f28a44921d9e10e6ea2eb039247df8f42884ed5c206d0d5bd5f7a520
Opcode Fuzzy Hash: aeb902b39a7144539924ad7aae20f2cd5177ab6904a91d93c56c934b423e2fb4
Instruction Fuzzy Hash: 34518974600319EFDB20DF65EC85FAE37B5EB58315F100528F912A76A0DB70AE81EB50

Function 00C79930 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7AC37: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7AC57
Part of subcall function 00C7AC37: GetCurrentThreadId.KERNEL32 ref: 00C7AC5E
Part of subcall function 00C7AC37: AttachThreadInput.USER32(00000000,?,00C79945,?,00000001), ref: 00C7AC65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C79950
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C7996D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C79970
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C79979
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C79997
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C7999A
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C799A3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C799BA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C799BD

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f412097c793126717c5928e681b0f454200ffd737de5d470bece93d43fd785f6
Instruction ID: bb6d4aa38f7bdc0d1f5fc46d313ef0ec00d873c6ee6a46e9c2717fedc9336ced
Opcode Fuzzy Hash: f412097c793126717c5928e681b0f454200ffd737de5d470bece93d43fd785f6
Instruction Fuzzy Hash: AF11CE71550218BEF6106BA1CC8AF6E7A2DEB4E759F100429F348AB0A0C9F25C129AA4

Function 00C78BE3 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C78864,00000B00,?,?), ref: 00C78BEC
HeapAlloc.KERNEL32(00000000,?,00C78864,00000B00,?,?), ref: 00C78BF3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C78864,00000B00,?,?), ref: 00C78C08
GetCurrentProcess.KERNEL32(?,00000000,?,00C78864,00000B00,?,?), ref: 00C78C10
DuplicateHandle.KERNEL32(00000000,?,00C78864,00000B00,?,?), ref: 00C78C13
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C78864,00000B00,?,?), ref: 00C78C23
GetCurrentProcess.KERNEL32(00C78864,00000000,?,00C78864,00000B00,?,?), ref: 00C78C2B
DuplicateHandle.KERNEL32(00000000,?,00C78864,00000B00,?,?), ref: 00C78C2E
CreateThread.KERNEL32(00000000,00000000,00C78C54,00000000,00000000,00000000), ref: 00C78C48

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 228b43b8e362cf110993a6e8116c1877b8bd0b9100d49ffb4b8bef8b3d1d89e4
Instruction ID: 3426dc1506e09a7597ccc192efdc59d7f91b60f9acf485165ce9f0efa82bf332
Opcode Fuzzy Hash: 228b43b8e362cf110993a6e8116c1877b8bd0b9100d49ffb4b8bef8b3d1d89e4
Instruction Fuzzy Hash: 2601A8B5240348FFE660ABA5DC4DFAF3BACEB89715F104425FB05DB1A1DA7098058A20

Function 00C99C38 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00C99CB9, 00C99FDD
Not an Object type, xrefs: 00C99C90

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c3bb56b9cb8da02fd31700687bd5e178b0ea9ee2b2c8ec2569955dcae1f96005
Instruction ID: b3f92d04759905c234a9cb56aebbb3d7e27a68e2a55c5fd082f5c4cc8fcf488c
Opcode Fuzzy Hash: c3bb56b9cb8da02fd31700687bd5e178b0ea9ee2b2c8ec2569955dcae1f96005
Instruction Fuzzy Hash: A7C17271A002199FDF14DFACC889BAEB7B5FB48314F14846DE919EB281E7709E45CB60

Function 00C99228 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9927C
VariantInit.OLEAUT32(?), ref: 00C9934D
VariantInit.OLEAUT32(?), ref: 00C9944E
VariantClear.OLEAUT32(?), ref: 00C99458
VariantClear.OLEAUT32(?), ref: 00C994B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C992DD, 00C9940B, 00C994C3
Incorrect Object type in FOR..IN loop, xrefs: 00C99431

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 6c0eda1a464724f70bb91fc5683e04d4660b7b70939e003174c7c4e06038c451
Instruction ID: f5cc909e0dcbc1cf6d843730ce879005a4ccd8af5dfb13f817bcf98f3c12d9b0
Opcode Fuzzy Hash: 6c0eda1a464724f70bb91fc5683e04d4660b7b70939e003174c7c4e06038c451
Instruction Fuzzy Hash: 6F91BE71A00219ABDF21DFA9C848FAEBBB8FF45710F10855DF515AB290D7709A46CFA0

Function 00C99872 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C77432: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?,?,00C7777D), ref: 00C7744F
Part of subcall function 00C77432: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?), ref: 00C7746A
Part of subcall function 00C77432: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?), ref: 00C77478
Part of subcall function 00C77432: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?), ref: 00C77488

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C9991B
_memset.LIBCMT ref: 00C99928
_memset.LIBCMT ref: 00C99A6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C99A97
CoTaskMemFree.OLE32(?), ref: 00C99AA2

Strings

NULL Pointer assignment, xrefs: 00C99AF0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 6e3741327d7cd9d9b77471fa2427b87a800c13b36faba5c8b339fcb1390b9274
Instruction ID: c87148d54f6125eb0d6c0f911cddf93120a1a8b317b0aab23abbfda73a11c7dd
Opcode Fuzzy Hash: 6e3741327d7cd9d9b77471fa2427b87a800c13b36faba5c8b339fcb1390b9274
Instruction Fuzzy Hash: C3913771D00229EBDF20DFA5DC85ADEBBB8EF08710F10415AF419A7281DB719A45DFA0

Function 00CA6DB2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA6E56
SendMessageW.USER32(?,00001036,00000000,?), ref: 00CA6E6A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA6E84
_wcscat.LIBCMT ref: 00CA6EDF
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA6EF6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA6F24

Strings

SysListView32, xrefs: 00CA6E28

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: ae50bfe608023a4bbf03331b6d0c5ab1965d07c72c37fdc8de4573b02139c521
Instruction ID: c957ca822cf52e59da21b1263faed8ba3cfd1e6266b2aced7f7e64ee38426d83
Opcode Fuzzy Hash: ae50bfe608023a4bbf03331b6d0c5ab1965d07c72c37fdc8de4573b02139c521
Instruction Fuzzy Hash: 8341A174A00349AFEB219FA4CC89BEE77F8EF09358F14042AF554E7291D2729D848B64

Function 00C9EA47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C83C99: CreateToolhelp32Snapshot.KERNEL32 ref: 00C83CBE
Part of subcall function 00C83C99: Process32FirstW.KERNEL32(00000000,?), ref: 00C83CCC
Part of subcall function 00C83C99: CloseHandle.KERNEL32(00000000), ref: 00C83D96

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9EAB8
GetLastError.KERNEL32 ref: 00C9EACB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9EAFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9EB77
GetLastError.KERNEL32(00000000), ref: 00C9EB82
CloseHandle.KERNEL32(00000000), ref: 00C9EBB7

Strings

SeDebugPrivilege, xrefs: 00C9EAD6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ca2310a576d8d6b9b6b561ed76c1a650822a84d43b7430b2b78889044250204b
Instruction ID: bb3c1b02cce67eb4ac91556c5a8ae43b5a16cffced331a05d2a89229ce2382a2
Opcode Fuzzy Hash: ca2310a576d8d6b9b6b561ed76c1a650822a84d43b7430b2b78889044250204b
Instruction Fuzzy Hash: B541BD306002119FDB14EF54CC9AF6DB7A1EF54714F08845CF9469B2D2CBB5A905EB8A

Function 00C8302E Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C830CD

Strings

stop, xrefs: 00C8309E
blank, xrefs: 00C8304F
question, xrefs: 00C83086
info, xrefs: 00C8306E
warning, xrefs: 00C830B6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fbcfc398796a0f7378d6b23c3282c58f6c1fcd89301d63325e9dfe2aabb058c9
Instruction ID: 6b2120b2d79af0f2aa806e573a4db2eaf5aab7f456dc50bb095c6ec2462a1896
Opcode Fuzzy Hash: fbcfc398796a0f7378d6b23c3282c58f6c1fcd89301d63325e9dfe2aabb058c9
Instruction Fuzzy Hash: 7111EB35608387BAE720BA55EC42D6A779C9F05B28F10002BFA10962C2EFB55F4157A9

Function 00C84339 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C84353
LoadStringW.USER32(00000000), ref: 00C8435A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C84370
LoadStringW.USER32(00000000), ref: 00C84377
_wprintf.LIBCMT ref: 00C8439D
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C843BB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C84398

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 80f907ab894573a9f09e015fd49deb0ad02210ddd7db4dded924637dbdd818bb
Instruction ID: 34e1bd44a388057a4d689f8d11ef14a6363012674199a7af1b9a234444f9a8d4
Opcode Fuzzy Hash: 80f907ab894573a9f09e015fd49deb0ad02210ddd7db4dded924637dbdd818bb
Instruction Fuzzy Hash: 04014FF2940208BFE751ABE09D89FEA776CD709305F0005A9B705E3051EA749E864B74

Function 00CAD4A8 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetSystemMetrics.USER32(0000000F), ref: 00CAD4E6
GetSystemMetrics.USER32(0000000F), ref: 00CAD506
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CAD741
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CAD75F
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CAD780
ShowWindow.USER32(00000003,00000000), ref: 00CAD79F
InvalidateRect.USER32(?,00000000,00000001), ref: 00CAD7C4
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CAD7E7

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d1551562aa8ff8d8e776fac13b926ecefd69a1a7fe4dcb42c28536a3469389e3
Instruction ID: c0970d2de103bc89c044a71fbd6c054f29f23d784375a3f9f3b32cfca72ebfaa
Opcode Fuzzy Hash: d1551562aa8ff8d8e776fac13b926ecefd69a1a7fe4dcb42c28536a3469389e3
Instruction Fuzzy Hash: C8B19C7550021AEFDF18CF68C9C97AD7BB1BF05708F088069EC5ADBA99D730AA50CB50

Function 00C9FD9C Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00CA0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FE38,?,?), ref: 00CA0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9FE79

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 1ec3e4366f14c14b8dda6b9dd523a99748ab8c2754286b21981061ef7a021dc1
Instruction ID: ed4c80f4b9e7256d078084c0464d9b4b341603335dab0cd00512baa749b214be
Opcode Fuzzy Hash: 1ec3e4366f14c14b8dda6b9dd523a99748ab8c2754286b21981061ef7a021dc1
Instruction Fuzzy Hash: 71A18C316042029FCB10EF54C885B6EB7E5FF85358F14881CF9968B2A2DB71E945EF82

Function 00C22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C5C347,00000004,00000000,00000000,00000000), ref: 00C22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C5C347,00000004,00000000,00000000,00000000,000000FF), ref: 00C22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C5C347,00000004,00000000,00000000,00000000), ref: 00C5C39A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C5C347,00000004,00000000,00000000,00000000), ref: 00C5C406

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c6c48db6c77dc499fa33c3ad23d8310d3432de6b93a8f3b1991bce820883baf6
Instruction ID: eaaf9346e9fe5d9e194c0b7481cb4cbdcbc61de83ae8b96001fc015a6c723373
Opcode Fuzzy Hash: c6c48db6c77dc499fa33c3ad23d8310d3432de6b93a8f3b1991bce820883baf6
Instruction Fuzzy Hash: 7C41F835204790FFC7358B29ACC87AE7B92AB45304F18C82DE56787D70C6759986F714

Function 00C8716F Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C87186

Part of subcall function 00C40F36: std::exception::exception.LIBCMT ref: 00C40F6C
Part of subcall function 00C40F36: __CxxThrowException@8.LIBCMT ref: 00C40F81

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C871BD
EnterCriticalSection.KERNEL32(?), ref: 00C871D9
_memmove.LIBCMT ref: 00C87227
_memmove.LIBCMT ref: 00C87244
LeaveCriticalSection.KERNEL32(?), ref: 00C87253
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C87268
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C87287

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 56f9759d52cd5686cb693c6b082784e65f2d16b3f4321a2cebcc780439b2b3a2
Instruction ID: 94f8363e6b52951155c1893865a92979a4b0683ecb234db76ad9701a526db2f5
Opcode Fuzzy Hash: 56f9759d52cd5686cb693c6b082784e65f2d16b3f4321a2cebcc780439b2b3a2
Instruction Fuzzy Hash: 85317E31904205EBDB20EFA4DC85BAE7778FF45314B2441B9F904AB256E730DE15DBA4

Function 00CA6205 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA621D
GetDC.USER32(00000000), ref: 00CA6225
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA6230
ReleaseDC.USER32(00000000,00000000), ref: 00CA623C
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CA6278
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA6289
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CA905C,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA62C3
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA62E3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ff53634c88da90fbd75c4f38cb9fc86f0e39677e887beeceeaba672c080da56e
Instruction ID: ac18dc525ef188ddfa0be3f1d79f687ec3c7119f24d5aa483fa7a32355562534
Opcode Fuzzy Hash: ff53634c88da90fbd75c4f38cb9fc86f0e39677e887beeceeaba672c080da56e
Instruction Fuzzy Hash: 90316F721411147FEB114F50DC49FEA3FA9EF4A759F080169FE08DA191C6759D42CBA4

Function 00C8EBAF Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

Part of subcall function 00C3FE06: _wcscpy.LIBCMT ref: 00C3FE29

_wcstok.LIBCMT ref: 00C8ED20
_wcscpy.LIBCMT ref: 00C8EDAF
_memset.LIBCMT ref: 00C8EDE2

Strings

X, xrefs: 00C8EE1F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0421c653091054de79586f7b8d4b099c2b31b30aa5fefbd040007395c7b2decb
Instruction ID: 3c9399b876099e1fc12772439339f2ff65c9fad09bcd133471e0eb418cf65060
Opcode Fuzzy Hash: 0421c653091054de79586f7b8d4b099c2b31b30aa5fefbd040007395c7b2decb
Instruction Fuzzy Hash: 4DC1AE316083109FD724FF64D885A6AB7E0FF84314F10492DF9999B6A2DB30ED49DB82

Function 00C21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced779c9e1ab8f3031efda8986c1cc25f2782f63e621e22c1e526acbca98becc
Instruction ID: 6a5fd0871df28c0563a550cbc86314033b2045dd94c796933259e178627aaf4c
Opcode Fuzzy Hash: ced779c9e1ab8f3031efda8986c1cc25f2782f63e621e22c1e526acbca98becc
Instruction Fuzzy Hash: DC71AC34900119EFCB04DF99DC88ABEBBB9FF85314F188159F915AB251C734AA51CFA4

Function 00C96C8C Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef262e4605f5f22fbde87219dcca59d8df275b39d904d798dc6e99d70b1ff641
Instruction ID: 22b99a3ff330d6a7cb4aff2c2628c4ec37c722820c3e51377e46477ac7629c5e
Opcode Fuzzy Hash: ef262e4605f5f22fbde87219dcca59d8df275b39d904d798dc6e99d70b1ff641
Instruction Fuzzy Hash: AC61AA35508310ABDB10EB24DC8AF6FB7E9EB84714F104A1DF556972E2DA30EE05DB92

Function 00CAB385 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01535938), ref: 00CAB41F
IsWindowEnabled.USER32(01535938), ref: 00CAB42B
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CAB50F
SendMessageW.USER32(01535938,000000B0,?,?), ref: 00CAB546
IsDlgButtonChecked.USER32(?,?), ref: 00CAB583
GetWindowLongW.USER32(01535938,000000EC), ref: 00CAB5A5
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CAB5BD

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5d9f7feeff3bdb78b7c334b073ac096f1f60e52adb92b6ce5876c28c5f620ea0
Instruction ID: e1d6dab3f1778f4233e0e087f3b9684635f06cf6ee83da49501d891dc3f5dd79
Opcode Fuzzy Hash: 5d9f7feeff3bdb78b7c334b073ac096f1f60e52adb92b6ce5876c28c5f620ea0
Instruction Fuzzy Hash: FF71AE34A01606EFDF209F65C894FAA7BB9FF0A308F144069F965972A3C731AE51DB50

Function 00C9F532 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F55C
_memset.LIBCMT ref: 00C9F625
ShellExecuteExW.SHELL32(?), ref: 00C9F66A

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

Part of subcall function 00C3FE06: _wcscpy.LIBCMT ref: 00C3FE29

GetProcessId.KERNEL32(00000000), ref: 00C9F6E1
CloseHandle.KERNEL32(00000000), ref: 00C9F710

Strings

@, xrefs: 00C9F639

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 2cf7e483fe16118ddb740386eb176a505ee542e15cd27f799dd62a520dc8228b
Instruction ID: a26f64e2da847c4a913c6d653d61263a62c8aa4272b66078df2592a4aa162d03
Opcode Fuzzy Hash: 2cf7e483fe16118ddb740386eb176a505ee542e15cd27f799dd62a520dc8228b
Instruction Fuzzy Hash: 8261AE75A00629DFCF14EF94D4859ADBBB0FF48310F14846DE85AAB761CB30AE42DB90

Function 00C8127E Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C812BD
GetKeyboardState.USER32(?), ref: 00C812D2
SetKeyboardState.USER32(?), ref: 00C81333
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C81361
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C81380
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C813C6
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C813E9

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7dcec026582d1b23d4b269c10f4c299a7bf99b370b5b1778b86a6ea954031ad0
Instruction ID: a8389972a1bd27f12b091c08d418d41a7602c4159859fee992f22bba32fcefe8
Opcode Fuzzy Hash: 7dcec026582d1b23d4b269c10f4c299a7bf99b370b5b1778b86a6ea954031ad0
Instruction Fuzzy Hash: 675106A09047D13EFB3662348C45BBA7EED5F46308F0C4589E8E5468D2C2E8DEC6D754

Function 00C81097 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C810D6
GetKeyboardState.USER32(?), ref: 00C810EB
SetKeyboardState.USER32(?), ref: 00C8114C
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C81178
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C81195
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C811D9
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C811FA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8bbf87fb1398d9fb8effe808c64683764a3de23f4afdba3bb2e33391a0ad1dd6
Instruction ID: 00228a754a84f522020df39009449b46c7f1c82aa0694389d7a85cc46d86104e
Opcode Fuzzy Hash: 8bbf87fb1398d9fb8effe808c64683764a3de23f4afdba3bb2e33391a0ad1dd6
Instruction Fuzzy Hash: 1C5119A05047D53DFB32A7648C45F7A7EED5B06308F0C458DE9E5468C2C294ED86E758

Function 00C856A4 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C856B1
_wcsncpy.LIBCMT ref: 00C856E6
_wcsncpy.LIBCMT ref: 00C85718
_wcsncpy.LIBCMT ref: 00C8574B
_wcsncpy.LIBCMT ref: 00C8578D
_wcsncpy.LIBCMT ref: 00C857C7
_wcsncpy.LIBCMT ref: 00C857F6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 03e25f79bd7a94100c1b2d1efee6284689ec22131389217a7b8d2b4a3dcdce93
Instruction ID: 370f0edf35ad95cb578a9d0824d0660f206a118ab4b3cb2b639e1b6464bf227c
Opcode Fuzzy Hash: 03e25f79bd7a94100c1b2d1efee6284689ec22131389217a7b8d2b4a3dcdce93
Instruction Fuzzy Hash: 2841E1A6C2061479CB11FBB49C86ACFB7B8BF45310F608466F958E3121E678A305D3E9

Function 00C836B5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C846AF: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C836DB,?), ref: 00C846CC

Part of subcall function 00C846AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C836DB,?), ref: 00C846E5

lstrcmpiW.KERNEL32(?,?), ref: 00C836FB
_wcscmp.LIBCMT ref: 00C83717
MoveFileW.KERNEL32(?,?), ref: 00C8372F
_wcscat.LIBCMT ref: 00C83777
SHFileOperationW.SHELL32(?), ref: 00C837E3

Strings

\*.*, xrefs: 00C83771

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d2b9108a545a1605c0e2674be1b52121452e973ebeec2e4d4e9a6524c8eeb69f
Instruction ID: dcfb1d28aa4bb86804e6bc867c94c1fe9c6f374df7d27e2098ef8185fb4aa37c
Opcode Fuzzy Hash: d2b9108a545a1605c0e2674be1b52121452e973ebeec2e4d4e9a6524c8eeb69f
Instruction Fuzzy Hash: AC41EFB2408385AEC715FF64C441ADFB7E8EF88744F40192EB49AC7151EA34D788C75A

Function 00CA72C3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA72DC
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA7383
IsMenu.USER32(?), ref: 00CA739B
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA73E3
DrawMenuBar.USER32 ref: 00CA73F6

Strings

0, xrefs: 00CA72D0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: a3319820cedaac72469348b92ab3e26e939d342a5804ed53bcd6406650cd74fd
Instruction ID: a35905301b4ba34c14fedfb7b0f3ce5d98a6e8aa9470dbd25475ef50994689df
Opcode Fuzzy Hash: a3319820cedaac72469348b92ab3e26e939d342a5804ed53bcd6406650cd74fd
Instruction Fuzzy Hash: 4C412C75A05209EFDF20DF90D884E9ABBF8FB0A318F048129ED5697260D734AE51DF90

Function 00CA102D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CA105C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA1086
FreeLibrary.KERNEL32(00000000), ref: 00CA113D

Part of subcall function 00CA102D: RegCloseKey.ADVAPI32(?), ref: 00CA10A3
Part of subcall function 00CA102D: FreeLibrary.KERNEL32(?), ref: 00CA10F5
Part of subcall function 00CA102D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CA1118

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CA10E0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 37094e09a64fa7925911691fedc52edea2385d54c1ce25b1848616c94f0470dc
Instruction ID: b77cc145dc4f12c5734d41cd15618842e7b025041c9eced63519420bffdc433f
Opcode Fuzzy Hash: 37094e09a64fa7925911691fedc52edea2385d54c1ce25b1848616c94f0470dc
Instruction Fuzzy Hash: DA312FB191110ABFDB149BD0DC89EFFB7BCEF0A344F040169EA12A2151DA745F859BA4

Function 00CA62FF Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CA631E
GetWindowLongW.USER32(01535938,000000F0), ref: 00CA6351
GetWindowLongW.USER32(01535938,000000F0), ref: 00CA6386
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CA63B8
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CA63E2
GetWindowLongW.USER32(?,000000F0), ref: 00CA63F3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA640D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: beba774cd2cafe9052273d856ef3eb1505bd37a538a9aad889fc999a9af2bd41
Instruction ID: e5f79d6570a028e5371c4c4b84a189232b769127dabe525bea773ad3f2cc6eff
Opcode Fuzzy Hash: beba774cd2cafe9052273d856ef3eb1505bd37a538a9aad889fc999a9af2bd41
Instruction Fuzzy Hash: 1D311135645242AFDB21CF58DC84F5937E1FB4A328F1801A8F5218F2B2CB72A942DB51

Function 00C7DDFA Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7DE3D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7DE63
SysAllocString.OLEAUT32(00000000), ref: 00C7DE66
SysAllocString.OLEAUT32(?), ref: 00C7DE84
SysFreeString.OLEAUT32(?), ref: 00C7DE8D
StringFromGUID2.OLE32(?,?,00000028), ref: 00C7DEB2
SysAllocString.OLEAUT32(?), ref: 00C7DEC0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 26d9bbddab65a19e41c6703eaab7966cf4b60b09fd3fe77632edcac469d769de
Instruction ID: 83dbae19dcfe82dbdb49442bc8723976c17f8d9acf789f3959d6ac28f3c1a194
Opcode Fuzzy Hash: 26d9bbddab65a19e41c6703eaab7966cf4b60b09fd3fe77632edcac469d769de
Instruction Fuzzy Hash: 42218372600219AF9B119FB8DC88DBF77ACEF19364B108529FA19DB150D6709D418B60

Function 00C96289 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97EA0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C97ECB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C962DC
WSAGetLastError.WSOCK32(00000000), ref: 00C962EB
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C96324
connect.WSOCK32(00000000,?,00000010), ref: 00C9632D
WSAGetLastError.WSOCK32 ref: 00C96337
closesocket.WSOCK32(00000000), ref: 00C96360
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C96379

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5accfc5e42dd2fada0d8c5d76b916bb2e1adc4aa70964b92bffae82fc3ba4694
Instruction ID: 90ca0c5d2725b9316d3c95accf18d4222861d1aef8f12adda34a552735c7b20d
Opcode Fuzzy Hash: 5accfc5e42dd2fada0d8c5d76b916bb2e1adc4aa70964b92bffae82fc3ba4694
Instruction Fuzzy Hash: C831E231600618AFDF10AF60CC89BBE7BA9FB45724F00806DF91AD72D1DB74AD059BA1

Function 00C7F98F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7F9A2
__wcsnicmp.LIBCMT ref: 00C7F9C3
__wcsnicmp.LIBCMT ref: 00C7F9DD

Strings

#OnAutoItStartRegister, xrefs: 00C7F9D7
#requireadmin, xrefs: 00C7F9BD
#notrayicon, xrefs: 00C7F99A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 67326a2a509da3794cc827ec825bdeac09c105f7ea3617389cc709dbe3f7ce30
Instruction ID: c78289c17758f94827ef6d8cfa18216897707f56006dbe09af300d16ec2aa7c2
Opcode Fuzzy Hash: 67326a2a509da3794cc827ec825bdeac09c105f7ea3617389cc709dbe3f7ce30
Instruction Fuzzy Hash: 7F213E3251C51176D331AA259C82FB77398EFA5320F50C03DF99D87181EB915E43F295

Function 00CA75FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CA7664
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CA7671
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CA767C
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CA768B
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CA7697

Strings

Msctls_Progress32, xrefs: 00CA7635

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8b6712c2ddec3012b1ddf603c9bc625d869a59bb11b30f97aed0a1b8923b8475
Instruction ID: ec6a149eec7ced38514ccf74ebb6020415035fbf7d8f37eb88b94f59a4f640f4
Opcode Fuzzy Hash: 8b6712c2ddec3012b1ddf603c9bc625d869a59bb11b30f97aed0a1b8923b8475
Instruction Fuzzy Hash: 5C11B2B255021EBFEF159F64CC85EEB7F6DEF09758F014215BA04A6090C672AC21DBA0

Function 00C49C66 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00C49C66

Part of subcall function 00C43307: EncodePointer.KERNEL32(00000000), ref: 00C4330A
Part of subcall function 00C43307: __initp_misc_winsig.LIBCMT ref: 00C43325
Part of subcall function 00C43307: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C4A020
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C4A034
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C4A047
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C4A05A
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C4A06D
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C4A080
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C4A093
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C4A0A6
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C4A0B9
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C4A0CC
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C4A0DF
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C4A0F2
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C4A105
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C4A118
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C4A12B
Part of subcall function 00C43307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C4A13E

__mtinitlocks.LIBCMT ref: 00C49C6B
__mtterm.LIBCMT ref: 00C49C74

Part of subcall function 00C49CDC: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C49C79,00C47E4D,00CDA0B8,00000014), ref: 00C49DD6
Part of subcall function 00C49CDC: _free.LIBCMT ref: 00C49DDD
Part of subcall function 00C49CDC: DeleteCriticalSection.KERNEL32(00CDEC00,?,?,00C49C79,00C47E4D,00CDA0B8,00000014), ref: 00C49DFF

__calloc_crt.LIBCMT ref: 00C49C99
__initptd.LIBCMT ref: 00C49CBB
GetCurrentThreadId.KERNEL32 ref: 00C49CC2

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 8505d93b1a240d4f35a19413c4b6a726db30932cc363352fcc65b9820d07c6da
Instruction ID: 3f24d47659c7ad35d6587dcbb2636ee898ce8dbb25f3f9e5bd1ae655bc2f8da6
Opcode Fuzzy Hash: 8505d93b1a240d4f35a19413c4b6a726db30932cc363352fcc65b9820d07c6da
Instruction Fuzzy Hash: 01F0903254AB3219E6747B74BC0778B2AD4FB02734B20072AF464C90E2EF3089415190

Function 00C44109 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C441D2,?), ref: 00C44123
GetProcAddress.KERNEL32(00000000), ref: 00C4412A
EncodePointer.KERNEL32(00000000), ref: 00C44136
DecodePointer.KERNEL32(00000001,00C441D2,?), ref: 00C44153

Strings

combase.dll, xrefs: 00C4411E
RoInitialize, xrefs: 00C44112

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 2b8fd1561d88b2a2cd13b3df0adf3c874b29f054e58f6cc745ce3ae8fbd81e14
Instruction ID: ba502bc8d82b90aead038d542f45fe9a2e69fe3a05d41ad0a2672e0e655a6c75
Opcode Fuzzy Hash: 2b8fd1561d88b2a2cd13b3df0adf3c874b29f054e58f6cc745ce3ae8fbd81e14
Instruction Fuzzy Hash: 29E0E570690380AEEF116BB0EC8DB5C3AA5B756B0BF90883CB512DB0A0DAB552819A00

Function 00C441DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C440F8), ref: 00C441F8
GetProcAddress.KERNEL32(00000000), ref: 00C441FF
EncodePointer.KERNEL32(00000000), ref: 00C4420A
DecodePointer.KERNEL32(00C440F8), ref: 00C44225

Strings

combase.dll, xrefs: 00C441F3
RoUninitialize, xrefs: 00C441E7

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: d26e9539c2c9bed80d40ec18e63ffb229457c081da5cb500c8161e0284023db8
Instruction ID: 6437eeee60462b39b1d740309dcde44d06a27d447937cad8375071ee61fc5acb
Opcode Fuzzy Hash: d26e9539c2c9bed80d40ec18e63ffb229457c081da5cb500c8161e0284023db8
Instruction Fuzzy Hash: 02E09270681280ABEB20ABA2EC4DB4D3AA4B70574AF20452CF111EB0E0CBB65601DA10

Function 00C21DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C21DDC
GetWindowRect.USER32(?,?), ref: 00C21E1D
ScreenToClient.USER32(?,?), ref: 00C21E45
GetClientRect.USER32(?,?), ref: 00C21F74
GetWindowRect.USER32(?,?), ref: 00C21F8D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c50a7ad1445d1356059d5419739c33fc7c50084f0b6c8fdfc543a26599c04144
Instruction ID: 09807b38a047d9bc29fc2c171d26dfc4a6f5d3af0ee8e459fe444b5a10a56b7d
Opcode Fuzzy Hash: c50a7ad1445d1356059d5419739c33fc7c50084f0b6c8fdfc543a26599c04144
Instruction Fuzzy Hash: 8AB15A7990024ADBDF10CFA9C5847EEBBB1FF18314F188529EC69AB654DB30AE41CB54

Function 00C86561 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C866B4
_memmove.LIBCMT ref: 00C865EF

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

_memmove.LIBCMT ref: 00C86662
_memmove.LIBCMT ref: 00C86749
_memmove.LIBCMT ref: 00C86762
_memmove.LIBCMT ref: 00C8677E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ccb08acc44b68a1f1266914d2e7fe0522d9f1233f51541ceaad95578b7b79f9e
Instruction ID: 0d26776bae3125f609bed06bfcfe488ce0e32873d63727d411f9a6853c98f097
Opcode Fuzzy Hash: ccb08acc44b68a1f1266914d2e7fe0522d9f1233f51541ceaad95578b7b79f9e
Instruction Fuzzy Hash: F161BE3050066A9BDF11FF60DC82EFE37A4BF44318F044928F95A5B192EB35AD05EB94

Function 00CA026F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00CA0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FE38,?,?), ref: 00CA0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0348
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA0388
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CA03AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CA03D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CA0417
RegCloseKey.ADVAPI32(00000000), ref: 00CA0424

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d05a33ecd25353fbe762f63bba8ac1379498e7c32f401eab87246bff08cd5de2
Instruction ID: 9b7addd3aabcab773984f3ca86557fadadd58007195bbf451492f29e1c3c187f
Opcode Fuzzy Hash: d05a33ecd25353fbe762f63bba8ac1379498e7c32f401eab87246bff08cd5de2
Instruction Fuzzy Hash: 94519831208201AFDB10EF64D885E6FBBE8FF8A358F14492DF595872A1DB31E905DB52

Function 00CA5802 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CA5864
GetMenuItemCount.USER32(00000000), ref: 00CA589B
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA58C3
GetMenuItemID.USER32(?,?), ref: 00CA5932
GetSubMenu.USER32(?,?), ref: 00CA5940
PostMessageW.USER32(?,00000111,?,00000000), ref: 00CA5991

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: b742dbe9a0b22cada954db0e304fc138bc7099bde003083f82f50e3d8bdfabab
Instruction ID: 9ad4024ef0bf19fbff80e634856e0e39114fa2a71fea0ea66a56c1b0f0e9fa15
Opcode Fuzzy Hash: b742dbe9a0b22cada954db0e304fc138bc7099bde003083f82f50e3d8bdfabab
Instruction Fuzzy Hash: 8B51A031E00616EFCF11EFA4C845AAEB7B4EF49324F108069E955BB351DB70AE42DB90

Function 00C7F1FE Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C7F218
VariantClear.OLEAUT32(00000013), ref: 00C7F28A
VariantClear.OLEAUT32(00000000), ref: 00C7F2E5
_memmove.LIBCMT ref: 00C7F30F
VariantClear.OLEAUT32(?), ref: 00C7F35C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C7F38A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: cc3b57bcde7ad04db27af920723fa387442919ff96f2588630c6fcdac504744d
Instruction ID: 590214fe5496e494d5d5249c733acfdff0d5ef82817f324c4c69dc58a34e9098
Opcode Fuzzy Hash: cc3b57bcde7ad04db27af920723fa387442919ff96f2588630c6fcdac504744d
Instruction Fuzzy Hash: C55138B5A00209AFDB14CF58C884AAAB7B8FF4D314B15856DE959DB311D730EA52CBA0

Function 00C82502 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82550
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C8259B
IsMenu.USER32(00000000), ref: 00C825BB
CreatePopupMenu.USER32 ref: 00C825EF
GetMenuItemCount.USER32(000000FF), ref: 00C8264D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C8267E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e83a81441bf5050e7c72d05782179fbd8774de7dec8a2db293801b18dd9a2f16
Instruction ID: 816ab2bbc64e1b246fa214f2ec469dea486c6b15c40f364812b623850b686136
Opcode Fuzzy Hash: e83a81441bf5050e7c72d05782179fbd8774de7dec8a2db293801b18dd9a2f16
Instruction Fuzzy Hash: 1D519E70A00205DFDF20EF68D88CBADBBF4AF4531CF14426AF86197290E7709A05CB55

Function 00C21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00C2179A
GetWindowRect.USER32(?,?), ref: 00C217FE
ScreenToClient.USER32(?,?), ref: 00C2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C2182C
EndPaint.USER32(?,?), ref: 00C21876

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 329e54b3a2c78e33fbbfa00f4d180c684e619902ff4c2126f64174cd63c1fddc
Instruction ID: f50c6feeb41d30014dd29da19a0aa8813a077cd8bfdb66e66d05154064a02b15
Opcode Fuzzy Hash: 329e54b3a2c78e33fbbfa00f4d180c684e619902ff4c2126f64174cd63c1fddc
Instruction Fuzzy Hash: 6741BD30104750AFC720DF25D8C4BAA7BF8EB56728F180229FAA48B2E1C7709945DB61

Function 00CAB6D2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00CE57B0,00000000,01535938,?,?,00CE57B0,?,00CAB5DC,?,?), ref: 00CAB746
EnableWindow.USER32(?,00000000), ref: 00CAB76A
ShowWindow.USER32(00CE57B0,00000000,01535938,?,?,00CE57B0,?,00CAB5DC,?,?), ref: 00CAB7CA
ShowWindow.USER32(?,00000004,?,00CAB5DC,?,?), ref: 00CAB7DC
EnableWindow.USER32(?,00000001), ref: 00CAB800
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CAB823

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6010e1d21f41455d51c23b090015f984710f81c9830791a8538ee83f77565796
Instruction ID: 71fe4f0bd1d26bf0285cc5a57a9a21585d3a396cf1f1f7b04c68646cdd8bb4c0
Opcode Fuzzy Hash: 6010e1d21f41455d51c23b090015f984710f81c9830791a8538ee83f77565796
Instruction Fuzzy Hash: 3E414234600145EFDB22CF68C489B947BE5BB46318F1841B9E959CF2A3C771AD86CB61

Function 00C971B3 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C94F57,?,?,00000000,00000001), ref: 00C971C1

Part of subcall function 00C93AB6: GetWindowRect.USER32(?,?), ref: 00C93AC9

GetDesktopWindow.USER32 ref: 00C971EB
GetWindowRect.USER32(00000000), ref: 00C971F2
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C97224

Part of subcall function 00C852EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85363

GetCursorPos.USER32(?), ref: 00C97250
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C972AE

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 7e8570e78d95512a5dd30acc380e2584a7b4f65c8fe684a869d54df2c1e65753
Instruction ID: 2e22fd2b6dd0f971f256a487a6e1d067a98625aac2061e57e1644a5fecc580f8
Opcode Fuzzy Hash: 7e8570e78d95512a5dd30acc380e2584a7b4f65c8fe684a869d54df2c1e65753
Instruction Fuzzy Hash: 8C31F072519305AFCB20EF54C849B9FB7A9FF89308F000A29F49597191CB70EA09CB92

Function 00C78B3B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C783D1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C783E8
Part of subcall function 00C783D1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C783F2
Part of subcall function 00C783D1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C78401
Part of subcall function 00C783D1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C78408
Part of subcall function 00C783D1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C7841E

GetLengthSid.ADVAPI32(?,00000000,00C78757), ref: 00C78B8C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C78B98
HeapAlloc.KERNEL32(00000000), ref: 00C78B9F
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C78BB8
GetProcessHeap.KERNEL32(00000000,00000000,00C78757), ref: 00C78BCC
HeapFree.KERNEL32(00000000), ref: 00C78BD3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2eff1c5dee59e7d4f1ac87b6a028afc1751c4aa2d3cee69f7246ccd7d1944893
Instruction ID: c2e7a042612cc5a75778f4d2370f257957d325754d952ffb92bcaf3b278956ea
Opcode Fuzzy Hash: 2eff1c5dee59e7d4f1ac87b6a028afc1751c4aa2d3cee69f7246ccd7d1944893
Instruction Fuzzy Hash: C211B1B1640204FFDB109FA4CC0DFAE77A9EB46319F10806DEA5997150CB319A09CBA0

Function 00C788D9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C7890A
OpenProcessToken.ADVAPI32(00000000), ref: 00C78911
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C78920
CloseHandle.KERNEL32(00000004), ref: 00C7892B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7895A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C7896E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dac398a80cc7a945c174b7b541d08da68fa79bb4f8a6b1725a56a0d75902516d
Instruction ID: 4b9185c85b66a85cf5ce5b3bcf57097b9ca073970632527b117fef77418cfa27
Opcode Fuzzy Hash: dac398a80cc7a945c174b7b541d08da68fa79bb4f8a6b1725a56a0d75902516d
Instruction Fuzzy Hash: DE115C72541209ABDF028FA4DD49BEE7BA9EF09308F044168FE04A2160C7718E659B61

Function 00C7BA52 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C7BA77
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C7BA88
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C7BA8F
ReleaseDC.USER32(00000000,00000000), ref: 00C7BA97
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C7BAAE
MulDiv.KERNEL32(000009EC,?,?), ref: 00C7BAC0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e4e77f31086c3609e52baeea559556ee89c1bb70a3b6e691915f48015e9278a8
Instruction ID: 12ae7e4e137e902cab16486e7ad2e5b2b0cb628cb74c4259651b53573d2a23c4
Opcode Fuzzy Hash: e4e77f31086c3609e52baeea559556ee89c1bb70a3b6e691915f48015e9278a8
Instruction Fuzzy Hash: C301A775E00319BBEF109BE59D49B5EBFB8EB49365F004079FA08A7291D6309D01CFA0

Function 00C402E2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C40313
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C4031B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C40326
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C40331
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C40339
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C40341

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0341254dafc94dcd0b4762e4e8067099380b9b635fd29e67c0439eefecfe6185
Instruction ID: abcf78e044182aa1ecc89bd9239d5ebae7e4419cd6e00599b08367c1d061dbc3
Opcode Fuzzy Hash: 0341254dafc94dcd0b4762e4e8067099380b9b635fd29e67c0439eefecfe6185
Instruction Fuzzy Hash: A10148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 00C85490 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C854A0
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C854B6
GetWindowThreadProcessId.USER32(?,?), ref: 00C854C5
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C854D4
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C854DE
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C854E5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5fbe4a5e1e5030fbca2454489cbbcfbdd4fdce28a7af5dc0d072e204ec56091d
Instruction ID: fc86b1d1d4db2497a4e90c00f293aab03035817af0019e9f66659f66bcbae03f
Opcode Fuzzy Hash: 5fbe4a5e1e5030fbca2454489cbbcfbdd4fdce28a7af5dc0d072e204ec56091d
Instruction Fuzzy Hash: DEF01D32241158BBE7315BE2DC0DFEF7A7CEBCBB19F00016DFA04D20A096B11A0286B5

Function 00C872D9 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C872EC
EnterCriticalSection.KERNEL32(?,?,00C31044,?,?), ref: 00C872FD
TerminateThread.KERNEL32(00000000,000001F6,?,00C31044,?,?), ref: 00C8730A
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C31044,?,?), ref: 00C87317

Part of subcall function 00C86CDE: CloseHandle.KERNEL32(00000000,?,00C87324,?,00C31044,?,?), ref: 00C86CE8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C8732A
LeaveCriticalSection.KERNEL32(?,?,00C31044,?,?), ref: 00C87331

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 459d2e59fb4320b113df801112024f75965c8200f9a2a5f9558ed8aa14f2425b
Instruction ID: 36f599671111154eb3c19f9e7268a103981cfc7a896e654fc226a3e074f6ce83
Opcode Fuzzy Hash: 459d2e59fb4320b113df801112024f75965c8200f9a2a5f9558ed8aa14f2425b
Instruction Fuzzy Hash: 09F05436140612EBD7612BA4ED8CBDE7729EF4630AB100635F502924B1DB755912DB50

Function 00C78C54 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C78C5F
UnloadUserProfile.USERENV(?,?), ref: 00C78C6B
CloseHandle.KERNEL32(?), ref: 00C78C74
CloseHandle.KERNEL32(?), ref: 00C78C7C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C78C85
HeapFree.KERNEL32(00000000), ref: 00C78C8C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4fbb95a978838b5934d55f5e64fc3feaffc271673fb9b217a3a78e4a0b0dbcad
Instruction ID: c7a855911c7335a1bea6ab52b99c8fd1013f27f0cd2891cab893adb44d5ba479
Opcode Fuzzy Hash: 4fbb95a978838b5934d55f5e64fc3feaffc271673fb9b217a3a78e4a0b0dbcad
Instruction Fuzzy Hash: 81E05276104505FFDB021FE5EC0CB5EBB69FB8A76AB508639F219C2470CB329462DB50

Function 00C98702 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98728
CharUpperBuffW.USER32(?,?), ref: 00C98837
VariantClear.OLEAUT32(?), ref: 00C989AF

Part of subcall function 00C8760B: VariantInit.OLEAUT32(00000000), ref: 00C8764B
Part of subcall function 00C8760B: VariantCopy.OLEAUT32(00000000,?), ref: 00C87654
Part of subcall function 00C8760B: VariantClear.OLEAUT32(00000000), ref: 00C87660

Strings

Incorrect Parameter format, xrefs: 00C98760, 00C98922
AUTOIT.ERROR, xrefs: 00C9883D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 108b92f46faf371100d3c76db610cccff764cd41ba9b3afcb0bea441ea3469c5
Instruction ID: 0b9571f2eab93581bcb8bd370619d9a0960090bb5ccb8b6ff616a3592cb1bc29
Opcode Fuzzy Hash: 108b92f46faf371100d3c76db610cccff764cd41ba9b3afcb0bea441ea3469c5
Instruction Fuzzy Hash: 71919E75608301DFCB00EF64C48596BBBE4EF89314F14896EF89A8B361DB31E909DB52

Function 00C82D8E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3FE06: _wcscpy.LIBCMT ref: 00C3FE29

_memset.LIBCMT ref: 00C82E7F
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C82EAE
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C82F61
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C82F8F

Strings

0, xrefs: 00C82E6B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e5b917227393e962670188ea11cbfc82e003829a31e5574c3c488bfa6df6b867
Instruction ID: 3352b5515c5034a477f1236e38c34cc06ab05420da8d59b56f96b843ec704465
Opcode Fuzzy Hash: e5b917227393e962670188ea11cbfc82e003829a31e5574c3c488bfa6df6b867
Instruction Fuzzy Hash: 4351C0715083219ED725AFA8C84976BB7F4EF85318F040A2DFAA5D31D0DB70CA04DB9A

Function 00C7D87B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7D8E3
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C7D919
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C7D92A
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C7D9AC

Strings

DllGetClassObject, xrefs: 00C7D91F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bd36a38fb218b6991ad9f03a4c06719801d14160ce93c243d019a16f52e309a7
Instruction ID: 63e86810c28627e9f4ef36c102d59066c63f7b82440f606562f81da02206ca2c
Opcode Fuzzy Hash: bd36a38fb218b6991ad9f03a4c06719801d14160ce93c243d019a16f52e309a7
Instruction Fuzzy Hash: E2419E72600204EFDB14DF55C884B9ABBB9EF85314F1181ADEE0A9F205DBB1DE40DBA0

Function 00C82A4B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82AB8
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C82AD4
DeleteMenu.USER32(?,00000007,00000000), ref: 00C82B1A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CE5890,00000000), ref: 00C82B63

Strings

0, xrefs: 00C82AAD

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e0288ffbb439d5b7faf482be30e371931929476955665b395419b735ca1bafbc
Instruction ID: 207c28089cb9eb7d96ac19e78834379d3b5da72ba5e4d4d37c3df2efe6df974f
Opcode Fuzzy Hash: e0288ffbb439d5b7faf482be30e371931929476955665b395419b735ca1bafbc
Instruction Fuzzy Hash: 3B41C4302053019FD720EF24C889B2AB7E8EF85328F10461DF866972D1D770E905CB6A

Function 00C9D8B9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C9D8D9

Part of subcall function 00C279AB: _memmove.LIBCMT ref: 00C279F9

Strings

cdecl, xrefs: 00C9D930
winapi, xrefs: 00C9D94A
stdcall, xrefs: 00C9D95B
none, xrefs: 00C9D9B4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3254e83af574fdf19ed8696dcfdcee260d069e6058a1e4982541e5090ec3395a
Instruction ID: a9b6a239c61aa6ca19f3dcd52a5d224bccf3f159f58a905714749652cafd36f5
Opcode Fuzzy Hash: 3254e83af574fdf19ed8696dcfdcee260d069e6058a1e4982541e5090ec3395a
Instruction Fuzzy Hash: 48319270504615AFCF10EFA4D8D19EEB3B4FF05710B108B6AE966A77D1DB31AA06DB80

Function 00C79152 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AEC7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C791D6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C791E9
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C79219

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Strings

ListBox, xrefs: 00C79195
ComboBox, xrefs: 00C79160

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: f3fc0e8cddef4050769ad65aa3da896295512768eb597ac87a5661ed0ff12890
Instruction ID: e5c8d429bb0ca75ea0e11825bf53ffa29065117cb1e01bfa1b6a76ab04ea6b7a
Opcode Fuzzy Hash: f3fc0e8cddef4050769ad65aa3da896295512768eb597ac87a5661ed0ff12890
Instruction Fuzzy Hash: EE210A719441047FDB14ABB4DC8ADFFB778DF45360F148229F429671E1DB354D0AA610

Function 00C91943 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C91962
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C91988
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C919B8
InternetCloseHandle.WININET(00000000), ref: 00C919FF

Part of subcall function 00C92599: GetLastError.KERNEL32(?,?,00C9192D,00000000,00000000,00000001), ref: 00C925AE
Part of subcall function 00C92599: SetEvent.KERNEL32(?,?,00C9192D,00000000,00000000,00000001), ref: 00C925C3

Strings

, xrefs: 00C919A9

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: db39dbf109d6daa9967fca5e506511da9fef395d72313e3535085aaf623855c7
Instruction ID: a6dfa63770ece813532c345c376c622bb518557045c2a979b91bf262f4599500
Opcode Fuzzy Hash: db39dbf109d6daa9967fca5e506511da9fef395d72313e3535085aaf623855c7
Instruction Fuzzy Hash: 9721B0B1600209BFEB119FA4DC9AFBF76ACEB49744F15011AF845D3200EA309E05A7A1

Function 00CA6419 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA6493
LoadLibraryW.KERNEL32(?), ref: 00CA649A
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA64AF
DestroyWindow.USER32(?), ref: 00CA64B7

Strings

SysAnimate32, xrefs: 00CA646E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 66b3063ff2d320579c5008b5eaab3643d56097aecfecafa83f494394ffa4ed68
Instruction ID: 76488de2cdcd465224fb9b9ae3159388ec4d7e4314c9a4962cd5e2e10c5d3d1e
Opcode Fuzzy Hash: 66b3063ff2d320579c5008b5eaab3643d56097aecfecafa83f494394ffa4ed68
Instruction Fuzzy Hash: 40219D71600606ABEF108FA4DC80FBB77A9EF5E76CF188629FA6497190C771CC51A760

Function 00C86E45 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C86E65
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C86E98
GetStdHandle.KERNEL32(0000000C), ref: 00C86EAA
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C86EE4

Strings

nul, xrefs: 00C86EDF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fced57fa298440d6038eea69769014decad130435e85585d6fbdeaccf612917b
Instruction ID: 38abb19d807ccd06a320c9c9db19ea57393469baaddca3be3179f91924c2c0d0
Opcode Fuzzy Hash: fced57fa298440d6038eea69769014decad130435e85585d6fbdeaccf612917b
Instruction Fuzzy Hash: CF219078600209ABDB20AF69DC44B9EBBF4AF45728F204629FDB0D72D0DB709951CB54

Function 00C86F13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C86F32
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C86F64
GetStdHandle.KERNEL32(000000F6), ref: 00C86F75
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C86FAF

Strings

nul, xrefs: 00C86FAA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cd217d8fe1aac988f50e406929a53085d6fef0a23f2ab7e4e959ab4382046173
Instruction ID: c9503f5b494825e7947026f03c9f9fbe067e95add104b7aa7f89de374563e161
Opcode Fuzzy Hash: cd217d8fe1aac988f50e406929a53085d6fef0a23f2ab7e4e959ab4382046173
Instruction Fuzzy Hash: 2721A171600305ABDB20AFA9AC04B9E77E8AF45328F200769FEB1D72D0D770D9418B68

Function 00C8ACCA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8ACDE
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C8AD32
__swprintf.LIBCMT ref: 00C8AD4B
SetErrorMode.KERNEL32(00000000,00000001,00000000,00CAF910), ref: 00C8AD89

Strings

%lu, xrefs: 00C8AD45

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: f22af0021dab9d3ce427169f9062a8da4faeaee761e25cabdc16050a9a6375ae
Instruction ID: a5114566ff822462bacb80914352271d800ce3cd4a0fb6ee9b4d93344f73e3ee
Opcode Fuzzy Hash: f22af0021dab9d3ce427169f9062a8da4faeaee761e25cabdc16050a9a6375ae
Instruction Fuzzy Hash: 22219535A00109AFCB10EFA5DD85EAE77B8EF49708B104069F509DB351DB31EE41DB61

Function 00C7A30F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

Part of subcall function 00C7A15C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C7A179
Part of subcall function 00C7A15C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7A18C
Part of subcall function 00C7A15C: GetCurrentThreadId.KERNEL32 ref: 00C7A193
Part of subcall function 00C7A15C: AttachThreadInput.USER32(00000000), ref: 00C7A19A

GetFocus.USER32 ref: 00C7A334

Part of subcall function 00C7A1A5: GetParent.USER32(?), ref: 00C7A1B3

GetClassNameW.USER32(?,?,00000100), ref: 00C7A37D
EnumChildWindows.USER32(?,00C7A3F5), ref: 00C7A3A5
__swprintf.LIBCMT ref: 00C7A3BF

Strings

%s%d, xrefs: 00C7A3B9

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 57361c51c82a8f0e1ea7e98b82aa90d9d4425afada13d6afefd4450d26ce6d1d
Instruction ID: fa1fa66d8ac471e1ac032afc64468dacd43ddddf8712a602a6e44bcc80b6992c
Opcode Fuzzy Hash: 57361c51c82a8f0e1ea7e98b82aa90d9d4425afada13d6afefd4450d26ce6d1d
Instruction Fuzzy Hash: FF118771500209BBDF117F60DC85FEE777CAF85700F048079BA1C9A152DA745945DB71

Function 00C9EC69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C9ED1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C9ED4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C9EE7E
CloseHandle.KERNEL32(?), ref: 00C9EEFF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 99481e4db8b9b784f9391b53da04e6f26cf93306691af011daf156d791e8c32d
Instruction ID: 86397f6ca76df3dd5805b8a1a9a3305e739e5bbdcfc0737a07c173222070bd7d
Opcode Fuzzy Hash: 99481e4db8b9b784f9391b53da04e6f26cf93306691af011daf156d791e8c32d
Instruction Fuzzy Hash: 818172716003109FDB20EF29D846F2AB7E5EF58710F04881DF999DB792DB70AD419B52

Function 00C4558D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C455EB
_memcpy_s.LIBCMT ref: 00C4565D
__read_nolock.LIBCMT ref: 00C456BB
__filbuf.LIBCMT ref: 00C456DE
_memset.LIBCMT ref: 00C45722

Part of subcall function 00C48CA8: __getptd_noexit.LIBCMT ref: 00C48CA8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction ID: 7d597374c821ca1be232dd7039fe898d724901c33bcc7a5c568574da44f7396c
Opcode Fuzzy Hash: 17c9c7776e299596ed796557eca7f8bd29831e9b0e98da48d3161094909ff33f
Instruction Fuzzy Hash: 1751C170A00B05DBDB248FB9C8856AE7BB6FF41330F64872AF835962D2D7719E549B40

Function 00CA00C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00CA0EA5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FE38,?,?), ref: 00CA0EBC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0188
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA01C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CA020E
RegCloseKey.ADVAPI32(?,?), ref: 00CA023A
RegCloseKey.ADVAPI32(00000000), ref: 00CA0247

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b7b7b1e70c968ac222ddf64e57ad76f41dfe36a6ae0dc03db916765c943e188b
Instruction ID: 75edc426969bec05969a68ea00054863fadc3c2ee869932e3cb09055bc6b46e3
Opcode Fuzzy Hash: b7b7b1e70c968ac222ddf64e57ad76f41dfe36a6ae0dc03db916765c943e188b
Instruction Fuzzy Hash: 3A517831208305AFD704EBA4D885F6EB7E8FF89348F14892DB596872A1DB30E905DB52

Function 00C9D9DC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9DA3B
GetProcAddress.KERNEL32(00000000,?), ref: 00C9DABE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C9DADA
GetProcAddress.KERNEL32(00000000,?), ref: 00C9DB1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9DB35

Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C8793F,?,?,00000000), ref: 00C25B8C
Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C8793F,?,?,00000000,?,?), ref: 00C25BB0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 99d263549df2738310df088b4db3ec6a4162f39ba4dd025d7eec2b4a9f90895d
Instruction ID: 95e2b43b512e7d3c47ae10569a1b3928452249983a5bf638a1fa732adf2715e8
Opcode Fuzzy Hash: 99d263549df2738310df088b4db3ec6a4162f39ba4dd025d7eec2b4a9f90895d
Instruction Fuzzy Hash: 74515C35A04215DFDB00EFA8D4889ADB7F4FF19310B048069E91AAB351DB30EE45DF50

Function 00C8E5FD Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C8E6AB
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C8E6D4
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C8E713

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C8E738
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C8E740

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 049f31bfb33069401e36ef7a1cd8664c2bf3a85469684175ab5219d21803be7c
Instruction ID: 65f7b77ed999b2d6446c300c87924c1e3c2b97777180536329b382eed228c353
Opcode Fuzzy Hash: 049f31bfb33069401e36ef7a1cd8664c2bf3a85469684175ab5219d21803be7c
Instruction Fuzzy Hash: 23513A35A00215DFDB00EFA4C981AAEBBF5EF08314F1480A9E849AB361CB31ED51DB50

Function 00CAA088 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa77ba409b6f4ff8e202ba982bb9ba4725cfd27dfa72b052b2b3e985ecb9d081
Instruction ID: 18f32677b345e28a32ec39bb0796cd02f1d9100b3e1c39079ee7eeaa90c9853c
Opcode Fuzzy Hash: aa77ba409b6f4ff8e202ba982bb9ba4725cfd27dfa72b052b2b3e985ecb9d081
Instruction Fuzzy Hash: 2841E635900146FFD720DF68CC44FADBBA5EB0B368F150169FA26A72E1C7309E41DA51

Function 00C22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C22357
ScreenToClient.USER32(00CE57B0,?), ref: 00C22374
GetAsyncKeyState.USER32(00000001), ref: 00C22399
GetAsyncKeyState.USER32(00000002), ref: 00C223A7

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9154b103b73b5d570d535a47321ecba16dce86383bd16ea419f4323c635966fb
Instruction ID: d42628fa4adda52a88c3ab06add2672c1f11682efc43d000df7453b4021e9c3a
Opcode Fuzzy Hash: 9154b103b73b5d570d535a47321ecba16dce86383bd16ea419f4323c635966fb
Instruction Fuzzy Hash: 65418039904615FFCF15DF65C884AEEBBB4FB05365F10432AF835922A1C7346A94EB90

Function 00C76700 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7673D
TranslateAcceleratorW.USER32(?,?,?), ref: 00C76789
TranslateMessage.USER32(?), ref: 00C767B2
DispatchMessageW.USER32(?), ref: 00C767BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C767CB

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 385db6f4fdac2ab8b196c4f791bc9685ba635aa28da02534b6430d629b78597d
Instruction ID: 4b38f8d9fbdbacf6f873b31e28a9d8b5b59b6d354daed343702a0e30e550738e
Opcode Fuzzy Hash: 385db6f4fdac2ab8b196c4f791bc9685ba635aa28da02534b6430d629b78597d
Instruction Fuzzy Hash: 8B31C531900E46AFDB288FB0CC84FBA7BECAB0134CF148169E439C71A1E7359985DB50

Function 00C78CE1 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C78CF2
PostMessageW.USER32(?,00000201,00000001), ref: 00C78D9C
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C78DA4
PostMessageW.USER32(?,00000202,00000000), ref: 00C78DB2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C78DBA

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 42ac6710acce8da6e3ef48138f9f91396c14e9103b50a3e565c80a9ce51b60eb
Instruction ID: 71bb514cab683d3fdda0ec3a3fef3567a5eed30f57fbecd8cfffb7bce4b035d5
Opcode Fuzzy Hash: 42ac6710acce8da6e3ef48138f9f91396c14e9103b50a3e565c80a9ce51b60eb
Instruction Fuzzy Hash: 7F31A27150021AEFDF24CFA8D94DB9E7BB5EB25315F108229FA29E71D0C7709A14DB90

Function 00C7B4AE Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C7B4C6
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C7B4E3
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C7B51B
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C7B541
_wcsstr.LIBCMT ref: 00C7B54B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e6ca9ba72b3a422e94d53629dce8034bc65215c516880a8ca72b0b9dd281fe49
Instruction ID: a186760a7d5a723a3af6ed762b776fdda89257aca15b6405601736c71462310d
Opcode Fuzzy Hash: e6ca9ba72b3a422e94d53629dce8034bc65215c516880a8ca72b0b9dd281fe49
Instruction Fuzzy Hash: 2921D732604204BAEB259B799C09F7F7BA8EF49760F10803DF909DA161EB71DD41A6A0

Function 00CAB17F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetWindowLongW.USER32(?,000000F0), ref: 00CAB1C6
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CAB1EB
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CAB203
GetSystemMetrics.USER32(00000004), ref: 00CAB22C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C90FA5,00000000), ref: 00CAB24A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 2cec4745ef6fefe85ab0858804411c6ec37aad5e6271943d83740b5d017e3ca4
Instruction ID: 271518a5caf047a207766d198c077ef785f6fd5f950c17dc167a2931d800b511
Opcode Fuzzy Hash: 2cec4745ef6fefe85ab0858804411c6ec37aad5e6271943d83740b5d017e3ca4
Instruction Fuzzy Hash: 0B218D72910666AFCB249F799C08B6E37A4EB06329F104739F936D72E1E7309D119B90

Function 00C795C9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C795E2

Part of subcall function 00C27D2C: _memmove.LIBCMT ref: 00C27D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C79614
__itow.LIBCMT ref: 00C7962C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C79654
__itow.LIBCMT ref: 00C79665

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: bd2deb2d9a03d9c3f0d00ddd898341bcecef46856a92e548236dd347770a0f78
Instruction ID: 3a8dca0591c95d8f88b1e9c2e444d09961622cb451616f12716dace5ccc9fda7
Opcode Fuzzy Hash: bd2deb2d9a03d9c3f0d00ddd898341bcecef46856a92e548236dd347770a0f78
Instruction Fuzzy Hash: 0421F931700218BFDB10ABA59C89FEE7BB8EF59724F048129FD08E7251E6708E419791

Function 00C95B63 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C95B84
GetForegroundWindow.USER32 ref: 00C95B9B
GetDC.USER32(00000000), ref: 00C95BD7
GetPixel.GDI32(00000000,?,00000003), ref: 00C95BE3
ReleaseDC.USER32(00000000,00000003), ref: 00C95C1E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b25642fbd6bbbd707c3a9ee51192aa1409f6778b4331ecf68cdd39c0ace452df
Instruction ID: 8ba8037762157afec6d55945bcc46f4bb0f4428223398b850f4144dcdd3b636d
Opcode Fuzzy Hash: b25642fbd6bbbd707c3a9ee51192aa1409f6778b4331ecf68cdd39c0ace452df
Instruction Fuzzy Hash: 2D219D75A00214EFDB10EFA5DD88BAEBBF5EF49315F048479F84A97662CA30AD01DB50

Function 00C212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C2134D
SelectObject.GDI32(?,00000000), ref: 00C2135C
BeginPath.GDI32(?), ref: 00C21373
SelectObject.GDI32(?,00000000), ref: 00C2139C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b9296c19045bc86398ec2363557773a4ea9428c8bcdde9bc83d72895b1198b49
Instruction ID: 6bf59548cbed5a70d174e8561cd47995c87b145f2a2b6c1c0c4d6b8a6031543d
Opcode Fuzzy Hash: b9296c19045bc86398ec2363557773a4ea9428c8bcdde9bc83d72895b1198b49
Instruction Fuzzy Hash: 82214C70840758EFDB20CF65EC8476D7BA9FB10329F18422AE8209A5F0D3B19991DF90

Function 00C84B3A Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C84B61
__beginthreadex.LIBCMT ref: 00C84B7F
MessageBoxW.USER32(?,?,?,?), ref: 00C84B94
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C84BAA
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C84BB1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 86650bde282c93c8b96beb242630ad18aec0e4fb5db73e573f57d2f049d5a0a2
Instruction ID: 066e527762cbcc11ba31a834aca81e483285dd6d82a9fa6e78ee03c28e1a9753
Opcode Fuzzy Hash: 86650bde282c93c8b96beb242630ad18aec0e4fb5db73e573f57d2f049d5a0a2
Instruction Fuzzy Hash: 9011447290464ABBCB00AFA89C48BEE7FACAB45328F140269F924D3250C271CD0087A0

Function 00C7852A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C78546
GetLastError.KERNEL32(?,00C7800A,?,?,?), ref: 00C78550
GetProcessHeap.KERNEL32(00000008,?,?,00C7800A,?,?,?), ref: 00C7855F
HeapAlloc.KERNEL32(00000000,?,00C7800A,?,?,?), ref: 00C78566
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7857D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b6dbaaebfb779da06c4d4dbaa45002df96e5ea794b83260c6cd573fb3d837510
Instruction ID: bb086c1bda46a8fd9b8f53e9f22132c82bc2b68a99d398b5c4e71fb927591c79
Opcode Fuzzy Hash: b6dbaaebfb779da06c4d4dbaa45002df96e5ea794b83260c6cd573fb3d837510
Instruction Fuzzy Hash: 81014B71241204EFEB214FA6DC4CE6F7BACEF8A359B54452AF949C3220DA328D05CA60

Function 00C852EB Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85307
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C85315
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C8531D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C85327
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85363

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: af4e3e7c567c3a4406b00485677b6eab04736aa343cf43c434d8b2812062f583
Instruction ID: 73191c1428327bc8205cdb183024afa9e1ef1d5f5f171b9314f57634fd78d2a2
Opcode Fuzzy Hash: af4e3e7c567c3a4406b00485677b6eab04736aa343cf43c434d8b2812062f583
Instruction Fuzzy Hash: 72016D31C01A1DDBCF00AFE4E888BEDBBB8FB09315F050459E941F3190CBB05A5697A5

Function 00C77432 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?,?,00C7777D), ref: 00C7744F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?), ref: 00C7746A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?), ref: 00C77478
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?), ref: 00C77488
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C7736C,80070057,?,?), ref: 00C77494

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 14f1eaebf4defd82ee78e519120065bc4ec7526f010b6f0ccf281f30368e2413
Instruction ID: fbedb5da33f90107349f3891b8b6ecba9e4a4c5d4149140c48b85bcf810be5b7
Opcode Fuzzy Hash: 14f1eaebf4defd82ee78e519120065bc4ec7526f010b6f0ccf281f30368e2413
Instruction Fuzzy Hash: 93017176601308BBDB105F65DC48BAE7FADEB45756F148228F908D3220D775DD419FA0

Function 00C783D1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C783E8
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C783F2
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C78401
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C78408
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C7841E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c8f01ff8c59f355aa19f6095312d9a24e99c2e24ee6cd8cbbe97cde2df3861af
Instruction ID: be22038e014aeb7cf2091d43bf03f47fdc43da327609f0815d650c87be7e65f3
Opcode Fuzzy Hash: c8f01ff8c59f355aa19f6095312d9a24e99c2e24ee6cd8cbbe97cde2df3861af
Instruction Fuzzy Hash: 02F0AF30244205AFEB101FA4DC9CFAF3BACEF8A759B008029FA49C3150CBB0DC46DA60

Function 00C78432 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C78449
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C78453
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78462
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78469
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7847F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f00b78b506d0d391da10f1efdbefd6f5e5c99693bfb8e818979f451ad6ddd0a2
Instruction ID: 8e5eaba439decf50feb9aa870ae59923388d1d4b9ee5f93eb3335e2925f59389
Opcode Fuzzy Hash: f00b78b506d0d391da10f1efdbefd6f5e5c99693bfb8e818979f451ad6ddd0a2
Instruction Fuzzy Hash: D7F0A430240305AFDB211FA5DC9CF6F3BACEF46759B444029FA49C3150CBB09905DA60

Function 00C7C4A5 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C7C4B9
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C7C4D0
MessageBeep.USER32(00000000), ref: 00C7C4E8
KillTimer.USER32(?,0000040A), ref: 00C7C504
EndDialog.USER32(?,00000001), ref: 00C7C51E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 709531afe56f91e621917088b6db45cc6e4c1935afac418f04eaa0d0060e205d
Instruction ID: a1dc1411c75b19142554ab5225d6b9022a754a7d5dd76884b0b5bbc2f96ab653
Opcode Fuzzy Hash: 709531afe56f91e621917088b6db45cc6e4c1935afac418f04eaa0d0060e205d
Instruction Fuzzy Hash: AF01D630400705ABEB215F60DC8EFAA77B8FF01709F04866DF596A20E1DBF16A458B80

Function 00C213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C213BF
StrokeAndFillPath.GDI32(?,?,00C5BA08,00000000,?), ref: 00C213DB
SelectObject.GDI32(?,00000000), ref: 00C213EE
DeleteObject.GDI32 ref: 00C21401
StrokePath.GDI32(?), ref: 00C2141C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cd9abeb051d6a7a2ff083317343b0f3e59d9616625cf4b6f0bf93064ac74de8a
Instruction ID: fb2f8412dd081b320558e4669da2fa8f71c476d666445cff28d055ca6e4e33aa
Opcode Fuzzy Hash: cd9abeb051d6a7a2ff083317343b0f3e59d9616625cf4b6f0bf93064ac74de8a
Instruction Fuzzy Hash: EDF0EC30044B48EBDB255F6AEC8C75C3FA5AB1132AF0C8228E9698D4F1C7714996DF50

Function 00C8C423 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C8C4BE
CoCreateInstance.OLE32(00CB2D6C,00000000,00000001,00CB2BDC,?), ref: 00C8C4D6

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

CoUninitialize.OLE32 ref: 00C8C743

Strings

.lnk, xrefs: 00C8C452, 00C8C47A, 00C8C484

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7d3f401b7f0decede1bb46c2270abf976f272590e96ba003a28e9c60a2815383
Instruction ID: abb13a0a87ad24349118e2b70219ec056380bf6e9d560823a747789a9bc55bb9
Opcode Fuzzy Hash: 7d3f401b7f0decede1bb46c2270abf976f272590e96ba003a28e9c60a2815383
Instruction Fuzzy Hash: 31A13C71108315AFD700EF64D8D1EABB7E8EF89704F00491CF156971A2DB70EA49DB62

Function 00C32E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C40F36: std::exception::exception.LIBCMT ref: 00C40F6C
Part of subcall function 00C40F36: __CxxThrowException@8.LIBCMT ref: 00C40F81

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C27BB1: _memmove.LIBCMT ref: 00C27C0B

__swprintf.LIBCMT ref: 00C3302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C32EC6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: c41ee290d2c75c992c35c0623eb39ee05af34e16c94e9507d938b5d7463f3f8c
Instruction ID: 60cca57bb8e5a46f9a3d4729f801bb5fcaac6ba60ff006d02cb1e48c38574681
Opcode Fuzzy Hash: c41ee290d2c75c992c35c0623eb39ee05af34e16c94e9507d938b5d7463f3f8c
Instruction Fuzzy Hash: 80916C711182519FCB28EF64D8D6C6FB7A4EF85710F00491DF8969B2A1DB30EE44DB92

Function 00C8B9C7 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C248A1,?,?,00C237C0,?), ref: 00C248CE

CoInitialize.OLE32(00000000), ref: 00C8BA47
CoCreateInstance.OLE32(00CB2D6C,00000000,00000001,00CB2BDC,?), ref: 00C8BA60
CoUninitialize.OLE32 ref: 00C8BA7D

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

Strings

.lnk, xrefs: 00C8BA29, 00C8BA37

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 94fa74403c868d4b2f3035f434d2952bfc38c03a9333be0c1becc2bb69ace92c
Instruction ID: 6dd21406fd5731032ccf9e57373bb9765d27c9c8b4c33fadfa4b49b246dac796
Opcode Fuzzy Hash: 94fa74403c868d4b2f3035f434d2952bfc38c03a9333be0c1becc2bb69ace92c
Instruction Fuzzy Hash: ADA168756043119FCB10EF14C894E6ABBE5FF89318F148998F89A9B3A1CB31ED45CB91

Function 00C4518D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C4521D

Part of subcall function 00C50270: __87except.LIBCMT ref: 00C502AB

Strings

pow, xrefs: 00C451F5, 00C45212

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ee83e2d3b85d1723a8e2e3c56a03dcaca86ff59ed84992f476bb9a38adb46522
Instruction ID: 302fe19e1e58e25e2b258d9e226649a3252012073d31b91427285ceac6160225
Opcode Fuzzy Hash: ee83e2d3b85d1723a8e2e3c56a03dcaca86ff59ed84992f476bb9a38adb46522
Instruction Fuzzy Hash: A8514A65A0C60197DB216B14C94137E3B94BB40712F344A59E8A5C61F7EB748ECCA64A

Function 00C4017B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00C401C0
+, xrefs: 00C401B7

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: e56414366d28a2ff3f3baf6492a7a1d457975c8a4ed0dfbc8c31917174d78cb5
Instruction ID: 37a4eb4a403aa5714282ad58a08ed97fc46774572c731070f85c4771186137f4
Opcode Fuzzy Hash: e56414366d28a2ff3f3baf6492a7a1d457975c8a4ed0dfbc8c31917174d78cb5
Instruction Fuzzy Hash: 09512135504256DFCF25DF28C485AFA7BA4FF1A310F288055ECA59B2E0C7B0AE42D760

Function 00C362F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C363A8
_memmove.LIBCMT ref: 00C36444
_memset.LIBCMT ref: 00C36468

Strings

ERCP, xrefs: 00C36313

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: c59e393511829305f37923d9c6bc0a320dee0a3188490e9068dc2ab75e47e224
Instruction ID: 71f6b386e5ae6be1d21f82dea6897c2134f4f4f611c106fd229f2ace69099817
Opcode Fuzzy Hash: c59e393511829305f37923d9c6bc0a320dee0a3188490e9068dc2ab75e47e224
Instruction Fuzzy Hash: 2C517E71910309EBDB24CF65C9817AAB7F4FF04714F24C56EE95ACB251E771AA84CB40

Function 00C79AB7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C817ED: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C79558,?,?,00000034,00000800,?,00000034), ref: 00C81817

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C79B01

Part of subcall function 00C817B8: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C79587,?,?,00000800,?,00001073,00000000,?,?), ref: 00C817E2

Part of subcall function 00C8170F: GetWindowThreadProcessId.USER32(?,?), ref: 00C8173A
Part of subcall function 00C8170F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C7951C,00000034,?,?,00001004,00000000,00000000), ref: 00C8174A
Part of subcall function 00C8170F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C7951C,00000034,?,?,00001004,00000000,00000000), ref: 00C81760

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C79B6E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C79BBB

Strings

@, xrefs: 00C79BD3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 96bf03aad90ff834928cbdd08ef37577aa4e16da956ef9d8f4c1ff80c675371a
Instruction ID: af6949e9c7a5a7a97a834f3b27aea1f84700ab648b06ecae610362a87d770625
Opcode Fuzzy Hash: 96bf03aad90ff834928cbdd08ef37577aa4e16da956ef9d8f4c1ff80c675371a
Instruction Fuzzy Hash: 48414E7690021CBFDB10EFA4CC85BDEBBB8EB09704F148099F955B7190DA716E45DBA0

Function 00CA7978 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CAF910,00000000,?,?,?,?), ref: 00CA7A11
GetWindowLongW.USER32 ref: 00CA7A2E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA7A3E

Strings

SysTreeView32, xrefs: 00CA79E3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: dc2204e11ec91d7f961b53587f3e2ae0c97ed33c3ce306337bcb5813ed3925c7
Instruction ID: 87006f6cb106630cf4e765c7d86cf2caa72662871388a380be18738c770e6267
Opcode Fuzzy Hash: dc2204e11ec91d7f961b53587f3e2ae0c97ed33c3ce306337bcb5813ed3925c7
Instruction Fuzzy Hash: 8331BE32604606ABDB219F38DC41BEB77A9FB0A328F244725F875931E0C730EE519B50

Function 00CA740B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CA7493
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CA74A7
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA74CB

Strings

SysMonthCal32, xrefs: 00CA745E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6613a7ccc59d92d94a4a1fa148573e11daac38117b74ed93548e4b19ce1d23e8
Instruction ID: db1e676413aac29fc2a6b404b47b21db726d1654df011c8073fdeb72efd69880
Opcode Fuzzy Hash: 6613a7ccc59d92d94a4a1fa148573e11daac38117b74ed93548e4b19ce1d23e8
Instruction Fuzzy Hash: 4921DE32600219BBDF228F90DC86FEA3B79FF4D728F110214FE146B190D6B5A851DBA0

Function 00CA7BC5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CA7C7C
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CA7C8A
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CA7C91

Strings

msctls_updown32, xrefs: 00CA7BF6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 882e4b6d77b862894a012b3e130610da303d6cdc2945081736ef3b3183ba529b
Instruction ID: a2cba607c2978c1456582f1e623a1f84e7f98bbb29a63540fb57002bbef983b9
Opcode Fuzzy Hash: 882e4b6d77b862894a012b3e130610da303d6cdc2945081736ef3b3183ba529b
Instruction Fuzzy Hash: 4D21AEB560020AAFDB10DF54DCC1EAB37EDFF4A368B040559FA119B2A1CB30ED419BA0

Function 00CA6CE2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA6D6D
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA6D7D
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA6DA2

Strings

Listbox, xrefs: 00CA6D3A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c88ae7df623fbd3257f4e58d59647edd2ce8ba15ba9ddf33d63f3b6c5607cabc
Instruction ID: 867f50a6544ac277046e6c4ecaf923c81a17e262b10dbc2238660d39823a7b6c
Opcode Fuzzy Hash: c88ae7df623fbd3257f4e58d59647edd2ce8ba15ba9ddf33d63f3b6c5607cabc
Instruction Fuzzy Hash: 46210732B10119BFDF128F54DC84FBB3B7AEF8A758F058124F9159B190C6719C1197A0

Function 00CA7740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CA77A4
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CA77B9
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CA77C6

Strings

msctls_trackbar32, xrefs: 00CA777B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3eb196326ad828f626ed81d779602d3e940d2e55fdab18d69fc369eecf44e88f
Instruction ID: ee7e91f4bf16d6a05ace36e3dc89cfb7a0d51fa4bf770e681a21021537935698
Opcode Fuzzy Hash: 3eb196326ad828f626ed81d779602d3e940d2e55fdab18d69fc369eecf44e88f
Instruction Fuzzy Hash: CC11E732654209BBEF155F60CC45FEB37A9EF89718F010218FA51960D1D671A811DB20

Function 00C24C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24C2E), ref: 00C24CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C24CB5

Strings

GetNativeSystemInfo, xrefs: 00C24CAF
kernel32.dll, xrefs: 00C24C9E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e4b8e4016f118a31ca36f31296e755224581d09d59c7dad19705c022826c0a10
Instruction ID: c4d2a5482808ff0e1a7fb4273425e3ec7c747407ef54e3e8bd413d96f6dac5ae
Opcode Fuzzy Hash: e4b8e4016f118a31ca36f31296e755224581d09d59c7dad19705c022826c0a10
Instruction Fuzzy Hash: 46D0C770600323CFC7209FB4EA0870AB2E4AF02788B10883ED892C2550E670C881CA20

Function 00C24D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24CE1,?), ref: 00C24DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24DB4

Strings

kernel32.dll, xrefs: 00C24D9D
Wow64RevertWow64FsRedirection, xrefs: 00C24DAE

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3520c98b34e8bb134650ae26171c89df89ce0ba4eb40bd2722bd03fef53a99c0
Instruction ID: 3616cc9c307e229209d64f792063f0411d2d339805a8a64aa0f20af373937e3e
Opcode Fuzzy Hash: 3520c98b34e8bb134650ae26171c89df89ce0ba4eb40bd2722bd03fef53a99c0
Instruction Fuzzy Hash: 9ED01731550723CFD7209FB1E848B8A76E4AF06359F11883ED9D6D6660E770D881CA60

Function 00C24D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24D2E,?,00C24F4F,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24D81

Strings

kernel32.dll, xrefs: 00C24D6A
Wow64DisableWow64FsRedirection, xrefs: 00C24D7B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fe8843ccd11d1a25c91bde023815b105fbce53b3ece45d8f540e9882dec18ea5
Instruction ID: 479ab0e86358b68a3fd72e6ba860d791ddd6a29719c70f7070f17658ed99331e
Opcode Fuzzy Hash: fe8843ccd11d1a25c91bde023815b105fbce53b3ece45d8f540e9882dec18ea5
Instruction Fuzzy Hash: 15D01731510723CFD7209FB1E84875A76E8AF16356F11893ED596D6660E670D882CB60

Function 00CA0E72 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00CA10C1), ref: 00CA0E80
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CA0E92

Strings

RegDeleteKeyExW, xrefs: 00CA0E8C
advapi32.dll, xrefs: 00CA0E7B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 20200f4592942d055c0211047b9175f5bad5090d2636fe9f9d8a2a3c115bb738
Instruction ID: 6817fcd96bf78526361a7974fc8627f74aa96044cb4f1eddbdf2b4198ddab62b
Opcode Fuzzy Hash: 20200f4592942d055c0211047b9175f5bad5090d2636fe9f9d8a2a3c115bb738
Instruction Fuzzy Hash: E5D01775510B23CFD7209FB5D94878AB6E4AF0639AB218C7EE6DAD2250E670D880CA50

Function 00C991F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C98E09,?,00CAF910), ref: 00C99203
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C99215

Strings

kernel32.dll, xrefs: 00C991FE
GetModuleHandleExW, xrefs: 00C9920F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6e4ea38fb3f1cc36b2ebcaeaed70f37f3e32b30c9e389b50cc170b17ef80f41d
Instruction ID: e48a79418423a802168e4d7117a74c4bb085cb974101ff31b65563d9979ebd75
Opcode Fuzzy Hash: 6e4ea38fb3f1cc36b2ebcaeaed70f37f3e32b30c9e389b50cc170b17ef80f41d
Instruction Fuzzy Hash: 4BD0C730550B13DFCB309FB5DC0830A72E5AF12345B008C3ED992CA290EA70C880CB20

Function 00C61A6D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C61A71
__swprintf.LIBCMT ref: 00C61AA2

Strings

%.3d, xrefs: 00C61A7C
WIN_XPe, xrefs: 00C61AE1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2ebc1aed047176ce8845588f53652caacbbc7b3892eacd73014e7c4e9acea112
Instruction ID: 749bc367e45ea95da05f16331b07cb14e1d88d97417d2acc2d4c3ac4d3e913ed
Opcode Fuzzy Hash: 2ebc1aed047176ce8845588f53652caacbbc7b3892eacd73014e7c4e9acea112
Instruction Fuzzy Hash: 00D01771C15129EACB20DBD288C5AFE73BCEB08702F1C4562F906A2081E2358B84BA21

Function 00C774A5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3534aaa0e0223afe2a532fded7decd7fd4b3e56efc1b6021aa51a7bd0eece4
Instruction ID: 14503ec5fab4ce68c1cd9747a3f4d508dd41863dc494d93ae1552d194c6bcd77
Opcode Fuzzy Hash: 4a3534aaa0e0223afe2a532fded7decd7fd4b3e56efc1b6021aa51a7bd0eece4
Instruction Fuzzy Hash: 95C18575A0421AEFCB15CF98C884E6EB7F9FF48714B118698E819DB251D730DE81DB90

Function 00C9E13E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C9E1D2
CharLowerBuffW.USER32(?,?), ref: 00C9E215

Part of subcall function 00C9D8B9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C9D8D9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C9E415
_memmove.LIBCMT ref: 00C9E428

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 66d286890b9010bd6c23959fcdc1c12acb3f538237a8b93f9870c56882e3ba38
Instruction ID: 58d60ef3f4dc36084c151f46be4c9aa444a97025035a41e54da43ada754c3d97
Opcode Fuzzy Hash: 66d286890b9010bd6c23959fcdc1c12acb3f538237a8b93f9870c56882e3ba38
Instruction Fuzzy Hash: 18C16A71A08311DFCB04DF28C48496ABBE4FF99714F14896EF8999B351D731EA46CB82

Function 00C981A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C981D8
CoUninitialize.OLE32 ref: 00C981E3

Part of subcall function 00C7D87B: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7D8E3

VariantInit.OLEAUT32(?), ref: 00C981EE
VariantClear.OLEAUT32(?), ref: 00C984BF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 81b8f405a7b57708becce1722268b5a4db07a33a133e08369f539da36bf76952
Instruction ID: d9ae2be6d52b42d1b07b1f167e49831a3e37eb0c7a41aeecc14d0f533e3e8550
Opcode Fuzzy Hash: 81b8f405a7b57708becce1722268b5a4db07a33a133e08369f539da36bf76952
Instruction Fuzzy Hash: C5A135752047119FDB10EF24C495A2AB7E4FF89724F14884CF99A9B7A2CB30ED44DB86

Function 00C77858 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77A12
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77A2A
CLSIDFromProgID.OLE32(?,?,00000000,00CAFB80,000000FF,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77A4F
_memcmp.LIBCMT ref: 00C77A70

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1102b7151444b9dbfa6cda0c9491f10e37d6388be38f8618fdb18a5358b402f8
Instruction ID: bfb350d0793849e9c4e299e956197bc0a4864eba94907251117658302248f9c9
Opcode Fuzzy Hash: 1102b7151444b9dbfa6cda0c9491f10e37d6388be38f8618fdb18a5358b402f8
Instruction Fuzzy Hash: F0811C71A00109EFCB04DFD4C988EEEB7B9FF89315F208599E515AB250DB71AE46CB60

Function 00C76BD3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C76BE4
SysAllocString.OLEAUT32(00000000), ref: 00C76C8D
VariantCopy.OLEAUT32 ref: 00C76CBC
VariantClear.OLEAUT32(?), ref: 00C76CE3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 10f5a44919d6a3449ac382e33e3ed24825fba9af282ecf8abbc3af46c9892ed9
Instruction ID: 2110fe4291ec2487799a6d350e1eb8d39d1a6df38b19af3c9eaa8bc386815b43
Opcode Fuzzy Hash: 10f5a44919d6a3449ac382e33e3ed24825fba9af282ecf8abbc3af46c9892ed9
Instruction Fuzzy Hash: 7751B330714B029BDB30AF76D891A6DB3E5EF15310F20C82FE5AECB691DA708841A715

Function 00CA9826 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CA9895
ScreenToClient.USER32(00000002,00000002), ref: 00CA98C8
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CA9935

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 08a7665d72e1e730d2eb744f58571afc95f898dffc3e5c3115e210a83c4a9a96
Instruction ID: d00d7edecbb1d8f3d2cb0454e0cfb7b4a40d6f49d5d8c6ed0a82c8d73e27d842
Opcode Fuzzy Hash: 08a7665d72e1e730d2eb744f58571afc95f898dffc3e5c3115e210a83c4a9a96
Instruction Fuzzy Hash: C1514335900209EFCF24DF64D885AAE7BB5FF86364F14815DF8699B2A0D731AE41CB90

Function 00C4487A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C44910
__flush.LIBCMT ref: 00C44930
__write.LIBCMT ref: 00C44963
__flsbuf.LIBCMT ref: 00C44991

Part of subcall function 00C48CA8: __getptd_noexit.LIBCMT ref: 00C48CA8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 9d32a0cca31c7bb2b15b74915ad5c68f9b5270e2a37dcfa491c5b6f8e1a60b1a
Instruction ID: c454216c4a5dff55f4d72abeabeeb70d6690b3102565907620558e0bd2528607
Opcode Fuzzy Hash: 9d32a0cca31c7bb2b15b74915ad5c68f9b5270e2a37dcfa491c5b6f8e1a60b1a
Instruction Fuzzy Hash: 22410731A047459BDB1CCEA9C881B6F7BA9BF50360B34853DE865D7680D770DE40AB40

Function 00C96AC0 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C96AE7
WSAGetLastError.WSOCK32(00000000), ref: 00C96AF7

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C96B5B
WSAGetLastError.WSOCK32(00000000), ref: 00C96B67

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 51494cdf4e491b58078df0d3275745a2b5476ad8b775a83f97485a08ccf636e5
Instruction ID: 19db38f6d7478090d0d9cae36bb7c245e38bac4c2a4b3e07457946b92ecea673
Opcode Fuzzy Hash: 51494cdf4e491b58078df0d3275745a2b5476ad8b775a83f97485a08ccf636e5
Instruction Fuzzy Hash: D641B434740210AFEB20AF64EC87F3E77E9EF05B14F048418FA599B6D2DA749D01AB91

Function 00C96530 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CAF910), ref: 00C965BD
_strlen.LIBCMT ref: 00C965EF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 64ea02ea6214a5a643716feb5fad9afb93c3088da7c1971284b4e20de228c490
Instruction ID: 842f53062e09f3937e96fe5971843aecf4c1aa3111974850e02ec318c171faec
Opcode Fuzzy Hash: 64ea02ea6214a5a643716feb5fad9afb93c3088da7c1971284b4e20de228c490
Instruction Fuzzy Hash: 9941B131A00114ABCF14EBA4EDD9EBEB7A9EF44310F148169F81A972D2DB30AE05DB51

Function 00C8B880 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C8B92A
GetLastError.KERNEL32(?,00000000), ref: 00C8B950
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C8B975
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C8B9A1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f2a93f90386ea20d5cf48cc470608c6940025a88ac3ea55640185524eb306edf
Instruction ID: f49762ef773150a295a4afc5c4dceae00f4ff2470aa31358fddc5c921dcada27
Opcode Fuzzy Hash: f2a93f90386ea20d5cf48cc470608c6940025a88ac3ea55640185524eb306edf
Instruction Fuzzy Hash: CB413839600620DFCB10EF15D485A5DBBF1EF89324F098498E89A9B762CB31FD41EB95

Function 00CA8883 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA8910

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a9a8d29b726e7ea77c94ea1890e89490e5e588e89a0c95d1aa05735aadee1230
Instruction ID: ec6da1081547a0263fe3fe6238075d346920a01d3fffb949ccb4257ab5f8f984
Opcode Fuzzy Hash: a9a8d29b726e7ea77c94ea1890e89490e5e588e89a0c95d1aa05735aadee1230
Instruction Fuzzy Hash: 4E31F23060020ABFEF249E64CC89BBE7765EB07318F544115FA61E72E1CF349A889B42

Function 00CAAB69 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CAAB92
GetWindowRect.USER32(?,?), ref: 00CAAC08
PtInRect.USER32(?,?,00CAC07E), ref: 00CAAC18
MessageBeep.USER32(00000000), ref: 00CAAC89

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 460dfd440483778b478b201f3ae130b3b5c280f0b7ce5f1d282d2947096e85b0
Instruction ID: 277b4daeabb655e8608985b20c1bf49357c2f7ecaf2c0b00dd73f2b82d32cda4
Opcode Fuzzy Hash: 460dfd440483778b478b201f3ae130b3b5c280f0b7ce5f1d282d2947096e85b0
Instruction Fuzzy Hash: 95418D30640256DFEB21CF58C8C4B9D7BF5FB4A32CF1480A9E4258F261D732A945CB92

Function 00C80E07 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C80E58
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C80E74
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C80EDA
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C80F2C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: be68286aa48c8a0c8a95af6098c212363b813dc5cad3c9af50db2bd4b56f2dad
Instruction ID: 81d1e3aba16a3f60b190d7c89ea1d492f7bb0b0d99f2fc14bd4194b3c82f85c7
Opcode Fuzzy Hash: be68286aa48c8a0c8a95af6098c212363b813dc5cad3c9af50db2bd4b56f2dad
Instruction Fuzzy Hash: D4316830A40618AEFB70AA658C05BFF7BA9EB49318F38461EF4E0521D1C3758A499759

Function 00C80F42 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C80F97
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C80FB3
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C81012
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C81064

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a8f346beae4cc13a7a87e38d14ca8739691aec7eca168b25414c24fe09711cb1
Instruction ID: 9a08ca55600c454a6b6c9d06bd57850463e8f4537c1d44911ccfa88f234ab4f2
Opcode Fuzzy Hash: a8f346beae4cc13a7a87e38d14ca8739691aec7eca168b25414c24fe09711cb1
Instruction Fuzzy Hash: 4B315C30904298DEFF34AA658C04BFE7BEDAB45329F1C421AF8A1521D1C3744EC79769

Function 00C56345 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C5637B
__isleadbyte_l.LIBCMT ref: 00C563A9
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C563D7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C5640D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b84b11b587fd03b80972eea086d670b17eeaec8715d8941674870e259aa1b7ed
Instruction ID: da569c0e59131cdba7d158f3ab06277efac8e997e3d80bd1d97606899e431137
Opcode Fuzzy Hash: b84b11b587fd03b80972eea086d670b17eeaec8715d8941674870e259aa1b7ed
Instruction Fuzzy Hash: E431C135600286EFDB21CF65C844BAE7BA5FF41322F554129EC24871A0E730DD98EB94

Function 00CA4F57 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CA4F6B

Part of subcall function 00C83685: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8369F
Part of subcall function 00C83685: GetCurrentThreadId.KERNEL32 ref: 00C836A6
Part of subcall function 00C83685: AttachThreadInput.USER32(00000000,?,00C850AC), ref: 00C836AD

GetCaretPos.USER32(?), ref: 00CA4F7C
ClientToScreen.USER32(00000000,?), ref: 00CA4FB7
GetForegroundWindow.USER32 ref: 00CA4FBD

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f719f293c9a4e3e0ca706a2a112ce0f80f333096b4d746864a6c966b042b921c
Instruction ID: 03d50658b6f8496b464c41bd03440dec92abccc8aedd53cf23df73891ce260a1
Opcode Fuzzy Hash: f719f293c9a4e3e0ca706a2a112ce0f80f333096b4d746864a6c966b042b921c
Instruction Fuzzy Hash: 01313E71D00218AFDB00EFA5D885AEFB7F9EF89304F10406AE515E7241EA759E41DBA1

Function 00C83C99 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C83CBE
Process32FirstW.KERNEL32(00000000,?), ref: 00C83CCC
Process32NextW.KERNEL32(00000000,?), ref: 00C83CEC
CloseHandle.KERNEL32(00000000), ref: 00C83D96

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 360bd4af1733486df064d25c883fc97ef846292c6e7cc1f10a7ea1178a8439f8
Instruction ID: 1d9eb06210f287c1d39ab2e3fd7ad2ccc8b444d38bc847ee543dca3bde54921d
Opcode Fuzzy Hash: 360bd4af1733486df064d25c883fc97ef846292c6e7cc1f10a7ea1178a8439f8
Instruction Fuzzy Hash: 4D31B4711083419FD300EF50D8C5BAFBBE8EF95748F14092EF591871A1EB709A49DB92

Function 00CAC502 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetCursorPos.USER32(?), ref: 00CAC53C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C5BB2B,?,?,?,?,?), ref: 00CAC551
GetCursorPos.USER32(?), ref: 00CAC59E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C5BB2B,?,?,?), ref: 00CAC5D8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2f371a6ffa74e5c147f150bbea52013c81b81ddfa2f2548ff0b9f8396f3ff5f1
Instruction ID: 9697ff1826ab5441e05e6fcdc3ec9aac374588a51acfd9b4a22807c3aceb9b67
Opcode Fuzzy Hash: 2f371a6ffa74e5c147f150bbea52013c81b81ddfa2f2548ff0b9f8396f3ff5f1
Instruction Fuzzy Hash: 87315536900418EFCB25CF95C898FAE7BF5EB4A314F444069F9158B261D731AE51EBA0

Function 00C7897E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C78449
Part of subcall function 00C78432: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C78453
Part of subcall function 00C78432: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78462
Part of subcall function 00C78432: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78469
Part of subcall function 00C78432: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7847F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C789CB
_memcmp.LIBCMT ref: 00C789EE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C78A24
HeapFree.KERNEL32(00000000), ref: 00C78A2B

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8386e444bd89dc6018327db9508fb0837fd77199f823071200fee3553cbe07b5
Instruction ID: e5eba83baf947ecaaecdb2d2554a362b15178d6e1930e38a91ca4d0c85f3423c
Opcode Fuzzy Hash: 8386e444bd89dc6018327db9508fb0837fd77199f823071200fee3553cbe07b5
Instruction Fuzzy Hash: 70219071E80109EFDB10DFA4C949BEEB7B8FF44355F158059EA68A7240DB30AA09DF51

Function 00C40B0C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C40B2E

Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C8793F,?,?,00000000), ref: 00C25B8C
Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C8793F,?,?,00000000,?,?), ref: 00C25BB0

_fprintf.LIBCMT ref: 00C40B65
OutputDebugStringW.KERNEL32(?), ref: 00C76111

Part of subcall function 00C44C1A: _flsall.LIBCMT ref: 00C44C33

__setmode.LIBCMT ref: 00C40B9A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 81d692cf7f9f3a169c7e8f09359701386d9acb0ba30d9499c95b35f9ab7c6016
Instruction ID: 1fb1f6879016f5e958ab0596d733231ae7ebe3cdf92e4688aaa59b66670dee5e
Opcode Fuzzy Hash: 81d692cf7f9f3a169c7e8f09359701386d9acb0ba30d9499c95b35f9ab7c6016
Instruction Fuzzy Hash: AE113A329046147FDB08B7B4AC43ABE7B6DFF41324F344119F218971C2DE3149456799

Function 00C9187D Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C918B9

Part of subcall function 00C91943: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C91962
Part of subcall function 00C91943: InternetCloseHandle.WININET(00000000), ref: 00C919FF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: d449f0ec165e697f0e93f4dca93d2653f42cedb386fbfab1416ea1cb8122c4d5
Instruction ID: feb9ec0428a5ff8b2c8b51b1160b6c9705ceab53ebfa64300480055d499a3563
Opcode Fuzzy Hash: d449f0ec165e697f0e93f4dca93d2653f42cedb386fbfab1416ea1cb8122c4d5
Instruction Fuzzy Hash: F1210135200606BFEF119F608C1AF7AB7A9FF49700F09402AFE51D6690CB31D912A790

Function 00C83A6E Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CAFAC0), ref: 00C83AA8
GetLastError.KERNEL32 ref: 00C83AB7
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C83AC6
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CAFAC0), ref: 00C83B23

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: fa80955f48726eaceead4445a2dac8e672e86ecd0aa71387a6558c3c612e7b9e
Instruction ID: 22414eb41f7cb601a03d4a897bde925ff6537ce4f0387da40e09be7568014f91
Opcode Fuzzy Hash: fa80955f48726eaceead4445a2dac8e672e86ecd0aa71387a6558c3c612e7b9e
Instruction Fuzzy Hash: 1621E7705093518F8710EF64D8809AFB7E4EE06B18F144A2DF4A9C72A1D730DF06DB86

Function 00C55262 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C55281

Part of subcall function 00C4588C: __FF_MSGBANNER.LIBCMT ref: 00C458A3
Part of subcall function 00C4588C: __NMSG_WRITE.LIBCMT ref: 00C458AA
Part of subcall function 00C4588C: RtlAllocateHeap.NTDLL(01520000,00000000,00000001,00000000,?,?,?,00C40F53,?), ref: 00C458CF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: db5fc1c3ceafc88d91cb53c4b2841167f0021f05957204cd83a8a07a5ddadec0
Instruction ID: 6b6c4be819aeecb12bbfdae36d935b54b23a5b23f94f09be459ab56de5f60300
Opcode Fuzzy Hash: db5fc1c3ceafc88d91cb53c4b2841167f0021f05957204cd83a8a07a5ddadec0
Instruction Fuzzy Hash: EA110636902A15AFCF203FB0AC5575E3B98BF013A2F204529FD549B161DF348EC9A799

Function 00C24531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C24560

Part of subcall function 00C2410D: _memset.LIBCMT ref: 00C2418D
Part of subcall function 00C2410D: _wcscpy.LIBCMT ref: 00C241E1
Part of subcall function 00C2410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C241F1

KillTimer.USER32(?,00000001,?,?), ref: 00C245B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C245C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C5D5FE

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: bafbcae6909b64769157f9c3288de0ca2ca2f20127555e9d7c847aba8eaf079a
Instruction ID: 9023e5465d952607cf7eee29818c5fe8e5ec51b25ff8c19a4f4f54946f48fc1b
Opcode Fuzzy Hash: bafbcae6909b64769157f9c3288de0ca2ca2f20127555e9d7c847aba8eaf079a
Instruction Fuzzy Hash: 112129B49047949FEB328B24D845BEBBBEC9F0130DF04009EE6DA57241D7B41AC9CB51

Function 00C9647F Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C8793F,?,?,00000000), ref: 00C25B8C
Part of subcall function 00C25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C8793F,?,?,00000000,?,?), ref: 00C25BB0

gethostbyname.WSOCK32(?,?,?), ref: 00C964AF
WSAGetLastError.WSOCK32(00000000), ref: 00C964BA
_memmove.LIBCMT ref: 00C964E7
inet_ntoa.WSOCK32(?), ref: 00C964F2

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: abc5ae500e3b26e07048c2e307629e4d78b5d9b6c6d6ca2baf61f8e4aee4a69a
Instruction ID: b9bad380e1c0fcc2815aba14aed470edbc99b2de9347a760a88993595cadb1db
Opcode Fuzzy Hash: abc5ae500e3b26e07048c2e307629e4d78b5d9b6c6d6ca2baf61f8e4aee4a69a
Instruction Fuzzy Hash: 76112E31900119AFCF04FBE4ED86DAEB7B8EF05310B144069F506A75A1DF31AE14EB61

Function 00C78E03 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C78E23
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C78E35
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C78E4B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C78E66

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e79d3da5afb41a07201350371dc36b6c3ac7ee767e651a619e9dd4bfddc58c1
Instruction ID: 43752be102de255be63d37c5e57a142c5744760d0ae1dc0d09b891a9bd983a28
Opcode Fuzzy Hash: 0e79d3da5afb41a07201350371dc36b6c3ac7ee767e651a619e9dd4bfddc58c1
Instruction Fuzzy Hash: BB113679940218BFEB10DFA5C884E9DBBB8FB08710F204095EA04B7290DB716E10DB90

Function 00C21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,00000020,?), ref: 00C212D8
GetClientRect.USER32(?,?), ref: 00C5B77B
GetCursorPos.USER32(?), ref: 00C5B785
ScreenToClient.USER32(?,?), ref: 00C5B790

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 517fb278f104bad1fe833c02e29ffb3f4f2edd31b2c1c9d1f6ec65568b09a39f
Instruction ID: 2166a9d35bf7ceb887c0a633dce29f2b769c8fe076666a5e0e0e2030fd2906cf
Opcode Fuzzy Hash: 517fb278f104bad1fe833c02e29ffb3f4f2edd31b2c1c9d1f6ec65568b09a39f
Instruction Fuzzy Hash: 1E118C35A00129FFCB10DFA8E885AFE77B8FB16304F000455F901E7640C730BA529BA5

Function 00C81473 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C8001E,?,00C81071,?,00008000), ref: 00C81490
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C8001E,?,00C81071,?,00008000), ref: 00C814B5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C8001E,?,00C81071,?,00008000), ref: 00C814BF
Sleep.KERNEL32(?,?,?,?,?,?,?,00C8001E,?,00C81071,?,00008000), ref: 00C814F2

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6bf91a6a716272cfc0f41a78d20b98be4d6f4cc3fa15fbeb22d6e945ecd63bc7
Instruction ID: 7b1d3972bd33a3d603ade8f5a62885e77672074377f059d086b9b888250a2556
Opcode Fuzzy Hash: 6bf91a6a716272cfc0f41a78d20b98be4d6f4cc3fa15fbeb22d6e945ecd63bc7
Instruction Fuzzy Hash: AE112A31C00529DBCF00AFE5D948BEEBBB8FF49715F054159EE81B6240CB3096928B99

Function 00C7DB40 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C7DB5C
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C7DB73
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C7DB88
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C7DBA6

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 30f3723174ec0f8e235cf51c279653d2ce4d082ea8bc141bbd4219dce57660d1
Instruction ID: 2c5e1a6492be1e9c3ca9d11f6b98ac81667cc231a08e719dd511bf8ae34b6afc
Opcode Fuzzy Hash: 30f3723174ec0f8e235cf51c279653d2ce4d082ea8bc141bbd4219dce57660d1
Instruction Fuzzy Hash: 96118BB5205304EBE3208F51EC49F9ABBBCEF04B00F1085ADA65AC7040D7B0E9549BA1

Function 00C57137 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C5715B

Part of subcall function 00C57842: __fltout2.LIBCMT ref: 00C5786B

__cftog_l.LIBCMT ref: 00C57181
__cftoe_l.LIBCMT ref: 00C571B3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d1458930f25c13d32e5e1e6cf9067fa76a770d72a29b10c5adc8db632786ec13
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 33016D3A04854ABBCF125E84EC058EE3F26BB18346B488615FE2858130C636CAF5AB85

Function 00CAB2F9 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CAB318
ScreenToClient.USER32(?,?), ref: 00CAB330
ScreenToClient.USER32(?,?), ref: 00CAB354
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAB36F

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f975d182e6bb41f766340ae09c2ed55b482c001a2586be4905e157aaba85dafb
Instruction ID: b906f69d26bab8227a1c4b595c71b50138dbeb9d40bd179187131904432322f5
Opcode Fuzzy Hash: f975d182e6bb41f766340ae09c2ed55b482c001a2586be4905e157aaba85dafb
Instruction Fuzzy Hash: 6D114675D00209EFDB41CF98C484AEEBBB5FB09314F104166E914E3220D735AA558F90

Function 00CAB669 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAB678
_memset.LIBCMT ref: 00CAB687
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CE6F20,00CE6F64), ref: 00CAB6B6
CloseHandle.KERNEL32 ref: 00CAB6C8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 91a585f84da8791703729c39cdeee570839a5c68580e695b3d50d5f36de8a239
Instruction ID: 698abe5f73dfd56c0bcf686fa09da064a5dd88e50ebd97431973bf23b2770dd5
Opcode Fuzzy Hash: 91a585f84da8791703729c39cdeee570839a5c68580e695b3d50d5f36de8a239
Instruction Fuzzy Hash: 3DF082F2650354BEFB1027E1BC46FBF3A5CEB19394F404024BA08DA1A2D7715C0187A8

Function 00C86C83 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C86C8F

Part of subcall function 00C8776D: _memset.LIBCMT ref: 00C877A2

_memmove.LIBCMT ref: 00C86CB2
_memset.LIBCMT ref: 00C86CBF
LeaveCriticalSection.KERNEL32(?), ref: 00C86CCF

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 79578b5164d830ea123c1fea88be1c9e84b33b63fc37b50c4a02e47eb6c7a2c2
Instruction ID: af048946e68c3c89aa3735e3d94ef540acd7d6980e675a9e487867e643cfdda2
Opcode Fuzzy Hash: 79578b5164d830ea123c1fea88be1c9e84b33b63fc37b50c4a02e47eb6c7a2c2
Instruction Fuzzy Hash: 83F03A3A204104ABCF416F95DC85F8ABB2AFF45324B548065FE085F22BC731A816DBB4

Function 00CABD86 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C2134D
Part of subcall function 00C212F3: SelectObject.GDI32(?,00000000), ref: 00C2135C
Part of subcall function 00C212F3: BeginPath.GDI32(?), ref: 00C21373
Part of subcall function 00C212F3: SelectObject.GDI32(?,00000000), ref: 00C2139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CABDAA
LineTo.GDI32(00000000,?,?), ref: 00CABDB7
EndPath.GDI32(00000000), ref: 00CABDC7
StrokePath.GDI32(00000000), ref: 00CABDD5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 10f93d8f814108d2e6201d98a67e383209a93d3a50926f1b2877d79c1d3f66a3
Instruction ID: 31cb384c2f6d0f3193e0286c6b57b4efe5c40f295f6b06a72806c760625dc4d4
Opcode Fuzzy Hash: 10f93d8f814108d2e6201d98a67e383209a93d3a50926f1b2877d79c1d3f66a3
Instruction Fuzzy Hash: BDF05E31041659BADB226F94AC09FCE3F59AF06318F084004FA11660E2C7B85652DFA5

Function 00C7A15C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C7A179
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7A18C
GetCurrentThreadId.KERNEL32 ref: 00C7A193
AttachThreadInput.USER32(00000000), ref: 00C7A19A

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b546533aba8a7e8870c2cc91ae1a22e3fac9ba3554c3d2948db1cfed433c65b4
Instruction ID: 9aab247d6e0deb10b5bba49562f69ac42d0a9cbcc5644a503e0f0269c943d357
Opcode Fuzzy Hash: b546533aba8a7e8870c2cc91ae1a22e3fac9ba3554c3d2948db1cfed433c65b4
Instruction Fuzzy Hash: C6E0C931545228FBEB205BA2DC0DFDF7F5CEF267A5F408029F60996060C6718541CBA1

Function 00C22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C22231
SetTextColor.GDI32(?,000000FF), ref: 00C2223B
SetBkMode.GDI32(?,00000001), ref: 00C22250
GetStockObject.GDI32(00000005), ref: 00C22258
GetWindowDC.USER32(?,00000000), ref: 00C5C003
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C5C010
GetPixel.GDI32(00000000,?,00000000), ref: 00C5C029
GetPixel.GDI32(00000000,00000000,?), ref: 00C5C042
GetPixel.GDI32(00000000,?,?), ref: 00C5C062
ReleaseDC.USER32(?,00000000), ref: 00C5C06D

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d4f8a9e2c69798aa154204ca836e66954f23d8e1d90734c51d11bbe48a2208b3
Instruction ID: 52f91312cf217003757d2803f24b6d139176f00e66fbe8d8f8ee0968fa04a667
Opcode Fuzzy Hash: d4f8a9e2c69798aa154204ca836e66954f23d8e1d90734c51d11bbe48a2208b3
Instruction Fuzzy Hash: 2EE03932504244EAEB215FA4FC4D7DC3B20EB5633AF10836AFA79480E187724A95DB22

Function 00C78A3A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C78A43
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C7860E), ref: 00C78A4A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C7860E), ref: 00C78A57
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C7860E), ref: 00C78A5E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 72e5223b00115bad9ead2e7498a19408ab19f365757397d43f03b0e4d9fae849
Instruction ID: 3e6dfe9da684dca6207e7a4185f0ba1142e709c8212fb75a3dbea15866f80157
Opcode Fuzzy Hash: 72e5223b00115bad9ead2e7498a19408ab19f365757397d43f03b0e4d9fae849
Instruction Fuzzy Hash: A5E04F366412119FD7605FF16D0CB9A3BA8EF527A6F04882CA245CA054DA7495469750

Function 00C620B6 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C620B6
GetDC.USER32(00000000), ref: 00C620C0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C620E0
ReleaseDC.USER32(?), ref: 00C62101

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 66982bec3a5ad529be34016e731bb83644cb9d80d45794d232340327769801b0
Instruction ID: 067ca483f54d196558513ad92bc2b9396a73b0109c127cbfa0cf1013a89157fe
Opcode Fuzzy Hash: 66982bec3a5ad529be34016e731bb83644cb9d80d45794d232340327769801b0
Instruction Fuzzy Hash: 14E01A75800214EFCB219FA1D84879D7FF1EB4D315F108429F85A97260CB388142EF40

Function 00C620CA Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C620CA
GetDC.USER32(00000000), ref: 00C620D4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C620E0
ReleaseDC.USER32(?), ref: 00C62101

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 905278a428fb10b9ce0782070d95b0e7c50dec59ead2c08b5f82a0dcb97bee86
Instruction ID: 70f7a799fe15fabc3f3e59492d13a8f38b02690c7742de06e06ae3d3d4a3aafd
Opcode Fuzzy Hash: 905278a428fb10b9ce0782070d95b0e7c50dec59ead2c08b5f82a0dcb97bee86
Instruction Fuzzy Hash: 3CE012B5C00214EFCB219FB0D80879D7BF1EB4D315F108029F95AA7220CB389142AF40

Function 00C7B5B5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C7B780

Strings

AutoIt3GUI, xrefs: 00C7B6F8
Container, xrefs: 00C7B6FD

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: cd1880fdbc87321f52ad381208ecdb24ce7200c77a5cb48c8e168b7152f9a02b
Instruction ID: 6712a08cd80bdc722a836934ebb8d696a592b956ce121c221f5798c26d6f2ed9
Opcode Fuzzy Hash: cd1880fdbc87321f52ad381208ecdb24ce7200c77a5cb48c8e168b7152f9a02b
Instruction Fuzzy Hash: 95912971600601AFDB14DF64C884B6ABBE8FF49710F24856EF959CB691DB70ED41CB60

Function 00C8B038 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3FE06: _wcscpy.LIBCMT ref: 00C3FE29

Part of subcall function 00C29997: __itow.LIBCMT ref: 00C299C2
Part of subcall function 00C29997: __swprintf.LIBCMT ref: 00C29A0C

__wcsnicmp.LIBCMT ref: 00C8B0B9
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C8B182

Strings

LPT, xrefs: 00C8B0B3

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 1f3e2081797115826ef221cd4d66ec3949c433673983be1779626dd6775b18a0
Instruction ID: dc4feebd6dac33b862b4706353e7775e42f62950584442f23c111aff81e66dd7
Opcode Fuzzy Hash: 1f3e2081797115826ef221cd4d66ec3949c433673983be1779626dd6775b18a0
Instruction Fuzzy Hash: 4161A075A00215EFCB14EF98C895EAEB7B4EF08314F104069F956AB391DB70AE84DB94

Function 00C32AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C32AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C32AE1

Strings

@, xrefs: 00C32AD5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 1a562454ec81a5fb79b14ddf404f6ef9f2d63aa992f556a9c958ab8e679ade4f
Instruction ID: a51b6238848107fee737a38f7ae96976168940b1bb95d82d2f3b3fecf565af94
Opcode Fuzzy Hash: 1a562454ec81a5fb79b14ddf404f6ef9f2d63aa992f556a9c958ab8e679ade4f
Instruction Fuzzy Hash: B25146724187589BD320AF10EC86BAFBBE8FF88314F41885DF1D9811A5DB708529DB67

Function 00C897DD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C2506B: __fread_nolock.LIBCMT ref: 00C25089

_wcscmp.LIBCMT ref: 00C898CD
_wcscmp.LIBCMT ref: 00C898E0

Strings

FILE, xrefs: 00C89819

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 73248330e0cc5f1b0314874a129d7622f7232d841bab9b3b6581d37e8779b92b
Instruction ID: 6919cd1f78097ad293d7a025f7d26c0e2a5fb75755aafbc3d4165a45e9abdca6
Opcode Fuzzy Hash: 73248330e0cc5f1b0314874a129d7622f7232d841bab9b3b6581d37e8779b92b
Instruction Fuzzy Hash: 20412671A0061ABADF20AEA0DC85FEFB7BDEF49714F040469F904B71C0DA71AE0497A5

Function 00C926A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C926B4
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C926EA

Strings

|, xrefs: 00C926BB

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 31b380430fcf2ca28b35c7482c9932475c06756c886c134b53ec962a2b74ac18
Instruction ID: f0794563331bed015212ea6063670533da9e337c0e1c099ecee0882571932914
Opcode Fuzzy Hash: 31b380430fcf2ca28b35c7482c9932475c06756c886c134b53ec962a2b74ac18
Instruction Fuzzy Hash: DD311A71800219AFCF01DFA1DC89EEEBFB9FF08310F100169F814B6165EA315A56EB60

Function 00CA7AA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CA7B93
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA7BA8

Strings

', xrefs: 00CA7AFC

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 151c35ad49345c9db8821d07f1926155a8eae536658301f52440fd8b51066b18
Instruction ID: a8f584b72343da334524a004b55edfcabf551ab944e53ab8e56392380a03af42
Opcode Fuzzy Hash: 151c35ad49345c9db8821d07f1926155a8eae536658301f52440fd8b51066b18
Instruction Fuzzy Hash: 99412AB5A0530AAFDB14CF65D880BDEBBB5FB09304F10016AE914AB391D730AA41CFA0

Function 00CA6A95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CA6B49
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA6B85

Strings

static, xrefs: 00CA6AE5

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bc99be5fee895544a7d8c30c4f568a0f6bea2e2d5f449dbdf2f81f40b5801a2f
Instruction ID: 4e83b1fe8691c4a842f965aacc31e0350eebf3d202b51438e7f4fcb916e2e7de
Opcode Fuzzy Hash: bc99be5fee895544a7d8c30c4f568a0f6bea2e2d5f449dbdf2f81f40b5801a2f
Instruction Fuzzy Hash: D6319C71100605AAEB109F68DC81BFB73A9FF49728F148619F8A6D7190DB30AC81EB60

Function 00C82B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82C09
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C82C44

Strings

0, xrefs: 00C82C02

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 95210af3ca2d080f853016a09722862f97f4cbd134967365e37a92833d2ada2e
Instruction ID: b87f1d49ecc05bf246bba11133d386d2bfd4e0dbe8b2e27be29e179f62609947
Opcode Fuzzy Hash: 95210af3ca2d080f853016a09722862f97f4cbd134967365e37a92833d2ada2e
Instruction Fuzzy Hash: 0B31D7316002099FFB34EF58D989BBEBBB5FF05358F144019ED96961A0D770AB44DB14

Function 00C93AFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C93B7C

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Strings

, $, xrefs: 00C93BBC
AUTOITCALLVARIABLE%d, xrefs: 00C93B6E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 7ae2bf54194575649487f86078ecb32a6c8ac68ae414714de397490bb259ddb4
Instruction ID: 94ef94767273ea4f0e4a754e9f5067e390f4f1163bb9ac4695154b5ba0859b3e
Opcode Fuzzy Hash: 7ae2bf54194575649487f86078ecb32a6c8ac68ae414714de397490bb259ddb4
Instruction Fuzzy Hash: 98217135600229AFCF10EFA4DC86EAE77B4FF44700F4044A9F505AB281DB30EA59DBA1

Function 00CA6706 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA6793
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA679E

Strings

Combobox, xrefs: 00CA6760

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a8deb11a361afb48509a924e711e5585f0a500bf537b082dc42399ef1776cf6d
Instruction ID: 091e7e25dbb62c3abc7d3cba69bd28be74611be409aa820f188293a0e73f4cee
Opcode Fuzzy Hash: a8deb11a361afb48509a924e711e5585f0a500bf537b082dc42399ef1776cf6d
Instruction Fuzzy Hash: 1811B27561020A6FEF21DF24CC84EBB376AEB9A36CF144129F928D7290D6319D5197A0

Function 00CA6C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

GetWindowRect.USER32(00000000,?), ref: 00CA6CA3
GetSysColor.USER32(00000012), ref: 00CA6CBD

Strings

static, xrefs: 00CA6C80

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 843d62772c8a02788247c01434b0d82be1ce6a4aed51e1546f18b046bb8f2f7b
Instruction ID: 9257ae86e952de6446fe8b2e53e1d17c49ae8b49b042ab44e32e5ebe65c8c0bb
Opcode Fuzzy Hash: 843d62772c8a02788247c01434b0d82be1ce6a4aed51e1546f18b046bb8f2f7b
Instruction Fuzzy Hash: C6212972A1021AAFDB04DFB8DC45AFA7BA8EB09318F044629FD56D3250E635E861DB50

Function 00CA6952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CA69D4
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA69E3

Strings

edit, xrefs: 00CA69B8

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1191ca75a15f57ab702df3136f74e4d62837d6e0e5323abe34a36e286d9b0596
Instruction ID: c40476952a0337b089992b322bb259cf62dd5c992368329b73807f3baa188b0e
Opcode Fuzzy Hash: 1191ca75a15f57ab702df3136f74e4d62837d6e0e5323abe34a36e286d9b0596
Instruction Fuzzy Hash: 5E113D7150010AABEB119F74DC44AEB3769EB1636CF544728F9B5971E0C6319C519B60

Function 00C82CA7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82D1A
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C82D39

Strings

0, xrefs: 00C82D10

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: bb764113864b6fdb7f5dfb1d676a6c6386f58d82c1f81351bdce02a0eef3a016
Instruction ID: b82fbe61b4595349a9220a9309ed83597cb6694bdf55318b69a59fd982fec60e
Opcode Fuzzy Hash: bb764113864b6fdb7f5dfb1d676a6c6386f58d82c1f81351bdce02a0eef3a016
Instruction Fuzzy Hash: 12110871D01114ABDB20FF98DC88FAE7BB9AB05308F140126EC25AB2A0D770AF05D799

Function 00C922EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C92342
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C9236B

Strings

<local>, xrefs: 00C92333

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a302dbd3394b59692ae66a1aae49853f5dbec868ffc0ce3371dce4a4d86d9240
Instruction ID: 6c20810c5364a3b47199629225a85033cb3e9c42abc7562bb9178f84c2cc2fc6
Opcode Fuzzy Hash: a302dbd3394b59692ae66a1aae49853f5dbec868ffc0ce3371dce4a4d86d9240
Instruction Fuzzy Hash: BC11A070541625FADF248F528C8DFBBFB6CFF06755F10812AF99596120D2746A81C6F0

Function 00C790C7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AEC7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C79135

Strings

ListBox, xrefs: 00C790FF
ComboBox, xrefs: 00C790D4

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 46f223ae2f12b4788be94a7ca6b81cfe33d1635f58b23169488b450bb7d9e95e
Instruction ID: 3f5be143ac3eda8658ff9dd2858a98ed8631d616322bfecd3ef6be054b5579bc
Opcode Fuzzy Hash: 46f223ae2f12b4788be94a7ca6b81cfe33d1635f58b23169488b450bb7d9e95e
Instruction Fuzzy Hash: BA012431645229ABCF04FBA4CC969FE7369FF0A320B144719F836673D2EA355918A750

Function 00C88E3A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C88E55
__fread_nolock.LIBCMT ref: 00C88E6A

Strings

EA06, xrefs: 00C88E9C

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: b15e1041b755768a8da0dd32006f3275f4cb29a4b6a59a3fe11bbed7bdd45831
Instruction ID: 1744249bf7d92e7a23c65dc57c1643ee0cdded5601063a8d7e0c684b159c3d01
Opcode Fuzzy Hash: b15e1041b755768a8da0dd32006f3275f4cb29a4b6a59a3fe11bbed7bdd45831
Instruction Fuzzy Hash: 3D01F9718042187EDB28D6A8CC16EEE7BF89B01701F0045AAF552D2181E9B4A6089760

Function 00C78FBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AEC7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C7902D

Strings

ListBox, xrefs: 00C78FF7
ComboBox, xrefs: 00C78FCC

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5f7cb41b0f186ed1d40f0a4d0101f2409c2d50d137d8c00e0cd6c84ec93c5e36
Instruction ID: 9f9d27ad983d4d4fdedfeb3487710234aad16b3445346974c1159831f37f105f
Opcode Fuzzy Hash: 5f7cb41b0f186ed1d40f0a4d0101f2409c2d50d137d8c00e0cd6c84ec93c5e36
Instruction Fuzzy Hash: A801F771A45118ABCF14E7A0CD96EFF73A8DF05300F14412AB916772C1DE355F18A271

Function 00C79044 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27F41: _memmove.LIBCMT ref: 00C27F82

Part of subcall function 00C7AEA4: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AEC7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C790B0

Strings

ListBox, xrefs: 00C7907C
ComboBox, xrefs: 00C79051

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 537695dbb7599fe48897c0407823e84c72abab0b7bdcdd6c55e2ba5a1fd0d164
Instruction ID: 18d5b225f98f1c0267e35f49adf4cdb8fc6917d479d48f7f9c07c219b9db5e7d
Opcode Fuzzy Hash: 537695dbb7599fe48897c0407823e84c72abab0b7bdcdd6c55e2ba5a1fd0d164
Instruction Fuzzy Hash: BE01A271A45118ABCF00E6A4CD96AFFB7A8DF06300F144126791673282DA365F18A2B2

Function 00C84FCF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C84FED
_wcscmp.LIBCMT ref: 00C84FFF

Strings

#32770, xrefs: 00C84FF9

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 1a6198fd20aba275452b647d6dc80e86ccb583f25b863910d1b75c656515bda2
Instruction ID: 3ea61e8b7e3198634b9ba6160b891bf2222791b0ac43e54cda0e0992f3c71794
Opcode Fuzzy Hash: 1a6198fd20aba275452b647d6dc80e86ccb583f25b863910d1b75c656515bda2
Instruction Fuzzy Hash: 33E068336002292BE720AB99AC09FABF7ACFB41770F00002BFD00D3150EAB09A0587E0

Function 00C5B441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B494: _memset.LIBCMT ref: 00C5B4A1

Part of subcall function 00C40AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C5B470,?,?,?,00C2100A), ref: 00C40AC5

IsDebuggerPresent.KERNEL32(?,?,?,00C2100A), ref: 00C5B474
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C2100A), ref: 00C5B483

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C5B47E

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 73be8adbf46cde640ca488a8e1c8ebccc9efd7b53e7346d0f5af53c8c088b7c9
Instruction ID: ffbde55d3e0bdfcf581263ac64be1a7c0a8f42af6c94eec54d912ee8ff77c739
Opcode Fuzzy Hash: 73be8adbf46cde640ca488a8e1c8ebccc9efd7b53e7346d0f5af53c8c088b7c9
Instruction Fuzzy Hash: C8E012B42007518FD730DF64E404B4A7BE4AF0470AF158A6DE896C7752EBF4D889CBA5

Function 00C61C8E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C61ACE

Part of subcall function 00C9C104: LoadLibraryA.KERNEL32(kernel32.dll,?,00C61CB7,?), ref: 00C9C112
Part of subcall function 00C9C104: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C9C124

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C61CC6

Strings

WIN_XPe, xrefs: 00C61AE1

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 928178fdb0cc0cc750bb4600ba4baa133e91a3af5b77ee81331993c96abfc808
Instruction ID: 5369060856c28a76bd3f8fa7ed45e432a53fd98ef0e3461819ebc3e7fa934b95
Opcode Fuzzy Hash: 928178fdb0cc0cc750bb4600ba4baa133e91a3af5b77ee81331993c96abfc808
Instruction Fuzzy Hash: 1AF0C970812119DFCB25DBD2C9C8BECBBF8AB08305F180095E502A64A2C7754F45EF24

Function 00C8998C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C899A1
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C899B8

Strings

aut, xrefs: 00C899B2

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2d2fd8a41b0ca48b5c38ed2e989dea544981c2647d2adaa5aa8804555db01561
Instruction ID: c9a958ce785d05f38ae918ecbbd72df8f1a446ee83ed5d781cc0501cf0c69b52
Opcode Fuzzy Hash: 2d2fd8a41b0ca48b5c38ed2e989dea544981c2647d2adaa5aa8804555db01561
Instruction Fuzzy Hash: 47D05E7954030DABDB50ABE0DC0EFDA773CE704705F0003B1BB94921A1EAB095998B91

Function 00CA59CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA59D7
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA59EA

Part of subcall function 00C852EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85363

Strings

Shell_TrayWnd, xrefs: 00CA59D0

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 19f1a4bb84aa6f8c680d0d3233dae132e73b2b1693c16a6f16b20611442f7234
Instruction ID: 05626de9d69df2f369b3f7a447488d7577ef79cde34b35e77fd0b5a7398b5560
Opcode Fuzzy Hash: 19f1a4bb84aa6f8c680d0d3233dae132e73b2b1693c16a6f16b20611442f7234
Instruction Fuzzy Hash: 3BD0C931784311B6E664BBB0AC4BF9A6A64AB01B54F00083AB355AB1D1D9F0A8018654

Function 00CA5A01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA5A17
PostMessageW.USER32(00000000), ref: 00CA5A1E

Part of subcall function 00C852EB: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85363

Strings

Shell_TrayWnd, xrefs: 00CA5A10

Memory Dump Source

Source File: 00000000.00000002.1763142670.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.1763117646.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763239852.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1763255894.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_01_extracted.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 13767a6f2eabef4f8e051e281821f473139acb6049c96615ef339c7333faed57
Instruction ID: 535ad6e1ec1a588334cc7e6977dab7611b98d138515483b3ceb8b88a3e7139ed
Opcode Fuzzy Hash: 13767a6f2eabef4f8e051e281821f473139acb6049c96615ef339c7333faed57
Instruction Fuzzy Hash: 51D0C9317843117AE664BBB0AC4BF9A6664AB05B54F00083AB355AB1D1D9F0A8018658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 01_extracted.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_01_extracted.exe_82751c43976783803cb27442748f3d308a5a22_13b12cd7_f8022c4e-ad0c-49a2-a959-75bd881bc8f0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER35AF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36E9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3709.tmp.xml

C:\Users\user\AppData\Local\Temp\indivisibility

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
01_extracted.exe

Function 00C23B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00C24AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00C24FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C23023 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Function 00C23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00C271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C23A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00C23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C23778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00C239E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00C2410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00C269CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Function 00C235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Function 00C89604 Relevance: 6.2, APIs: 4, Instructions: 155
COMMON

Function 00C273E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON