Edit tour

Windows Analysis Report
Arba Outstanding Statement.exe

Overview

General Information

Sample name:	Arba Outstanding Statement.exe
Analysis ID:	1428409
MD5:	de2adabbce0147d01ae2fc5d80e9efbd
SHA1:	5c499b18b0a6059a8266c14c2a7db79ef1511637
SHA256:	c6a9cf5bccffab4f117d72117c58d725d779ed907d449426eb93a86956d33947
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Arba Outstanding Statement.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\Arba Outstanding Statement.exe" MD5: DE2ADABBCE0147D01AE2FC5D80E9EFBD)

RegSvcs.exe (PID: 3620 cmdline: "C:\Users\user\Desktop\Arba Outstanding Statement.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverhar244@kino2.top", "Password": "         CJ@#Uy=?84oo               "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 25 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 25 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x405c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40635:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x406bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40751:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x407bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4082d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x408c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40953:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f6db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f74d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f7d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f869:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f8d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f945:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f9db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fa6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3620	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Arba Outstanding Statement.exe.d90000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.Arba Outstanding Statement.exe.d90000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 25 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 25 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.4203190.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4203190.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.4203190.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4203190.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d8db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d94d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d9d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3da69:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dad3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3db45:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dbdb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dc6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.4203190.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4203190.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.4203190.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4203190.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f6db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f74d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f7d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f869:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f8d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f945:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f9db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fa6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.41b5570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.41b5570.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.41b5570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.41b5570.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e7c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e835:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e8bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e951:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e9bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ea2d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eac3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3eb53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.55f0000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.55f0000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.55f0000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.55f0000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x405c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40635:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x406bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40751:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x407bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4082d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x408c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40953:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 25 88 44 24 2B 88 44 24 2F B0 8E 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.55f0ee8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.55f0ee8.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.55f0ee8.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.55f0ee8.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f6db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f74d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f7d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f869:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f8d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f945:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f9db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fa6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x405c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40635:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x406bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40751:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x407bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4082d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x408c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40953:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d1f0c6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d1f0c6.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d1f0c6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d1f0c6.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e7c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e835:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e8bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e951:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e9bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ea2d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eac3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3eb53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.41b6458.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.41b6458.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.41b6458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.41b6458.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d8db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d94d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d9d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3da69:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dad3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3db45:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dbdb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dc6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5530000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5530000.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5530000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5530000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f6db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f74d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f7d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f869:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f8d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f945:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f9db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fa6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.55f0ee8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.55f0ee8.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.55f0ee8.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.55f0ee8.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d8db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d94d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d9d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3da69:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dad3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3db45:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dbdb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dc6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.5530000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.5530000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5530000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5530000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d8db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d94d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d9d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3da69:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dad3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3db45:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dbdb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dc6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.55f0000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.55f0000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.55f0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.55f0000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e7c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e835:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e8bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e951:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e9bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3ea2d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eac3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3eb53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d1ffae.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d1ffae.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d1ffae.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d1ffae.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d8db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d94d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d9d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3da69:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dad3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3db45:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dbdb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dc6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.2d1ffae.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2d1ffae.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.2d1ffae.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2d1ffae.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f6db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f74d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f7d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f869:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f8d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f945:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f9db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fa6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.41b5570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.41b5570.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.41b5570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.41b5570.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x405c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8d2fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40635:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8d36d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x406bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8d3f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40751:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d489:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x407bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d4f3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x4082d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d565:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x408c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d5fb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40953:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d68b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.41b6458.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.41b6458.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.41b6458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.41b6458.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f6db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c413:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f74d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c485:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f7d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c50f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f869:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c5a1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f8d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c60b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f945:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c67d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f9db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c713:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fa6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8c7a3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.244.151.84, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3620, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.kino2.top", "Username": "serverhar244@kino2.top", "Password": " CJ@#Uy=?84oo "}

Multi AV Scanner detection for submitted file

Source: Arba Outstanding Statement.exe

ReversingLabs: Detection: 47%

Machine Learning detection for sample

Source: Arba Outstanding Statement.exe

Joe Sandbox ML: detected

Source: Arba Outstanding Statement.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49710 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arba Outstanding Statement.exe, 00000001.00000003.2119593078.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Arba Outstanding Statement.exe, 00000001.00000003.2119061427.0000000003610000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arba Outstanding Statement.exe, 00000001.00000003.2119593078.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Arba Outstanding Statement.exe, 00000001.00000003.2119061427.0000000003610000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00094696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00094696
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009C93C FindFirstFileW,FindClose,	1_2_0009C93C
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0009C9C7
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0009F200
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0009F35D
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0009F65E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00093A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00093A2B
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00093D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00093D4E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0009BF27

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 185.244.151.84:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 185.244.151.84 185.244.151.84
Source: Joe Sandbox View	IP Address: 185.244.151.84 185.244.151.84

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 185.244.151.84:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000A25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_000A25E2

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: RegSvcs.exe, 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370861371.0000000005808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.3370861371.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.3370861371.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificat
Source: RegSvcs.exe, 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370861371.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kino2.top
Source: RegSvcs.exe, 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.kino2.top
Source: RegSvcs.exe, 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370861371.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370861371.0000000005808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000002.00000002.3370861371.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS
Source: RegSvcs.exe, 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370861371.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, abAX9N.cs

.Net Code: jwJT

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000A425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_000A425A

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000A4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_000A4458

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

1_2_000A425A

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00090219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00090219

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000BCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_000BCDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.Arba Outstanding Statement.exe.d90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00033B4C
Source: Arba Outstanding Statement.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Arba Outstanding Statement.exe, 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cd4491d6-6
Source: Arba Outstanding Statement.exe, 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_17337198-5
Source: Arba Outstanding Statement.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0b9b2cfa-c
Source: Arba Outstanding Statement.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_eb50e848-1

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00094021: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00094021

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00088858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00088858

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_0009545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_0009545F

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0003E800	1_2_0003E800
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005DBB5	1_2_0005DBB5
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000B804A	1_2_000B804A
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0003E060	1_2_0003E060
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00044140	1_2_00044140
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00052405	1_2_00052405
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00066522	1_2_00066522
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000B0665	1_2_000B0665
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0006267E	1_2_0006267E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005283A	1_2_0005283A
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00046843	1_2_00046843
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000689DF	1_2_000689DF
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00048A0E	1_2_00048A0E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00066A94	1_2_00066A94
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000B0AE2	1_2_000B0AE2
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0008EB07	1_2_0008EB07
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00098B13	1_2_00098B13
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005CD61	1_2_0005CD61
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00067006	1_2_00067006
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0004710E	1_2_0004710E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00043190	1_2_00043190
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00031287	1_2_00031287
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000533C7	1_2_000533C7
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005F419	1_2_0005F419
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00045680	1_2_00045680
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000516C4	1_2_000516C4
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000458C0	1_2_000458C0
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000578D3	1_2_000578D3
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00051BB8	1_2_00051BB8
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00069D05	1_2_00069D05
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0003FE40	1_2_0003FE40
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00051FD0	1_2_00051FD0
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005BFE6	1_2_0005BFE6
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00D43640	1_2_00D43640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EAD0B0	2_2_02EAD0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EAD980	2_2_02EAD980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EACD68	2_2_02EACD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EA0FD0	2_2_02EA0FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EA1030	2_2_02EA1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AA5230	2_2_06AA5230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AAA0E9	2_2_06AAA0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AA0040	2_2_06AA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AA61C8	2_2_06AA61C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06AA1138	2_2_06AA1138

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: String function: 00037F41 appears 35 times
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: String function: 00050D27 appears 70 times
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: String function: 00058B40 appears 42 times

Source: Arba Outstanding Statement.exe, 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename0b240910-cc22-4c65-b7a6-64c655621ebf.exe4 vs Arba Outstanding Statement.exe
Source: Arba Outstanding Statement.exe, 00000001.00000003.2119593078.00000000038DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arba Outstanding Statement.exe
Source: Arba Outstanding Statement.exe, 00000001.00000003.2118651721.0000000003733000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arba Outstanding Statement.exe

Source: Arba Outstanding Statement.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.Arba Outstanding Statement.exe.d90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_0009A2D5 GetLastError,FormatMessageW,

1_2_0009A2D5

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00088713 AdjustTokenPrivileges,CloseHandle,		1_2_00088713
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00088CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00088CC3

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_0009B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0009B59E

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000AF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_000AF121

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_0009C602 CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0009C602

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00034FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00034FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

File created: C:\Users\user\AppData\Local\Temp\aut8131.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Command line argument: pb

1_2_0003492E

Source: Arba Outstanding Statement.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Arba Outstanding Statement.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\Arba Outstanding Statement.exe "C:\Users\user\Desktop\Arba Outstanding Statement.exe"
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Arba Outstanding Statement.exe"
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Arba Outstanding Statement.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Arba Outstanding Statement.exe

Static file information: File size 1219584 > 1048576

Source: Arba Outstanding Statement.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Arba Outstanding Statement.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Arba Outstanding Statement.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Arba Outstanding Statement.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Arba Outstanding Statement.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Arba Outstanding Statement.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Arba Outstanding Statement.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arba Outstanding Statement.exe, 00000001.00000003.2119593078.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Arba Outstanding Statement.exe, 00000001.00000003.2119061427.0000000003610000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arba Outstanding Statement.exe, 00000001.00000003.2119593078.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Arba Outstanding Statement.exe, 00000001.00000003.2119061427.0000000003610000.00000004.00001000.00020000.00000000.sdmp

Source: Arba Outstanding Statement.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Arba Outstanding Statement.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Arba Outstanding Statement.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Arba Outstanding Statement.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Arba Outstanding Statement.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000AC304 LoadLibraryA,GetProcAddress,

1_2_000AC304

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0003C590 push eax; retn 0003h	1_2_0003C599
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00058B85 push ecx; ret	1_2_00058B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02EA435D push esp; iretd	2_2_02EA4361

Source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'kkNNiLRG5sTlc', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'kkNNiLRG5sTlc', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'kkNNiLRG5sTlc', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'kkNNiLRG5sTlc', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'kkNNiLRG5sTlc', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00034A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00034A35
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000B55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_000B55FD

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000533C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_000533C7

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6164			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1914			Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-99988

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00094696 GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00094696
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009C93C FindFirstFileW,FindClose,	1_2_0009C93C
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0009C9C7
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0009F200
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0009F35D
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0009F65E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00093A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00093A2B
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00093D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00093D4E
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0009BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0009BF27

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00034AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00034AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98342	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95717	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3370861371.00000000057EE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	API call chain: ExitProcess graph end node	graph_1-98246
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	API call chain: ExitProcess graph end node	graph_1-99134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000A41FD BlockInput,

1_2_000A41FD

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00033B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00033B4C

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00065CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00065CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000AC304 LoadLibraryA,GetProcAddress,

1_2_000AC304

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00D434D0 mov eax, dword ptr fs:[00000030h]	1_2_00D434D0
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00D43530 mov eax, dword ptr fs:[00000030h]	1_2_00D43530
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_00D41ED0 mov eax, dword ptr fs:[00000030h]	1_2_00D41ED0

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_000881F7

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005A364 SetUnhandledExceptionFilter,	1_2_0005A364
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_0005A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0005A395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DDD008

Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00088C93 LogonUserW,

1_2_00088C93

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00033B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00033B4C

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00034A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_00034A35

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00094EC9 mouse_event,

1_2_00094EC9

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Arba Outstanding Statement.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

1_2_000881F7

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00094C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00094C03

Source: Arba Outstanding Statement.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Arba Outstanding Statement.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_0005886B cpuid

1_2_0005886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_000650D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_000650D7

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00072230 GetUserNameW,

1_2_00072230

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_0006418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0006418A

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe

Code function: 1_2_00034AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00034AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 1.2.Arba Outstanding Statement.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Arba Outstanding Statement.exe	Binary or memory string: WIN_81
Source: Arba Outstanding Statement.exe	Binary or memory string: WIN_XP
Source: Arba Outstanding Statement.exe	Binary or memory string: WIN_XPe
Source: Arba Outstanding Statement.exe	Binary or memory string: WIN_VISTA
Source: Arba Outstanding Statement.exe	Binary or memory string: WIN_7
Source: Arba Outstanding Statement.exe	Binary or memory string: WIN_8
Source: Arba Outstanding Statement.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4203190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1f0c6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5530000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2d1ffae.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.41b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 1.2.Arba Outstanding Statement.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000A6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_000A6596
Source: C:\Users\user\Desktop\Arba Outstanding Statement.exe	Code function: 1_2_000A6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_000A6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arba Outstanding Statement.exe	47%	ReversingLabs	Win32.Spyware.RedLine
Arba Outstanding Statement.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.12.205	true	false	high
kino2.top	185.244.151.84	true	false	unknown
mail.kino2.top	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS	RegSvcs.exe, 00000002.00000002.3370861371.00000000057E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://kino2.top	RegSvcs.exe, 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370861371.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001139000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3366951698.0000000001188000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3368520343.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.kino2.top	RegSvcs.exe, 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
185.244.151.84	kino2.top	Netherlands		60117	HSAE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428409
Start date and time:	2024-04-18 22:34:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arba Outstanding Statement.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 60 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Arba Outstanding Statement.exe

Simulations

Behavior and APIs

Time	Type	Description
22:35:06	API Interceptor	40x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
185.244.151.84	https://apiservices.krxd.net/click_tracker/track?kxconfid=whjxbtb0h&_knopii=1&kxcampaignid=P.C.C-Class.W206.L.MI&kxplacementid=module2findmycar&kxbrand=MB&clk=http://WMUHS.penseldraget.com/?email=projectassistant@gheenirrigation.com	Get hash	malicious	HTMLPhisher	Browse	wmuhs.penseldraget.com/?email=projectassistant@gheenirrigation.com&_knopii=1
	https://sites.google.com/view/man-energy-solutions/halaman-muka	Get hash	malicious	HTMLPhisher	Browse	man-energy-solution.duerbcek.com/
	https://sites.google.com/view/asiatic-lloyd-maritime-llp/halaman-muka	Get hash	malicious	HTMLPhisher	Browse	asiatic-lloyd-maritime.duerbcek.com/
	https://sites.google.com/view/dnvlimited/halaman-muka	Get hash	malicious	Unknown	Browse	dnv-limited.duerbcek.com/
	https://veolia-dot-yamm-track.appspot.com/Redirect?ukey=1rYd-S6h21KvcEPO5BLkBWp1KOKV2-Rm-t86fM2DfnMk-177924590&key=YAMMID-18720160&link=http%3A%2F%2Fthrh.tumyphie.com%2F	Get hash	malicious	Unknown	Browse	thrh.tumyphie.com/
	http://mollkiss.mekythkit.online	Get hash	malicious	Unknown	Browse	mollkiss.mekythkit.online/
	Friday_ February 5th_ 2021 64427 a.m._ 20210205064427.64791275BD060468@juidine.com.html	Get hash	malicious	HTMLPhisher	Browse	185.244.151.84/cgi-sys/suspendedpage.cgi
	Thursday, February 4th, 2021 103440 p.m., 20210204223440.464D4D4AD1BFDE50@juidine.com.html	Get hash	malicious	HTMLPhisher	Browse	185.244.151.84/cgi-sys/suspendedpage.cgi
	Adjunto-30.doc	Get hash	malicious	Unknown	Browse	alkamefood.com/y/P/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	hesaphareketi-01.pdf.SCR.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Payment Advice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	RFQ Img_Quotation PO 202400969 - HESSEN TECH_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	order 4500381478001.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Scan-IMG PO Order CW289170-A CW201.bat.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PRODUCT LIST_002673CC1F68.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HSAE	WZM.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	z1RFQ20838_CMC_RITM50736681.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	https://doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/downloadsdownloadfile/dwnl_standart.php	Get hash	malicious	LummaC, PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	194.36.191.196
	BOQ- AE20003 0084 20240408 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	a9wJzPSyH4.exe	Get hash	malicious	AgentTesla	Browse	185.198.59.26
	4938730).vbs	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	194.36.191.196
	PI-23-24-041 AEH-CIPL 6-202424-014 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	CFD.exe	Get hash	malicious	AgentTesla	Browse	185.198.59.26
	RFQ 00033782024 SKM Project FMC.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	SKM 003-23 170204 004982024.pdf.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
CLOUDFLARENETUS	wFtZih4nN9.elf	Get hash	malicious	Mirai	Browse	104.28.24.146
	https://nwcchicago-my.sharepoint.com/:b:/p/jpsanavaitis/EZA36vHeUQxCnJ96O418g94BWiWpCx4SyNTLHION5X1T7g?e=N00DO7	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://tracker.club-os.com/campaign/click?msgId=f8ea317d963149a518aa35e03e5541f797badf3c&target=splendidanimations.com%2F%40%2FBigge/aDRmd79087aDRmd79087aDRmd/ZHN3ZWF6YUBiaWdnZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	https://dinamicconsultores.app.questorpublico.com.br/	Get hash	malicious	HTMLPhisher	Browse	104.21.235.213
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	PO_983888123.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	F723838674.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	hesaphareketi-01.pdf.SCR.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Shipping Dcuments_CI PKL_HL_.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	hesaphareketi-01.pdf.SCR.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Request for Proposal Quote_2414976#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.26.12.205
	Signed Proforma Invoice 3645479_pdf.vbs	Get hash	malicious	FormBook	Browse	104.26.12.205
	F723838674.vbs	Get hash	malicious	Remcos	Browse	104.26.12.205
	order & specification.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	SHIPPING DOCUMENTS_PDF..vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Remittance slip.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\Arba Outstanding Statement.exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.867975334001988
Encrypted:	false
SSDEEP:	6144:eA3B4jPohevB+3xdUOEdJAH6N5uEsXL91FO+5klmaeMeA0:eIBgoh6shdUOmUWuEmPklmBMa
MD5:	F29ADBA361D7EEBB89F56EB4C99AB7F9
SHA1:	ACC20A3A46AD4F7F523EF59ED468B17714BEDDE6
SHA-256:	81F87206B49B52431620DF749CE8F3A55E7775405603200EFE39149F51732954
SHA-512:	CBD78DA171184AE290EF6A892FB6BA37BA027123F4B78FABD31F9DA002A247389D2D3BDFC47E19CEC9C4C8D7D51ED6151402F3468B19F16DD401E583EC27D3AA
Malicious:	false
Reputation:	low
Preview:	...5B2G3B10Q..SB.A2G3F10.CSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3.10QML.L5.;...0\|.b.;+FaB5\!CQ<c02,[.FgQ#.B$-s:,..}..+^T4m^^H.A2G3F109S.~nD.LkB.O. .-aaJ?.6.8:..=x".KmC.M.@./qp=<)0.9.eXN.2.-p.:LjB.Ob8 ;.3.?2G3F10QCSSB5A2G3G."7CSSBe.2G.G50%.S.B5A2G3F1.Q`RXC<A2.2F1LSCSSB5n.G3F!0QC.RB5ArG3V10QASSG5A2G3F15QCSSB5A2'7F14QC.h@5C2G.F1 QCCSB5A"G3V10QCSSR5A2G3F10QCS.W7AbG3F1PSCs.C5A2G3F10QCSSB5A2G3F10QCSS..@2[3F10QCSSB5A2G3F10QCSSB5A2G3.<2Q.SSB5A2G3F10Q.RS.4A2G3F10QCSSB5A2G3F10QCSSB5oF"K210Q[.RB5Q2G3.00QGSSB5A2G3F10QCSsB5!.5W'EQQC.>B5A.F3F_0QC.RB5A2G3F10QCSS.5AriW'EQQCS.r5A2g1F1&QCSY@5A2G3F10QCSSBuA2..4BB2CSSb.@2GSD10.BSSb7A2G3F10QCSSB5.2GsF10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10QCSSB5A2G3F10Q

C:\Users\user\AppData\Local\Temp\aut8131.tmp

Download File

Process:	C:\Users\user\Desktop\Arba Outstanding Statement.exe
File Type:	data
Category:	dropped
Size (bytes):	266358
Entropy (8bit):	7.975070531448954
Encrypted:	false
SSDEEP:	6144:AOr4KCILpsc3cxYjiWlriGMNyDRs/MSmvnICcouy3ewOlp:jrjbLpDjiozMwD6j9i347
MD5:	323AC3923E85044E080CA632EE7A13C9
SHA1:	B7D1BA24EAE55F5EA609D8F9BFBB4213B1AB6F2D
SHA-256:	602C7A41F523E6FFBBE9A133C8329C910944C2A2C60405F45E7755EBE46DBD17
SHA-512:	78993480B5F17E46783E21B635158EF8E0B652D43CA2814D02AFF01AA6EA44D94709812144DDAA0D5EA50D3C421735192BF24947B18372F9EC6134C078157012
Malicious:	false
Reputation:	low
Preview:	EA06.....BzSZ..3.Lf...B..@.J4.a....t)..nj ..N..4..=4..w........;..4).rCC..,s......Y.28..I-...X-.)....Kmz.H..'fsS...M]2.B.S..L..a.O.n..u..Oo.-E..C.ScT...p..%3....e.S.s-....S-@...q ...}.....G.......2....Y...S..a.Q.T..9..e.Q.4...n........R.'.Ty.X.8...tp.L.@..'..3J..Qh.Mhs*>.1.Tht0..D.i..r..W.=^oA..........}.,%.e[.l....F..5.J....}..4..2..+\|@....4w.............'..j4?<..h.Q.tj.....'\|. ....O..N..4Y.4i...4....~...e...(T)..ib..&Tz..c0...I......Q.`._h.o.........d...z..^FSS.h.tI-.g...`;.5O.t.....W.........7...P.7...'-.D7..<.1.U.p=.............v..A...7.0..0.i.....T.5.3....g..M..f8...c0....\|.}..\.8z.B....~v@...H..i.=f.....hTI..#@...Z..}4.O&...'..Qv:..Yn...`........r.4........D....".^V..1.Tn8......Y..^..+g..(;.D..,..-[.e...........(.Zv.+0.L.}..(...N..,d...Dcw......he....+..I.......E...}.N.gw.x..C.I.u;.e:..b..,^.Q..&TY..e.M.}9.F.2.Mw.X..Q..A.5Z.#....l0j...A..ty.......7q....^.....o...Y..O.%.0.\1....k...8..}F..R........\.......Q.4m...f..0.

C:\Users\user\AppData\Local\Temp\aut8181.tmp

Download File

Process:	C:\Users\user\Desktop\Arba Outstanding Statement.exe
File Type:	data
Category:	dropped
Size (bytes):	9848
Entropy (8bit):	7.601903049612647
Encrypted:	false
SSDEEP:	192:1DyaFcKXZG02JtX5WK0nYoa4qyedmysGOSk0qNY/50gOQUblxLr7LJtb/Ed:3F7XZGRJtX5OYnnyedmVGAdY50gUBxXG
MD5:	DCDECC214380FFFFE99A5EDC1C4EA470
SHA1:	5C8BD370C81EB96E33244AFD8F258F3AF49BB3F2
SHA-256:	D16D29CDBFB1376538D398BD7D97D9629352867D0A1C440994CB3B9FF9CBC4BA
SHA-512:	35B30EA4909D85A15869502C0B5D3BF3C88857C6E42A648AFB7861353722B4665182115B9FB6140F2F3A7BC4566CAAE4196ADE786C02CA30962C1BD5054B09F9
Malicious:	false
Reputation:	low
Preview:	EA06..p$...:5.g9.Q&T9..c3.P..Y..eB..&3.$.E.M.....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d........#...

C:\Users\user\AppData\Local\Temp\reaffection

Download File

Process:	C:\Users\user\Desktop\Arba Outstanding Statement.exe
File Type:	ASCII text, with very long lines (28708), with no line terminators
Category:	dropped
Size (bytes):	28708
Entropy (8bit):	3.592282537092259
Encrypted:	false
SSDEEP:	768:ciTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Ik6Ng4vfF3if6gyB:ciTZ+2QoioGRk6ZklputwjpjBkCiw2RP
MD5:	550FE4D7E532A5922A0F727911858F4A
SHA1:	E345D02BA54206B197BF944C25731084CC8CB49C
SHA-256:	26DD32B633B2B911B1A6427243D67DE42CA30B97868E426D8760DD4DA39E63EB
SHA-512:	2B2012BE8DF74A58B87ECBAE38B5BCA37088A62EED609544A22E8B7445E4CE2833409DBBF95DE176148FA6D468F1561E0248BBA387341EC82382C05B6FDFF13A
Malicious:	false
Reputation:	low
Preview:	36FCFF394D2C75138B45282B7018D1FE660x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857effffff

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.035150501409864
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arba Outstanding Statement.exe
File size:	1'219'584 bytes
MD5:	de2adabbce0147d01ae2fc5d80e9efbd
SHA1:	5c499b18b0a6059a8266c14c2a7db79ef1511637
SHA256:	c6a9cf5bccffab4f117d72117c58d725d779ed907d449426eb93a86956d33947
SHA512:	1e13c6b64043253af3be935e7bc83934a2ec47b9a48a184e0d3d0b76e4881d1630b3c7090a408eebc9a5c2fb7fd4d7e985e565f40c99813dca2e57fa50d3124c
SSDEEP:	24576:JAHnh+eWsN3skA4RV1Hom2KXMmHa1DIx+YJbBHtT95:Qh+ZkldoPK8Ya1kxxJrb
TLSH:	0C459D3363918025FEA6B3FF5B55B23147BF6D250123851F12B83969A870163FE2D26E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	0f83cc888cc4030f

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66205CBC [Wed Apr 17 23:35:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FF01CC1ABBDh
jmp 00007FF01CC0D974h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FF01CC0DAFAh
cmp edi, eax
jc 00007FF01CC0DE5Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FF01CC0DAF9h
rep movsb
jmp 00007FF01CC0DE0Ch
cmp ecx, 00000080h
jc 00007FF01CC0DCC4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FF01CC0DB00h
bt dword ptr [004BF324h], 01h
jc 00007FF01CC0DFD0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FF01CC0DC9Dh
test edi, 00000003h
jne 00007FF01CC0DCAEh
test esi, 00000003h
jne 00007FF01CC0DC8Dh
bt edi, 02h
jnc 00007FF01CC0DAFFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FF01CC0DB03h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FF01CC0DB55h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5f554	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x128000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5f554	0x5f600	87d779cff165336bdfd267af7c84fac2	False	0.8138490129423329	data	7.4948934730320325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x128000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	English	Great Britain	0.04405240742931504
RT_MENU	0xd8ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd95dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd9c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xda0f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda6f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdad50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdb1b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdb310	0x4bcf8	data			1.000325260852763
RT_GROUP_ICON	0x127008	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12701c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x127030	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x127044	0x14	data	English	Great Britain	1.25
RT_VERSION	0x127058	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x127164	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 22:35:07.093660116 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.093718052 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.093792915 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.116467953 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.116487026 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.343310118 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.343494892 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.347883940 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.347898960 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.348321915 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.397716045 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.398020983 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.440140009 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.638324022 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.638387918 CEST	443	49710	104.26.12.205	192.168.2.6
Apr 18, 2024 22:35:07.638436079 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:07.644474983 CEST	49710	443	192.168.2.6	104.26.12.205
Apr 18, 2024 22:35:08.825031996 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:09.056914091 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:09.059691906 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:09.869700909 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:09.869946003 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:10.101908922 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.102159023 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:10.335474968 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.336033106 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:10.574181080 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.574203968 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.574215889 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.574229956 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.574290037 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:10.574369907 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:10.575853109 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.615952969 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:10.848336935 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:10.851916075 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:11.083990097 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:11.088423967 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:11.320559025 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:11.325381994 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:11.564435005 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:11.564790964 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:11.796730042 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:11.797072887 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:12.033027887 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.033320904 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:12.265316010 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.266041040 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:12.266084909 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:12.266099930 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:12.266138077 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:35:12.497889996 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.497992992 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.498009920 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.498025894 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.501780033 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:35:12.553922892 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:36:48.242062092 CEST	49711	587	192.168.2.6	185.244.151.84
Apr 18, 2024 22:36:48.474900007 CEST	587	49711	185.244.151.84	192.168.2.6
Apr 18, 2024 22:36:48.475486994 CEST	49711	587	192.168.2.6	185.244.151.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 22:35:06.946984053 CEST	49700	53	192.168.2.6	1.1.1.1
Apr 18, 2024 22:35:07.053011894 CEST	53	49700	1.1.1.1	192.168.2.6
Apr 18, 2024 22:35:08.222826004 CEST	59002	53	192.168.2.6	1.1.1.1
Apr 18, 2024 22:35:08.822905064 CEST	53	59002	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 22:35:06.946984053 CEST	192.168.2.6	1.1.1.1	0x5b6f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:35:08.222826004 CEST	192.168.2.6	1.1.1.1	0xc765	Standard query (0)	mail.kino2.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 22:35:07.053011894 CEST	1.1.1.1	192.168.2.6	0x5b6f	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:35:07.053011894 CEST	1.1.1.1	192.168.2.6	0x5b6f	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:35:07.053011894 CEST	1.1.1.1	192.168.2.6	0x5b6f	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 18, 2024 22:35:08.822905064 CEST	1.1.1.1	192.168.2.6	0xc765	No error (0)	mail.kino2.top	kino2.top		CNAME (Canonical name)	IN (0x0001)	false
Apr 18, 2024 22:35:08.822905064 CEST	1.1.1.1	192.168.2.6	0xc765	No error (0)	kino2.top		185.244.151.84	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.26.12.205	443	3620	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 20:35:07 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-18 20:35:07 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 18 Apr 2024 20:35:07 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87677084195e53b4-ATL
2024-04-18 20:35:07 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 18, 2024 22:35:09.869700909 CEST	587	49711	185.244.151.84	192.168.2.6	220-hosting2.ro.hostsailor.com ESMTP Exim 4.96.2 #2 Thu, 18 Apr 2024 22:35:09 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 18, 2024 22:35:09.869946003 CEST	49711	587	192.168.2.6	185.244.151.84	EHLO 721680
Apr 18, 2024 22:35:10.101908922 CEST	587	49711	185.244.151.84	192.168.2.6	250-hosting2.ro.hostsailor.com Hello 721680 [81.181.57.52] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Apr 18, 2024 22:35:10.102159023 CEST	49711	587	192.168.2.6	185.244.151.84	STARTTLS
Apr 18, 2024 22:35:10.335474968 CEST	587	49711	185.244.151.84	192.168.2.6	220 TLS go ahead

Target ID:	1
Start time:	22:35:03
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\Arba Outstanding Statement.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arba Outstanding Statement.exe"
Imagebase:	0x30000
File size:	1'219'584 bytes
MD5 hash:	DE2ADABBCE0147D01AE2FC5D80E9EFBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.2123836007.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:35:04
Start date:	18/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arba Outstanding Statement.exe"
Imagebase:	0xba0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3368520343.0000000003237000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3368520343.000000000322F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3366767251.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3370537578.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3368046380.0000000002CDF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3370341203.0000000005530000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3368520343.0000000003204000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3369690584.00000000041B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	44

Executed Functions

Function 00033B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00033B7A
IsDebuggerPresent.KERNEL32 ref: 00033B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,000F62F8,000F62E0,?,?), ref: 00033BFD

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

Part of subcall function 00040A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00033C26,000F62F8,?,?,?), ref: 00040ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00033C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,000E93F0,00000010), ref: 0006D4BC
SetCurrentDirectoryW.KERNEL32(?,000F62F8,?,?,?), ref: 0006D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,000E5D40,000F62F8,?,?,?), ref: 0006D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0006D581

Part of subcall function 00033A58: GetSysColorBrush.USER32(0000000F), ref: 00033A62
Part of subcall function 00033A58: LoadCursorW.USER32(00000000,00007F00), ref: 00033A71
Part of subcall function 00033A58: LoadIconW.USER32(00000063), ref: 00033A88
Part of subcall function 00033A58: LoadIconW.USER32(000000A4), ref: 00033A9A
Part of subcall function 00033A58: LoadIconW.USER32(000000A2), ref: 00033AAC
Part of subcall function 00033A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00033AD2
Part of subcall function 00033A58: RegisterClassExW.USER32(?), ref: 00033B28

Part of subcall function 000339E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00033A15
Part of subcall function 000339E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00033A36
Part of subcall function 000339E7: ShowWindow.USER32(00000000,?,?), ref: 00033A4A
Part of subcall function 000339E7: ShowWindow.USER32(00000000,?,?), ref: 00033A53

Part of subcall function 000343DB: _memset.LIBCMT ref: 00034401
Part of subcall function 000343DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000344A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0006D4B4
runas, xrefs: 0006D575

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 37fb9f99d75f8a2bb62e2cbf641f15a67c977104ce6217bdbb58cf2f6f05aced
Instruction ID: 4e6419a5e165ca05f7c558c887684dc5d23cbea72d602cc1095c4fe4146b77fe
Opcode Fuzzy Hash: 37fb9f99d75f8a2bb62e2cbf641f15a67c977104ce6217bdbb58cf2f6f05aced
Instruction Fuzzy Hash: 5A512770E08249AEEF62EBB4DC45EFD7BBDAF04700F044165F515A71A3CA7A5A01EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00034AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00034B2B

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

GetCurrentProcess.KERNEL32(?,000BFAEC,00000000,00000000,?), ref: 00034BF8
IsWow64Process.KERNEL32(00000000), ref: 00034BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00034C45
FreeLibrary.KERNEL32(00000000), ref: 00034C50
GetSystemInfo.KERNEL32(00000000), ref: 00034C81
GetSystemInfo.KERNEL32(00000000), ref: 00034C8D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: aa0af27e37f1ba3d25d488f5488e141e0ca49bffdc1d46f4e8b17c38595b44c3
Instruction ID: 37d468bb4fb621602bb04dc801d06239421d1a30d8faaacce73a9b061a4a3d79
Opcode Fuzzy Hash: aa0af27e37f1ba3d25d488f5488e141e0ca49bffdc1d46f4e8b17c38595b44c3
Instruction Fuzzy Hash: 8A91D73194A7C5DEC772CB7888615AAFFE9AF26300F444E5ED0CB97A01D224F908C719

Uniqueness

Uniqueness Score: -1.00%

Function 00034FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00034EEE,?,?,00000000,00000000), ref: 00034FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00034EEE,?,?,00000000,00000000), ref: 00035010
LoadResource.KERNEL32(?,00000000,?,?,00034EEE,?,?,00000000,00000000,?,?,?,?,?,?,00034F8F), ref: 0006DD60
SizeofResource.KERNEL32(?,00000000,?,?,00034EEE,?,?,00000000,00000000,?,?,?,?,?,?,00034F8F), ref: 0006DD75
LockResource.KERNEL32(00034EEE,?,?,00034EEE,?,?,00000000,00000000,?,?,?,?,?,?,00034F8F,00000000), ref: 0006DD88

Strings

SCRIPT, xrefs: 00035006

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f8da14c8861c2fcc46a5f16d70a5759631e6e72780428c7223e8d5baf67ff12d
Instruction ID: b1ecd08a8534a8a3f0a75faa1c3cd565d7c13cb5b3d442da4ca06f55c1f492e6
Opcode Fuzzy Hash: f8da14c8861c2fcc46a5f16d70a5759631e6e72780428c7223e8d5baf67ff12d
Instruction Fuzzy Hash: 85115A75200701AFE7258B69DC58FA77BBDEBC9B52F204668F506D7260DB62E8008660

Uniqueness

Uniqueness Score: -1.00%

Function 0003492E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00034992

Part of subcall function 000535AC: __lock.LIBCMT ref: 000535B2
Part of subcall function 000535AC: DecodePointer.KERNEL32(00000001,?,000349A7,000881BC), ref: 000535BE
Part of subcall function 000535AC: EncodePointer.KERNEL32(?,?,000349A7,000881BC), ref: 000535C9

Part of subcall function 00034A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00034A73
Part of subcall function 00034A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00034A88

Part of subcall function 00033B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00033B7A
Part of subcall function 00033B4C: IsDebuggerPresent.KERNEL32 ref: 00033B8C
Part of subcall function 00033B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,000F62F8,000F62E0,?,?), ref: 00033BFD
Part of subcall function 00033B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00033C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000349D2

Strings

pb, xrefs: 00034934

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID: pb
API String ID: 1438897964-3672949377
Opcode ID: 8bbfe5193aa7b6b5c38ec93c562868a2d235d914f9507f8275e133d221b9abb0
Instruction ID: 3033e3ecfd78deadc6371cbaa0732c7fa2691043e899b067aa15313c4f14985b
Opcode Fuzzy Hash: 8bbfe5193aa7b6b5c38ec93c562868a2d235d914f9507f8275e133d221b9abb0
Instruction Fuzzy Hash: 2211CD719087019BD300EF28DC0596AFFF8EB84710F008A1EF484872B2DBB59548DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00094696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0006E7C1), ref: 000946A6
FindFirstFileW.KERNELBASE(?,?), ref: 000946B7
FindClose.KERNEL32(00000000), ref: 000946C7

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 67abdae2e55cd8e6b6bcfc54a7574275df43dd1e75c1a3313d85be18f4c38143
Instruction ID: 3f279cc0e53d841682ad37eafbdb92f2f2db710206ce0cf79fb7c8135e763779
Opcode Fuzzy Hash: 67abdae2e55cd8e6b6bcfc54a7574275df43dd1e75c1a3313d85be18f4c38143
Instruction Fuzzy Hash: B5E0DF729104016BAA10A738EC4D8FA7B9C9F06335F100726F979C20E0EBB4996096AA

Uniqueness

Uniqueness Score: -1.00%

Function 0003E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0007428C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: abed65b9b30b46fb12635d7ed0218e45b0d4b376bc900b381c30ef9a8bdc2fba
Instruction ID: cd999d159d11b81f1265148aa8907ed8ab65d40161a116d752a6668950a7b83d
Opcode Fuzzy Hash: abed65b9b30b46fb12635d7ed0218e45b0d4b376bc900b381c30ef9a8bdc2fba
Instruction Fuzzy Hash: C6A27C74E04245CFDB65CF58C480AAEB7F9FB49300F248169E90AAB392D775AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00040B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00040BBB
timeGetTime.WINMM ref: 00040E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00040FB3
TranslateMessage.USER32(?), ref: 00040FC7
DispatchMessageW.USER32(?), ref: 00040FD5
Sleep.KERNEL32(0000000A), ref: 00040FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0004105A
DestroyWindow.USER32 ref: 00041066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00041080
Sleep.KERNEL32(0000000A,?,?), ref: 000752AD
TranslateMessage.USER32(?), ref: 0007608A
DispatchMessageW.USER32(?), ref: 00076098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000760AC

Strings

@GUI_CTRLID, xrefs: 00075364
@COM_EVENTOBJ, xrefs: 0007591A
@TRAY_ID, xrefs: 00075BB9
@GUI_CTRLHANDLE, xrefs: 0007540E
@GUI_WINHANDLE, xrefs: 000753B9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: e315dfefc7da03425adf1c0f036778167eb69c76bc1554a5736fd81837fcf322
Instruction ID: 9816a01eca3fef549155e642fa386f66b27313a2339ceba64480f873ba359785
Opcode Fuzzy Hash: e315dfefc7da03425adf1c0f036778167eb69c76bc1554a5736fd81837fcf322
Instruction Fuzzy Hash: 87B2D470A08741DFD764DF24C884BEEB7E4BF84304F14892DE58997292DBB9E844CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000993DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000991E9: __time64.LIBCMT ref: 000991F3

Part of subcall function 00035045: _fseek.LIBCMT ref: 0003505D

__wsplitpath.LIBCMT ref: 000994BE

Part of subcall function 0005432E: __wsplitpath_helper.LIBCMT ref: 0005436E

_wcscpy.LIBCMT ref: 000994D1
_wcscat.LIBCMT ref: 000994E4
__wsplitpath.LIBCMT ref: 00099509
_wcscat.LIBCMT ref: 0009951F
_wcscat.LIBCMT ref: 00099532

Part of subcall function 0009922F: _memmove.LIBCMT ref: 00099268
Part of subcall function 0009922F: _memmove.LIBCMT ref: 00099277

_wcscmp.LIBCMT ref: 00099479

Part of subcall function 000999BE: _wcscmp.LIBCMT ref: 00099AAE
Part of subcall function 000999BE: _wcscmp.LIBCMT ref: 00099AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000996DC
_wcsncpy.LIBCMT ref: 0009974F
DeleteFileW.KERNEL32(?,?), ref: 00099785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0009979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000997AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000997BE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 1b70494065043ec22a2edea23c5cc3825f5bd0389da2137a3c03201d30b345b9
Instruction ID: 91af6b3822ff662adfad8d4f0df024063c9c262fd6c9857629cf653cad876687
Opcode Fuzzy Hash: 1b70494065043ec22a2edea23c5cc3825f5bd0389da2137a3c03201d30b345b9
Instruction Fuzzy Hash: 64C12BB1D00219AADF21DF99CC85ADEB7BDEF49300F0040AAF609E7152DB719A849F65

Uniqueness

Uniqueness Score: -1.00%

Function 000371EB Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00034864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,000F62F8,?,000337C0,?), ref: 00034882

Part of subcall function 0005074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000372C5), ref: 00050771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00037308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0006ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0006ED32
RegCloseKey.ADVAPI32(?), ref: 0006ED70
_wcscat.LIBCMT ref: 0006EDC9

Strings

Include, xrefs: 0006ECE8, 0006ED29
\Include\, xrefs: 000372C5
Software\AutoIt v3\AutoIt, xrefs: 000372FE
@J, xrefs: 0003723B
\, xrefs: 0006EDEC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: @J$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2775195532
Opcode ID: fa7fad0f5cff75d947c69bea0024f481dc0d78ff15b1ee6779072ef933e5bb20
Instruction ID: b6cb22127972b5f79798aecfcb040b5a580c0b9a2592e3342b70529e6e490bea
Opcode Fuzzy Hash: fa7fad0f5cff75d947c69bea0024f481dc0d78ff15b1ee6779072ef933e5bb20
Instruction Fuzzy Hash: CD718D714083019ED365EF29EC819AFB7F8FF99310F40092EF549971A1EB349948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00033015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00033074
RegisterClassExW.USER32(00000030), ref: 0003309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000330AF
InitCommonControlsEx.COMCTL32(?), ref: 000330CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000330DC
LoadIconW.USER32(000000A9), ref: 000330F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00033101

Strings

AutoIt v3 GUI, xrefs: 00033090
0, xrefs: 00033056
+, xrefs: 0003305D
TaskbarCreated, xrefs: 000330A4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 226c90f9b82bbc12d654d26e44493cf7047bbf88ea5e3e14306daab41e45eaba
Instruction ID: e13a30385d7ef5e770423bc759d7231b6add17331b4e107e9854fbfd9147d3af
Opcode Fuzzy Hash: 226c90f9b82bbc12d654d26e44493cf7047bbf88ea5e3e14306daab41e45eaba
Instruction Fuzzy Hash: 843147B184530AAFEB00DFA4DC84AE9BBF4FB09310F14466EE590E72A0D7BA0545DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00033A58 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00033A62
LoadCursorW.USER32(00000000,00007F00), ref: 00033A71
LoadIconW.USER32(00000063), ref: 00033A88
LoadIconW.USER32(000000A4), ref: 00033A9A
LoadIconW.USER32(000000A2), ref: 00033AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00033AD2
RegisterClassExW.USER32(?), ref: 00033B28

Part of subcall function 00033041: GetSysColorBrush.USER32(0000000F), ref: 00033074
Part of subcall function 00033041: RegisterClassExW.USER32(00000030), ref: 0003309E
Part of subcall function 00033041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000330AF
Part of subcall function 00033041: InitCommonControlsEx.COMCTL32(?), ref: 000330CC
Part of subcall function 00033041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000330DC
Part of subcall function 00033041: LoadIconW.USER32(000000A9), ref: 000330F2
Part of subcall function 00033041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00033101

Strings

pb, xrefs: 00033AB3
AutoIt v3, xrefs: 00033B17
#, xrefs: 00033B0D
0, xrefs: 00033B06

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3$pb
API String ID: 423443420-1839105792
Opcode ID: d068ab6b412493e1876f5fd623436be7fcafb50d0627bd168b60a4e9dd5f5d80
Instruction ID: e0d0201258098a61f9fc8104deb69898200e97cca534f2b75b0e89b283fff47a
Opcode Fuzzy Hash: d068ab6b412493e1876f5fd623436be7fcafb50d0627bd168b60a4e9dd5f5d80
Instruction Fuzzy Hash: 2A215970940304AFFB509FA4EC49BAD7FB4EB08720F00016AE504A76A0C7BA5654EF84

Uniqueness

Uniqueness Score: -1.00%

Function 00033041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00033074
RegisterClassExW.USER32(00000030), ref: 0003309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000330AF
InitCommonControlsEx.COMCTL32(?), ref: 000330CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000330DC
LoadIconW.USER32(000000A9), ref: 000330F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00033101

Strings

AutoIt v3 GUI, xrefs: 00033090
0, xrefs: 00033056
+, xrefs: 0003305D
TaskbarCreated, xrefs: 000330A4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f5aed59ee8b7102782bb97ca74b208821cfbb00b08813160bf75299cec9977c8
Instruction ID: fe4ed1ee3ecdd2401cb854361ae3969b08d808932a2d955220aeea1b990157b0
Opcode Fuzzy Hash: f5aed59ee8b7102782bb97ca74b208821cfbb00b08813160bf75299cec9977c8
Instruction Fuzzy Hash: F021F9B1950219AFEB00DF94EC48BEDBBF4FB08750F10422AF511A72A0DBBA4545DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00033633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 000336D2
KillTimer.USER32(?,00000001), ref: 000336FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0003371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0003372A
CreatePopupMenu.USER32 ref: 0003373E
PostQuitMessage.USER32(00000000), ref: 0003375F

Strings

TaskbarCreated, xrefs: 00033725

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 826ef7ceda4839cee1610589832ea784848409e868dbcf9d3610e72f5fb685c3
Instruction ID: 20dfefcca920f281d438b43ce38a0bfce3b3ccf9f00486c3b358ca11ed9e59eb
Opcode Fuzzy Hash: 826ef7ceda4839cee1610589832ea784848409e868dbcf9d3610e72f5fb685c3
Instruction Fuzzy Hash: FD412CB16085057FEB765F38DC8ABBD379DE700340F140229F602976A2CE69AE40E361

Uniqueness

Uniqueness Score: -1.00%

Function 00033778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 000338A4
CMDLINE, xrefs: 00033834
/ErrorStdOut, xrefs: 0003388F
/AutoIt3ExecuteScript, xrefs: 000338CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 000337C0
CMDLINERAW, xrefs: 0003380D
/AutoIt3ExecuteLine, xrefs: 000338B9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: cdb38ddb24a83e1eaa63255dfc3a5b9bb7a04c0f6b3caf5025450cfe559cffdf
Instruction ID: 928a39801e290ecae12e889b3b11a181608b37491973f6dea8454ed32ca28fa9
Opcode Fuzzy Hash: cdb38ddb24a83e1eaa63255dfc3a5b9bb7a04c0f6b3caf5025450cfe559cffdf
Instruction Fuzzy Hash: 2AA14C72D1062D9ADB16EBA0CC91EEEB77CBF14300F04052AF516B7192DF75AA09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D42620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D426F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D42917

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 382819c8ea4425fbf8ea61e376ad3f89d35f38c006eefefd53ae8b52233cd64d
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 6CA10474E00209EBDB14CFA4C895BEEBBB5FF48304F248559E541BB280D7799A81DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 000339E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00033A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00033A36
ShowWindow.USER32(00000000,?,?), ref: 00033A4A
ShowWindow.USER32(00000000,?,?), ref: 00033A53

Strings

edit, xrefs: 00033A30
AutoIt v3, xrefs: 00033A0D, 00033A12, 00033A13

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a3719fcb071945d189bfd0d1f4fddc5ee0a73d8ac3913f1604f911fe6aaed043
Instruction ID: 15d39bee0e1edebbc6d29ac5d03c88d173866fa5ac470d9886eab4b61ab13bd1
Opcode Fuzzy Hash: a3719fcb071945d189bfd0d1f4fddc5ee0a73d8ac3913f1604f911fe6aaed043
Instruction Fuzzy Hash: BFF03A706402907EFA701B6BAC0CE772E7DD7C6F50B00012AB900A3170C6AE0800EAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0003F8CF Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000503A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000503D3
Part of subcall function 000503A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 000503DB
Part of subcall function 000503A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000503E6
Part of subcall function 000503A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000503F1
Part of subcall function 000503A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 000503F9
Part of subcall function 000503A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00050401

Part of subcall function 00046259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0003FA90), ref: 000462B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0003FB2D
OleInitialize.OLE32(00000000), ref: 0003FBAA
CloseHandle.KERNEL32(00000000), ref: 000749F2

Strings

@e, xrefs: 0003F937
F, xrefs: 0003F941

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: F$@e
API String ID: 1986988660-1765875470
Opcode ID: c9588084d9e81d1be9385b01f074783b0d7770ef79942b00c9eda50cb40403de
Instruction ID: 6b708b250f905b720f791406b659889cb77d045561b849e376cd8b4d2f7d92fc
Opcode Fuzzy Hash: c9588084d9e81d1be9385b01f074783b0d7770ef79942b00c9eda50cb40403de
Instruction Fuzzy Hash: 9C81B7B09052418EE784EF29E9516B57AF8EB99708710813E9119C7A62EB3FA508EF11

Uniqueness

Uniqueness Score: -1.00%

Function 00D42410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D42300: Sleep.KERNELBASE(000001F4), ref: 00D42311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D4250A

Strings

SSB5A2G3F10QC, xrefs: 00D4256D, 00D42570

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateFileSleep
String ID: SSB5A2G3F10QC
API String ID: 2694422964-173451937
Opcode ID: 9432fdb1cd9654c4fcca0f992234dcd0bb8fc562e8616bfa6389fe6a40aae431
Instruction ID: 18b1fce0ff99469228a075ac3c1e7c219ac739aeecaec451cea0bd0bed0824a3
Opcode Fuzzy Hash: 9432fdb1cd9654c4fcca0f992234dcd0bb8fc562e8616bfa6389fe6a40aae431
Instruction Fuzzy Hash: C4518F71D04249DBEF10DBA4C819BEEBBB8AF08300F104599E609BB2C0D7B94B45CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0003410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0006D5EC

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

_memset.LIBCMT ref: 0003418D
_wcscpy.LIBCMT ref: 000341E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000341F1

Strings

Line: , xrefs: 0006D615

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 8fb5e9785513aa253c934db4e7aa1f554b2d4453d560eddd2b787fd4c07db65b
Instruction ID: 843ba60e8158bfeef1f6db59751f68c1d57368ff15b48a44a6ebd58de1f74b31
Opcode Fuzzy Hash: 8fb5e9785513aa253c934db4e7aa1f554b2d4453d560eddd2b787fd4c07db65b
Instruction Fuzzy Hash: 6131C4714087046AE772EB64DC46FEB77ECAF44300F10451EF589970A2DB74A648CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0005564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 000556AB
_memcpy_s.LIBCMT ref: 0005571D
__read_nolock.LIBCMT ref: 0005577B
__filbuf.LIBCMT ref: 0005579E
_memset.LIBCMT ref: 000557E2

Part of subcall function 00058D68: __getptd_noexit.LIBCMT ref: 00058D68

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 415b1bf04af5dba7aea66ff5a28a4fcb58f98a44ff4958aa05469f0806e21017
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 9A519F30A04B09DBDB248EA9DCA46AF77F5AF44323F248629FC25972D1D7709D588B50

Uniqueness

Uniqueness Score: -1.00%

Function 000369CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00034F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,000F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00034F6F

_free.LIBCMT ref: 0006E68C
_free.LIBCMT ref: 0006E6D3

Part of subcall function 00036BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00036D0D

Strings

Bad directive syntax error, xrefs: 0006E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0006E462

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d998c1d2d7a26871849b6d63faf7b6688662500d313205f36e4f4f70766aad48
Instruction ID: 0c70b7f3bebefcec7e122b4c430603967d0b35bf268cb638a05bf34b326c71b4
Opcode Fuzzy Hash: d998c1d2d7a26871849b6d63faf7b6688662500d313205f36e4f4f70766aad48
Instruction Fuzzy Hash: C2919075910659EFCF15EFA4CC919EEB7B9FF14314F144429F816AB2A2EB30AA04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000335B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000335A1,SwapMouseButtons,00000004,?), ref: 000335D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000335A1,SwapMouseButtons,00000004,?,?,?,?,00032754), ref: 000335F5
RegCloseKey.KERNELBASE(00000000,?,?,000335A1,SwapMouseButtons,00000004,?,?,?,?,00032754), ref: 00033617

Strings

Control Panel\Mouse, xrefs: 000335D2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 83fa6d879bae675e64e1838ed4e4e352fe1868de694d1602d116e581fbc73574
Instruction ID: 9ea9296ac8d4b41b66273e4d4324a3fb0974c31faa78a70fa238c87cd9028a1f
Opcode Fuzzy Hash: 83fa6d879bae675e64e1838ed4e4e352fe1868de694d1602d116e581fbc73574
Instruction Fuzzy Hash: 8E110675911218BFDB219F64DC859EFB7ACEF04740F118969B805D7210D6719F509760

Uniqueness

Uniqueness Score: -1.00%

Function 00D41300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D41B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D41B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D41B73

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: e49033572fa0a7188aca2017057a4fb78cafab040cab7a07e47be85c9bf7e909
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 5B621C34A14258DBEB24CFA4C851BDEB372EF58300F1091A9E50DEB394E7759E81CB69

Uniqueness

Uniqueness Score: -1.00%

Function 000997E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00035045: _fseek.LIBCMT ref: 0003505D

Part of subcall function 000999BE: _wcscmp.LIBCMT ref: 00099AAE
Part of subcall function 000999BE: _wcscmp.LIBCMT ref: 00099AC1

_free.LIBCMT ref: 0009992C
_free.LIBCMT ref: 00099933
_free.LIBCMT ref: 0009999E

Part of subcall function 00052F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00059C64), ref: 00052FA9
Part of subcall function 00052F95: GetLastError.KERNEL32(00000000,?,00059C64), ref: 00052FBB

_free.LIBCMT ref: 000999A6

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: a76fbcadab94935215724eedc64f38d4c6513d360bad136f3b5d8a92b91fdb89
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 37515FB1904218AFDF249F64DC81ADEBBB9EF48310F1044AEF609A7252DB715E90CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0005493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000549D0
__flush.LIBCMT ref: 000549F0
__write.LIBCMT ref: 00054A23
__flsbuf.LIBCMT ref: 00054A51

Part of subcall function 00058D68: __getptd_noexit.LIBCMT ref: 00058D68

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 8738b7108865159886f411fef3b107963d58bc4664b6cf55d80d29f1a381afef
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 8A41D5746006069BDF68CEA9C8819EF77EAEF8036AB24813DEC55C7680D7709DC88B45

Uniqueness

Uniqueness Score: -1.00%

Function 000373E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0006EE62
GetOpenFileNameW.COMDLG32(?), ref: 0006EEAC

Part of subcall function 000348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000348A1,?,?,000337C0,?), ref: 000348CE

Part of subcall function 000509D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000509F4

Strings

X, xrefs: 0006EE7A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: c9b6b10daee48a5284726a1bd44d8d74d9a15c1e1ef166a7d84e0cf648e48214
Instruction ID: 335c4d9e48ee940cd15188e76ef0b6dd3b608784e69b347eebe17c4b2fa54ee8
Opcode Fuzzy Hash: c9b6b10daee48a5284726a1bd44d8d74d9a15c1e1ef166a7d84e0cf648e48214
Instruction Fuzzy Hash: FF21D571A002989BDB52DF94CC45BEE7BFD9F49300F04405AE808F7282DBB959898FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0009901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00099036
__fread_nolock.LIBCMT ref: 0009904B

Strings

EA06, xrefs: 0009907D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 74f7e11c44981efdb1aedb27fdd5a42edbab15a81ce437a3874cb6d05a0c0947
Instruction ID: 4a242bd3c5f849ba36f4caff21b51b0c7de703f558282a6b99565cdf529b7bba
Opcode Fuzzy Hash: 74f7e11c44981efdb1aedb27fdd5a42edbab15a81ce437a3874cb6d05a0c0947
Instruction Fuzzy Hash: 2101F9719042587EDB28C6A8CC16FFE7BF89B05301F00419EF552D6181E5B5A608DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00099B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00099B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00099B99

Strings

aut, xrefs: 00099B93

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8708121e3c88dfa8e523bb66eae4221751533148211d8672dfc1fbab06d74c3a
Instruction ID: 2423ab0ab9e9c812faeaa53811432b276535928002cf6ed8f35e9d122e4edbdf
Opcode Fuzzy Hash: 8708121e3c88dfa8e523bb66eae4221751533148211d8672dfc1fbab06d74c3a
Instruction Fuzzy Hash: 60D05E7964030EAFEB209B94DC0EFEA772CEB04700F0042A1BF54961A1DEB465988B91

Uniqueness

Uniqueness Score: -1.00%

Function 000ACDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15de785b96ee254c39d4498bb3c22d9861b2f57072dd169e26d6ec87c99a599c
Instruction ID: c10a998b9bd3f34a71f08ea4a579903a1e56914ad1b51899b6d64bd907610995
Opcode Fuzzy Hash: 15de785b96ee254c39d4498bb3c22d9861b2f57072dd169e26d6ec87c99a599c
Instruction Fuzzy Hash: 37F139716083019FCB14DF68C484A6ABBE5FF89314F14892EF89A9B352D771E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 000343DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00034401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 000344A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 000344C3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 389053225792a2281c3a32bfc0961cc585063f7c7cfcd342a24bed12ba4f3949
Instruction ID: ae9ed347859dad7f9bb23856ab7fdcce8ac3d1fb6aaf98e1dbb911f247a3aa2c
Opcode Fuzzy Hash: 389053225792a2281c3a32bfc0961cc585063f7c7cfcd342a24bed12ba4f3949
Instruction Fuzzy Hash: D0315EB05057019FD761DF24D8847ABBBF8FB48308F00093EF59A87251E775A948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0005594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00055963

Part of subcall function 0005A3AB: __NMSG_WRITE.LIBCMT ref: 0005A3D2
Part of subcall function 0005A3AB: __NMSG_WRITE.LIBCMT ref: 0005A3DC

__NMSG_WRITE.LIBCMT ref: 0005596A

Part of subcall function 0005A408: GetModuleFileNameW.KERNEL32(00000000,000F43BA,00000104,?,00000001,00000000), ref: 0005A49A
Part of subcall function 0005A408: ___crtMessageBoxW.LIBCMT ref: 0005A548

Part of subcall function 000532DF: ___crtCorExitProcess.LIBCMT ref: 000532E5
Part of subcall function 000532DF: ExitProcess.KERNEL32 ref: 000532EE

Part of subcall function 00058D68: __getptd_noexit.LIBCMT ref: 00058D68

RtlAllocateHeap.NTDLL(00E40000,00000000,00000001,00000000,?,?,?,00051013,?), ref: 0005598F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e1d7c5879f7a1051516eb052e7e27507815dd4ac72a749ca591d53ce27e2f743
Instruction ID: 0dd65ca78f199b9ac13f63a3f9ce4b2002f4df0390eb87ab96460de41f761116
Opcode Fuzzy Hash: e1d7c5879f7a1051516eb052e7e27507815dd4ac72a749ca591d53ce27e2f743
Instruction Fuzzy Hash: EC01D231304A11DEE6612B69EC62AAF73D89F42773F10012AFC00AA182EE789D499761

Uniqueness

Uniqueness Score: -1.00%

Function 00099B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000997D2,?,?,?,?,?,00000004), ref: 00099B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000997D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00099B5B
CloseHandle.KERNEL32(00000000,?,000997D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00099B62

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 549af89737147b554ba7b35aa678f0ff0a121d9477d0ad5be5d06fbee896254d
Instruction ID: 0936fadfc89d89e9aa456ce8c43468bf25c6b5242e4ca0c5ffcb1f96ccad0f21
Opcode Fuzzy Hash: 549af89737147b554ba7b35aa678f0ff0a121d9477d0ad5be5d06fbee896254d
Instruction Fuzzy Hash: 42E08632180215B7FB211B58EC09FDA7B58AB05B75F144620FB147A0E087B526119798

Uniqueness

Uniqueness Score: -1.00%

Function 00098F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00098FA5

Part of subcall function 00052F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00059C64), ref: 00052FA9
Part of subcall function 00052F95: GetLastError.KERNEL32(00000000,?,00059C64), ref: 00052FBB

_free.LIBCMT ref: 00098FB6
_free.LIBCMT ref: 00098FC8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: d7249bec2418d77c409ed52da558a29b09721f5e9a74b11b19c1393b91e380ff
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 71E012A16097014ACE64A578BD50BD357EE5F4A351B18183DB849DB243DE24E8859324

Uniqueness

Uniqueness Score: -1.00%

Function 0003AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0007002B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 7d873f4dc16df49a8adbbf948a3339dbf7f698e5aba11f56a4e5112539db7c53
Instruction ID: 083532f1ded928e45a8338c2e2cb00449e28f3b8311aa78f2cf2586291b072ee
Opcode Fuzzy Hash: 7d873f4dc16df49a8adbbf948a3339dbf7f698e5aba11f56a4e5112539db7c53
Instruction Fuzzy Hash: CD224874608341CFCB26DF14C494B6ABBE5BF85304F14896DE98A8B362D735ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00034DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00034E1A

Strings

EA06, xrefs: 0006DCF5

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e80afb070122cf6faefc9ea38722880362d8f158d769862639e1d8a4334e3b89
Instruction ID: aa958c9f799ac4a85a63c00a4683ae33d9a5b5af7b887ff14e4e8717c1019ca0
Opcode Fuzzy Hash: e80afb070122cf6faefc9ea38722880362d8f158d769862639e1d8a4334e3b89
Instruction Fuzzy Hash: 68415971A042586BDF239B64CC917FE7FAEEB05301F284475EC829F283C661AD8487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00035DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00035981,?,?,?,?), ref: 00035E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00035981,?,?,?,?), ref: 0006E19C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9ea19e4cea7266c46bc58ee12ae62d76755cfacf144adc493cfd77859abfcf5c
Instruction ID: 1e6341c978f74556a8646ea1f0de3b3d60d052acd0420a790f1d07deabe60373
Opcode Fuzzy Hash: 9ea19e4cea7266c46bc58ee12ae62d76755cfacf144adc493cfd77859abfcf5c
Instruction Fuzzy Hash: 6A01B574244708BEF3691E28CC8AFB63BDCEB01769F108718BAE56B1E0C6B41E459F50

Uniqueness

Uniqueness Score: -1.00%

Function 00050FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0005594C: __FF_MSGBANNER.LIBCMT ref: 00055963
Part of subcall function 0005594C: __NMSG_WRITE.LIBCMT ref: 0005596A
Part of subcall function 0005594C: RtlAllocateHeap.NTDLL(00E40000,00000000,00000001,00000000,?,?,?,00051013,?), ref: 0005598F

std::exception::exception.LIBCMT ref: 0005102C
__CxxThrowException@8.LIBCMT ref: 00051041

Part of subcall function 000587DB: RaiseException.KERNEL32(?,?,?,000EBAF8,00000000,?,?,?,?,00051046,?,000EBAF8,?,00000001), ref: 00058830

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: fc0e60bbc2169cfc1d800d10d4b6b421b5614d1178ff5db962b975f7cc63d6fe
Instruction ID: 73a48c18f42bad604d886362f19f671cbc1eb7990d08f2b84cbfb2744e018fe8
Opcode Fuzzy Hash: fc0e60bbc2169cfc1d800d10d4b6b421b5614d1178ff5db962b975f7cc63d6fe
Instruction Fuzzy Hash: 08F0A43550425DA6CB21BB58EC05ADF77AC9F04362F104469FC04A6592EFB18AD893D1

Uniqueness

Uniqueness Score: -1.00%

Function 0005582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0005585C
__lock_file.LIBCMT ref: 0005587D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f95740c61b60034921880555c474bdb50326701c7a7219f21c2fcaadbb3f49b4
Instruction ID: 5b5fbd6a7a8137c37fff7fdbe472ca01816c87394bb3a44b4961c106352fa424
Opcode Fuzzy Hash: f95740c61b60034921880555c474bdb50326701c7a7219f21c2fcaadbb3f49b4
Instruction Fuzzy Hash: 8C018471800608EBCF22AF698C169EF7BA1AF44363F148215BC147B1A2DF328A15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 000555D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00058D68: __getptd_noexit.LIBCMT ref: 00058D68

__lock_file.LIBCMT ref: 0005561B

Part of subcall function 00056E4E: __lock.LIBCMT ref: 00056E71

__fclose_nolock.LIBCMT ref: 00055626

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 56a37f0859d006f7bd74ca9b01a8a28cedfe88753fbf53815080594abe7ef2f1
Instruction ID: 649bb909122a992f5c105e689fc8e6885635a464ff82399351e6ce67127af6d0
Opcode Fuzzy Hash: 56a37f0859d006f7bd74ca9b01a8a28cedfe88753fbf53815080594abe7ef2f1
Instruction Fuzzy Hash: 15F09071801A449AEB21AB768C167AF77E16F40337F658209AC14BB1D3CF7C8A099B55

Uniqueness

Uniqueness Score: -1.00%

Function 00D412FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00D41B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D41B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D41B73

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: e2c73fa5446c89a3d963f03c92105e49dbf40ba744ac032c7d55439f3b01b54b
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 7812CE24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0003F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0a24dc00a360efadce475ced011a5fdd26f435a04f9cc41e100917a97de796
Instruction ID: 995502167d7d67e3ceabef3aa908f65c71835bc85d13a391794df304b7fcdfdb
Opcode Fuzzy Hash: 8c0a24dc00a360efadce475ced011a5fdd26f435a04f9cc41e100917a97de796
Instruction Fuzzy Hash: 9261BC70A0060A9FCB25DF64C980ABBB7F8EF05300F148579E90A8B282E775ED51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00042123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d97014b08c3580c505cae8dac6adb2dcceeddc5b5a758955d5f1fc88ec21a3
Instruction ID: d3061383e4c246da4a661fc1279f3583735826fbe13a3263822ea3bc983b02db
Opcode Fuzzy Hash: 88d97014b08c3580c505cae8dac6adb2dcceeddc5b5a758955d5f1fc88ec21a3
Instruction Fuzzy Hash: E9516C35700604ABCF15EB68C991FAE77EAAF45310F1480A8F90AAB293DB35ED04DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00035C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00035CF6

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6f9ac80a04714cbc99a30174b284dcfbd118d7988c45497097d1ae447e688dd3
Instruction ID: 2dab65723ea359135a8c159dffb2fb0c19c7edd43743a99b937356ebc80f5a5c
Opcode Fuzzy Hash: 6f9ac80a04714cbc99a30174b284dcfbd118d7988c45497097d1ae447e688dd3
Instruction Fuzzy Hash: 75316C71A10B09AFCB59CF2DC884AADB7F9FF48315F148629E81993720D731B960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 000700D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 000700E1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b0e183b56960741ab6be4bf074cf8ab0442871b2dd4e743639e977da3196a9a9
Instruction ID: 1d1fe684f9246067b7060fcb605e25a365c8cd2a1c921dd56af06e0563b4d27e
Opcode Fuzzy Hash: b0e183b56960741ab6be4bf074cf8ab0442871b2dd4e743639e977da3196a9a9
Instruction Fuzzy Hash: 80411974604341CFDB25DF14C484B5ABBE4BF45318F1989ACE98A4B362C376EC85CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0003C707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0003C73D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: bf9e178b732a1b23a89ac6a9f2f8fcb5f004d6dfc3e3d51fe6a9397e8eec635b
Instruction ID: 21923e41bb7b5493a86ecee6fc6df7a4dd0d29819cccfcbd44910019921d58ac
Opcode Fuzzy Hash: bf9e178b732a1b23a89ac6a9f2f8fcb5f004d6dfc3e3d51fe6a9397e8eec635b
Instruction Fuzzy Hash: 4611C071D04218EBDB26ABA9DC81DEEF7BCEF95350F108126E815A71A1EB309D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000380D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00038109

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
Instruction ID: 88b462e5f3c96d3810b6ccfc463172b23e4f3883aab069cb3315d76d9bd356f6
Opcode Fuzzy Hash: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
Instruction Fuzzy Hash: BC111976204705DFC724DF28D481A56B7E9FF49354B20C86EF98ACB662DB32E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00034F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00034D13: FreeLibrary.KERNEL32(00000000,?), ref: 00034D4D

Part of subcall function 0005548B: __wfsopen.LIBCMT ref: 00055496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,000F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00034F6F

Part of subcall function 00034CC8: FreeLibrary.KERNEL32(00000000), ref: 00034D02

Part of subcall function 00034DD0: _memmove.LIBCMT ref: 00034E1A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 7d567bc7742a8f464af64375db7d897ab9066a4c475ebe67c72d6dd9852db5c4
Instruction ID: 21827fd97355fa637e30d5a1665c286436f0b99b9a16aef31ba0b97deece93d3
Opcode Fuzzy Hash: 7d567bc7742a8f464af64375db7d897ab9066a4c475ebe67c72d6dd9852db5c4
Instruction Fuzzy Hash: B811E731A00205AACB16BF70DC52FEE77AD9F40701F108429F545AB1C2DA71AE159BA0

Uniqueness

Uniqueness Score: -1.00%

Function 000701AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 000701BB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 748027c10f12b4e9ccea1b7aba88e6685404a87b9f91bc8c6107cfe4cdf909d4
Instruction ID: 7053c65646fc3f2edb3c05deb86114cfda85dff567e8d1dc4e97a1b7c8feaa80
Opcode Fuzzy Hash: 748027c10f12b4e9ccea1b7aba88e6685404a87b9f91bc8c6107cfe4cdf909d4
Instruction Fuzzy Hash: 232122B4A08341CFCB25DF14C844B5BBBE4BF89314F05896CE88A47762D735E859CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00035D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00035807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00035D76

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 64a54dc7bf2c60fd65ebb3eb9e6df4f3caf0f1e1145181d5b8b4890e602c4c22
Instruction ID: 2e931d6e442fa3e50935c5e057ecbbe66aa0ef24206f31b2eb34bd8bcd0e0b48
Opcode Fuzzy Hash: 64a54dc7bf2c60fd65ebb3eb9e6df4f3caf0f1e1145181d5b8b4890e602c4c22
Instruction Fuzzy Hash: 91113A35200B019FD3728F15C888B66B7E9EF45751F10C92EE4AA86A60D770E945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0003C6DA Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0003C73D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: c3e928119964f737a7211340c94219c6686774ab25af1b018b69d800823b07a8
Instruction ID: 80d036f290b2c5f86732f1ea155fe5ccc59d97a1befdae3f1efd563f4aad2ce5
Opcode Fuzzy Hash: c3e928119964f737a7211340c94219c6686774ab25af1b018b69d800823b07a8
Instruction Fuzzy Hash: CC110472D082459FE7179F29C851AEAFBB8EF5B350F19409BD810EB2A1D3309D01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00050941 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000509F4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: dc512faf4e31640b3805ca2a3b19a73ec3e020515cad1bf50d28d25b54f7e6d9
Instruction ID: d74da76f20c186bf800cc0acb4a0e834617edb2aac531f6f52426b1a68f38aeb
Opcode Fuzzy Hash: dc512faf4e31640b3805ca2a3b19a73ec3e020515cad1bf50d28d25b54f7e6d9
Instruction Fuzzy Hash: AA01286244E3C04FD313C7B8E8656A57FB4AE4712471D06DFD886CF023CA99185AF722

Uniqueness

Uniqueness Score: -1.00%

Function 00054A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00054AD6

Part of subcall function 00058D68: __getptd_noexit.LIBCMT ref: 00058D68

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 834d65138ca67c38218cbb4b9165cf94100e73c269c08719e8e03ff6fac320fc
Instruction ID: 5bc73e4d806491c37036252ff6280e085513b4c3b9149a90a37f2223231300d0
Opcode Fuzzy Hash: 834d65138ca67c38218cbb4b9165cf94100e73c269c08719e8e03ff6fac320fc
Instruction Fuzzy Hash: 93F0A4319402099BDFA1AF658C067DF36A5AF0032BF048514BC14AA1D2DB788E98DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00034FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,000F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00034FDE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c3e0ab772b58979199bb680932ee9267351980ab1a1ca3da803f25950d3b7f4d
Instruction ID: b3538ff83de199a78e019e40b7cffc793fbb144da1910fc6d87c4744a1b4c62b
Opcode Fuzzy Hash: c3e0ab772b58979199bb680932ee9267351980ab1a1ca3da803f25950d3b7f4d
Instruction Fuzzy Hash: 02F0A971404B12CFCB358F24E8A0826BBF9FF0032A3288A3EE1C68A610C731A844CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000509D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000509F4

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 06c1745a6bce93377b197208ff442d246007f48d4ba337a69f14603f4d33f9a3
Instruction ID: d15970c09e64576a5ac0e209d4301d218d2c0b8c67b60143e519b264b4625f8e
Opcode Fuzzy Hash: 06c1745a6bce93377b197208ff442d246007f48d4ba337a69f14603f4d33f9a3
Instruction Fuzzy Hash: 1BE0CD7690422857D721D6689C05FFA77EDDF89790F0401B6FD0CD7305DD659C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00099129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0009914B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: c2ee0ae9d7ab995a75df8a4a5830ed3adb9107b83d69d2541cd6d018706757d7
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 09E092B0104B005FDB748A28DC117E373E0BB06315F00081CF69A93342EB627841D759

Uniqueness

Uniqueness Score: -1.00%

Function 00035DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0006E16B,?,?,00000000), ref: 00035DBF

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8211894749652dd950f361cedec96dbf1872bbf7fe02027fc7acb02404a24b5d
Instruction ID: e6703b65438afc40bc4d71893b41cf07cb2b0739685da83a1ed07a280fed7218
Opcode Fuzzy Hash: 8211894749652dd950f361cedec96dbf1872bbf7fe02027fc7acb02404a24b5d
Instruction Fuzzy Hash: 8CD0C77464020CBFE710DB84DC46FA9777CD705710F100294FD0457290D6B27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 0005548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00055496

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 249b9fa69e2e83097c06e4ae260c0ada0fc1f6218e5c3b057d0d1849490858be
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: DCB09B7544010C77DE011D41EC02A553B195740679F404010FF0C181629573A5645585

Uniqueness

Uniqueness Score: -1.00%

Function 0009D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0009D46A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 03698ff4b25828497fdb38a92d584cc4e32e94d4ca70598694df4e4c3a57d624
Instruction ID: f687a3c5904b99b96dbec7388908c7c74d5b2250f7c101e529d896d9cdf74a15
Opcode Fuzzy Hash: 03698ff4b25828497fdb38a92d584cc4e32e94d4ca70598694df4e4c3a57d624
Instruction Fuzzy Hash: 377187702487028FCB15EF24C4D1AAEB7E4BF84314F04496DF9968B2A2DB70ED09DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00050E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00050EF7

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7cdca257ecace310a8cbd90b860f329b2b8915882a64c2dcc767e909eca34846
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: F231D371A00106DBC768DF58D48296EF7A6FF59301B788AA5E80ACB651D731EDC5CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00D42300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00D42311

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 4013bc0e593425114d843e29d7469bf8fcbd73c2e12b0edce7ff505690fc2d2c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A7E0BF7494010D9FDB00EFB8D5496AE7BB4EF04701F500565FD0192280D63099508A72

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000BCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000BCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000BCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000BCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000BCF00
SendMessageW.USER32 ref: 000BCF29
_wcsncpy.LIBCMT ref: 000BCFA1
GetKeyState.USER32(00000011), ref: 000BCFC2
GetKeyState.USER32(00000009), ref: 000BCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000BCFE5
GetKeyState.USER32(00000010), ref: 000BCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000BD018
SendMessageW.USER32 ref: 000BD03F
SendMessageW.USER32(?,00001030,?,000BB602), ref: 000BD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000BD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000BD16E
SetCapture.USER32(?), ref: 000BD177
ClientToScreen.USER32(?,?), ref: 000BD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000BD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000BD203
ReleaseCapture.USER32 ref: 000BD20E
GetCursorPos.USER32(?), ref: 000BD248
ScreenToClient.USER32(?,?), ref: 000BD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 000BD2B1
SendMessageW.USER32 ref: 000BD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 000BD31C
SendMessageW.USER32 ref: 000BD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000BD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000BD37B
GetCursorPos.USER32(?), ref: 000BD39B
ScreenToClient.USER32(?,?), ref: 000BD3A8
GetParent.USER32(?), ref: 000BD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 000BD431
SendMessageW.USER32 ref: 000BD462
ClientToScreen.USER32(?,?), ref: 000BD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000BD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 000BD51A
SendMessageW.USER32 ref: 000BD53D
ClientToScreen.USER32(?,?), ref: 000BD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000BD5C3

Part of subcall function 000325DB: GetWindowLongW.USER32(?,000000EB), ref: 000325EC

GetWindowLongW.USER32(?,000000F0), ref: 000BD65F

Strings

@GUI_DRAGID, xrefs: 000BD1AA
F, xrefs: 000BD543

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: dc1d80cb6bf3f1769c9e8ae5802576fb75da2c41d085437531e7016f0c436c38
Instruction ID: 3b31e6ae2d03822ffc0cfcd8725c79c146aa63e51e2a9e19fec4428c06a981ce
Opcode Fuzzy Hash: dc1d80cb6bf3f1769c9e8ae5802576fb75da2c41d085437531e7016f0c436c38
Instruction Fuzzy Hash: F7427930204241EFE725DF28C884EEABBE5FF48354F14062EF6A5972A1D735E851DB92

Uniqueness

Uniqueness Score: -1.00%

Function 000B804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000B873F

Strings

%d/%02d/%02d, xrefs: 000B8478

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: be7d4a5fa486996b13b4c75492dc01c146caffec63b17190b3334850ab8c02b2
Instruction ID: 7caccc3fdd337f5ea8eed2549d29751f7f17c5f9f5cc34f412278144398253e4
Opcode Fuzzy Hash: be7d4a5fa486996b13b4c75492dc01c146caffec63b17190b3334850ab8c02b2
Instruction Fuzzy Hash: 7012BB71540209ABEB258F28CC49FEF7BF8EB49754F248229F915EB2A1DF749941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0004710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000475C2
_memset.LIBCMT ref: 000476B1
_memmove.LIBCMT ref: 00047C4B
_memmove.LIBCMT ref: 00047E4F

Strings

Q\E, xrefs: 000481C1
[:<:]], xrefs: 000475F1
[:>:]], xrefs: 0004760A
\b(?=\w), xrefs: 00083C34
DEFINE, xrefs: 000825AF
\b(?<=\w), xrefs: 00083C41

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 54db181158fa7d3ab8e25500387911f7b9dfabb026ac358b7d84da930ad1f297
Instruction ID: 6f08612047ed9129a15ad36d570fe9b5d52d74184d57b473f5c23daa7d6fd609
Opcode Fuzzy Hash: 54db181158fa7d3ab8e25500387911f7b9dfabb026ac358b7d84da930ad1f297
Instruction Fuzzy Hash: 59939071A04216DFDB24DF58C881BADB7F1FF48710F25856AE989EB281E7709E81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00034A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00034A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0006DA8E
IsIconic.USER32(?), ref: 0006DA97
ShowWindow.USER32(?,00000009), ref: 0006DAA4
SetForegroundWindow.USER32(?), ref: 0006DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0006DAC4
GetCurrentThreadId.KERNEL32 ref: 0006DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0006DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0006DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0006DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0006DAF8
SetForegroundWindow.USER32(?), ref: 0006DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0006DB10
keybd_event.USER32(00000012,00000000), ref: 0006DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0006DB25
keybd_event.USER32(00000012,00000000), ref: 0006DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0006DB33
keybd_event.USER32(00000012,00000000), ref: 0006DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0006DB42
keybd_event.USER32(00000012,00000000), ref: 0006DB47
SetForegroundWindow.USER32(?), ref: 0006DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0006DB71

Strings

Shell_TrayWnd, xrefs: 0006DA89

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4126503aa873e975cabeb582f3be8584f8a0d81c375a04f6503fd405d95b7076
Instruction ID: 7ead457b58601c624a03f309955e08cce8b89bed6fbf07c97981b51213519900
Opcode Fuzzy Hash: 4126503aa873e975cabeb582f3be8584f8a0d81c375a04f6503fd405d95b7076
Instruction Fuzzy Hash: 3C316271B80318BAFB316FA59C49FBE3E6DEB44B50F114166FA04EB1D0C6B45900AAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00088858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00088CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00088D0D
Part of subcall function 00088CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00088D3A
Part of subcall function 00088CC3: GetLastError.KERNEL32 ref: 00088D47

_memset.LIBCMT ref: 0008889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000888ED
CloseHandle.KERNEL32(?), ref: 000888FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00088915
GetProcessWindowStation.USER32 ref: 0008892E
SetProcessWindowStation.USER32(00000000), ref: 00088938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00088952

Part of subcall function 00088713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00088851), ref: 00088728
Part of subcall function 00088713: CloseHandle.KERNEL32(?,?,00088851), ref: 0008873A

Strings

default, xrefs: 0008894D
, xrefs: 000888AA
winsta0, xrefs: 00088910

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: d6957a755aa033d62f65400eeb59933459c203c399e1f6bdc2d0213438627c5c
Instruction ID: ab7f9c0282a425d3b777203486819b6d366557eaa2e21556bdfb309c7bb424c3
Opcode Fuzzy Hash: d6957a755aa033d62f65400eeb59933459c203c399e1f6bdc2d0213438627c5c
Instruction Fuzzy Hash: C6814D71900209AFEF25EFA4DC45AEE7BB8FF04304F58816AF950B61A1DB358E14DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000A425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(000BF910), ref: 000A4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 000A4292
GetClipboardData.USER32(0000000D), ref: 000A429A
CloseClipboard.USER32 ref: 000A42A6
GlobalLock.KERNEL32(00000000), ref: 000A42C2
CloseClipboard.USER32 ref: 000A42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 000A42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 000A42EE
GetClipboardData.USER32(00000001), ref: 000A42F6
GlobalLock.KERNEL32(00000000), ref: 000A4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 000A4337
CloseClipboard.USER32 ref: 000A4447

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 1e232a2653384ea778967df4498085e3523bbc8138c6cf53ef75f7af12fb20d2
Instruction ID: 9da11e3aad40fa95e5d82fa9b1322cc8be1ea91e948fa828540fd79702f07186
Opcode Fuzzy Hash: 1e232a2653384ea778967df4498085e3523bbc8138c6cf53ef75f7af12fb20d2
Instruction Fuzzy Hash: 8B519579204302ABE711EFA4DC85FFE77A8AF85B01F004629F556D31A2DBB4D9058B62

Uniqueness

Uniqueness Score: -1.00%

Function 0009C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0009C9F8
FindClose.KERNEL32(00000000), ref: 0009CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0009CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0009CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0009CAAF
__swprintf.LIBCMT ref: 0009CAFB
__swprintf.LIBCMT ref: 0009CB3E

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

__swprintf.LIBCMT ref: 0009CB92

Part of subcall function 000538D8: __woutput_l.LIBCMT ref: 00053931

__swprintf.LIBCMT ref: 0009CBE0

Part of subcall function 000538D8: __flsbuf.LIBCMT ref: 00053953
Part of subcall function 000538D8: __flsbuf.LIBCMT ref: 0005396B

__swprintf.LIBCMT ref: 0009CC2F
__swprintf.LIBCMT ref: 0009CC7E
__swprintf.LIBCMT ref: 0009CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0009CAF5
%02d, xrefs: 0009CB86, 0009CB90, 0009CBDE, 0009CC2D, 0009CC7C, 0009CCCB
%4d, xrefs: 0009CB38

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 90ec984bb54a8f9c946a21546bd718fe801747c100e34d566798196c1c6a2576
Instruction ID: fc79c91cf1a5fd820b89360c01d4f1c59e52bade38f94bc28bf3f390452c8d6c
Opcode Fuzzy Hash: 90ec984bb54a8f9c946a21546bd718fe801747c100e34d566798196c1c6a2576
Instruction Fuzzy Hash: D1A14BB2508305AFD715EB65CD86DEFB7ECAF84701F400929B58687192EB74DA08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0009F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0009F221
_wcscmp.LIBCMT ref: 0009F236
_wcscmp.LIBCMT ref: 0009F24D
GetFileAttributesW.KERNEL32(?), ref: 0009F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0009F279
FindNextFileW.KERNEL32(00000000,?), ref: 0009F291
FindClose.KERNEL32(00000000), ref: 0009F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0009F2B8
_wcscmp.LIBCMT ref: 0009F2DF
_wcscmp.LIBCMT ref: 0009F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0009F308
SetCurrentDirectoryW.KERNEL32(000EA5A0), ref: 0009F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0009F330
FindClose.KERNEL32(00000000), ref: 0009F33D
FindClose.KERNEL32(00000000), ref: 0009F34F

Strings

*.*, xrefs: 0009F2B3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 3cd0550077b668757c83abefd237d8588d459e445331600dd4b5c0fdbf02e6eb
Instruction ID: 993bf0050ba1bcd23c1cb8620d1a14d06147565981dd578f1f5cd4de9c128b5a
Opcode Fuzzy Hash: 3cd0550077b668757c83abefd237d8588d459e445331600dd4b5c0fdbf02e6eb
Instruction Fuzzy Hash: 8231C37660021A6EDF20DBB4DC48AFE73EC9F09361F144275E914E30A0EB38DB45DA60

Uniqueness

Uniqueness Score: -1.00%

Function 000B0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,000BF910,00000000,?,00000000,?,?), ref: 000B0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000B0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000B0D1D
RegCloseKey.ADVAPI32(?), ref: 000B103D
RegCloseKey.ADVAPI32(00000000), ref: 000B104A

Strings

REG_QWORD, xrefs: 000B0F8B
REG_BINARY, xrefs: 000B0FD8
REG_MULTI_SZ, xrefs: 000B0E05
REG_DWORD, xrefs: 000B0F0E
REG_EXPAND_SZ, xrefs: 000B0CBA
REG_SZ, xrefs: 000B0D5B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 73fa70f88c7a93b6cfc8250e2d422a826b7461d0610509017f1e8ba892fc4579
Instruction ID: 2e838baa6f4f2799e88c1aa6fff56ab3e071181ba21c5477f7867391ae34239b
Opcode Fuzzy Hash: 73fa70f88c7a93b6cfc8250e2d422a826b7461d0610509017f1e8ba892fc4579
Instruction Fuzzy Hash: FA027D752006119FCB15EF28C891EAAB7E5FF88710F04895DF99A9B362CB70ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0009F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0009F37E
_wcscmp.LIBCMT ref: 0009F393
_wcscmp.LIBCMT ref: 0009F3AA

Part of subcall function 000945C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000945DC

FindNextFileW.KERNEL32(00000000,?), ref: 0009F3D9
FindClose.KERNEL32(00000000), ref: 0009F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0009F400
_wcscmp.LIBCMT ref: 0009F427
_wcscmp.LIBCMT ref: 0009F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0009F450
SetCurrentDirectoryW.KERNEL32(000EA5A0), ref: 0009F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0009F478
FindClose.KERNEL32(00000000), ref: 0009F485
FindClose.KERNEL32(00000000), ref: 0009F497

Strings

*.*, xrefs: 0009F3FB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: a9d167ac5632b2b9bc0bb413569411a558b5d28866b789b48d991f0e27cac487
Instruction ID: 20a4265a286ea3286a1711ad073bb707fe4ce1e340b7c7224095c0dc5e5a504e
Opcode Fuzzy Hash: a9d167ac5632b2b9bc0bb413569411a558b5d28866b789b48d991f0e27cac487
Instruction Fuzzy Hash: F731B17260121A6EDF20ABA4EC88AFF77AC9F49364F144275E854E30A1DB34DA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000881F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0008874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00088766
Part of subcall function 0008874A: GetLastError.KERNEL32(?,0008822A,?,?,?), ref: 00088770
Part of subcall function 0008874A: GetProcessHeap.KERNEL32(00000008,?,?,0008822A,?,?,?), ref: 0008877F
Part of subcall function 0008874A: HeapAlloc.KERNEL32(00000000,?,0008822A,?,?,?), ref: 00088786
Part of subcall function 0008874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0008879D

Part of subcall function 000887E7: GetProcessHeap.KERNEL32(00000008,00088240,00000000,00000000,?,00088240,?), ref: 000887F3
Part of subcall function 000887E7: HeapAlloc.KERNEL32(00000000,?,00088240,?), ref: 000887FA
Part of subcall function 000887E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00088240,?), ref: 0008880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0008825B
_memset.LIBCMT ref: 00088270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0008828F
GetLengthSid.ADVAPI32(?), ref: 000882A0
GetAce.ADVAPI32(?,00000000,?), ref: 000882DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000882F9
GetLengthSid.ADVAPI32(?), ref: 00088316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00088325
HeapAlloc.KERNEL32(00000000), ref: 0008832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0008834D
CopySid.ADVAPI32(00000000), ref: 00088354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00088385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000883AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000883BF

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e52134c6e7aac14e9c131bcd980274304cb646941ca049256617033e730ac2e9
Instruction ID: 39b163c4d081e058ca2e5d8317b1aad464a9a5d74490c492c3fd2102140de5a2
Opcode Fuzzy Hash: e52134c6e7aac14e9c131bcd980274304cb646941ca049256617033e730ac2e9
Instruction Fuzzy Hash: 64616A7190020ABFDF00EFA4DC84AEEBBB9FF04710F448269F955A7291DB359A15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00046843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

UCP), xrefs: 00081546
NO_AUTO_POSSESS), xrefs: 00081567
NO_START_OPT), xrefs: 00081588
UTF16), xrefs: 00081508
CRLF), xrefs: 000816FA
ANYCRLF), xrefs: 00081734
UTF), xrefs: 00081533
CR), xrefs: 000816C0
BSR_ANYCRLF), xrefs: 00081757
PJ, xrefs: 000468B3
ANY), xrefs: 00081717
LF), xrefs: 000816DD
BSR_UNICODE), xrefs: 00081771
LIMIT_MATCH=, xrefs: 000815A9
LIMIT_RECURSION=, xrefs: 00081635

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
API String ID: 0-1921582843
Opcode ID: 2a4e7d589685407cabe9cec717b60e6ff5d672e1c3edfd10fa5b2268707db7d1
Instruction ID: f9a2fa704cafc680d386d590bbed10db299cdebc9700b2b73c1297370b213e09
Opcode Fuzzy Hash: 2a4e7d589685407cabe9cec717b60e6ff5d672e1c3edfd10fa5b2268707db7d1
Instruction Fuzzy Hash: B4727FB1E002199BDB24DF58C8807EEB7F5FF49310F14816AE849EB281EB759D81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 000B0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000B10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B0038,?,?), ref: 000B10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B0737

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000B07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000B086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000B0AAD
RegCloseKey.ADVAPI32(00000000), ref: 000B0ABA

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: d1c32986d12bf646ada530c8074813a4813e0a125b1d67a918bf1d156cae909a
Instruction ID: d35c802b3650f3f895366fb5f14b5b6c3826198f9d53729ea0c27963033b9b4f
Opcode Fuzzy Hash: d1c32986d12bf646ada530c8074813a4813e0a125b1d67a918bf1d156cae909a
Instruction Fuzzy Hash: 1BE14F71604211AFCB15DF28C895EABBBE8FF89714F04896DF44AD7262DB30E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00090219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00090241
GetAsyncKeyState.USER32(000000A0), ref: 000902C2
GetKeyState.USER32(000000A0), ref: 000902DD
GetAsyncKeyState.USER32(000000A1), ref: 000902F7
GetKeyState.USER32(000000A1), ref: 0009030C
GetAsyncKeyState.USER32(00000011), ref: 00090324
GetKeyState.USER32(00000011), ref: 00090336
GetAsyncKeyState.USER32(00000012), ref: 0009034E
GetKeyState.USER32(00000012), ref: 00090360
GetAsyncKeyState.USER32(0000005B), ref: 00090378
GetKeyState.USER32(0000005B), ref: 0009038A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2739a851ba1885b5588c6ba6cab93fcfe4e0131bf31e90d4b1f8e0a59c074c16
Instruction ID: b37dff5a25667ac8f2a7152dbdd43f9fd7b3a8c93164de7c16c16d98a9352c30
Opcode Fuzzy Hash: 2739a851ba1885b5588c6ba6cab93fcfe4e0131bf31e90d4b1f8e0a59c074c16
Instruction Fuzzy Hash: 3141A9345047CA6EFFB19B6488083F5BEE46F12340F48C19ED6C6471C2E7955AC4E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000A447F
EmptyClipboard.USER32 ref: 000A4485
GlobalAlloc.KERNEL32(00000002,?), ref: 000A449A
CloseClipboard.USER32 ref: 000A4539

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8d843073ac80a72f9b60525893d5e775ebe80a26d57be3f9031aaf2c75c675ed
Instruction ID: 5e33c1c6467507d3385eea785a9b093444f2b9e1c9725e267b1c34fc698899b2
Opcode Fuzzy Hash: 8d843073ac80a72f9b60525893d5e775ebe80a26d57be3f9031aaf2c75c675ed
Instruction Fuzzy Hash: 9921C7393006119FEB11AFA4EC09BBD77A8EF44711F10812AF946DB272CBB9AC01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00093A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000348A1,?,?,000337C0,?), ref: 000348CE

Part of subcall function 00094CD3: GetFileAttributesW.KERNEL32(?,00093947), ref: 00094CD4

FindFirstFileW.KERNEL32(?,?), ref: 00093ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00093B87
MoveFileW.KERNEL32(?,?), ref: 00093B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00093BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00093BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00093BF5

Strings

\*.*, xrefs: 00093A8A, 00093A93, 00093AA8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 55426634739d8fca3e59f98b077936880b8730af24b6348d5015b26e28cec156
Instruction ID: 32b442775024f754f7dc0699a2618f16201fbb089202a5eb799d3eaa7cdb23dc
Opcode Fuzzy Hash: 55426634739d8fca3e59f98b077936880b8730af24b6348d5015b26e28cec156
Instruction Fuzzy Hash: 9E51617180514D9ACF16EBA0CD929FDB7B9AF14300F6441A9E446770A2EF316F09DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0009F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0009F6AB
Sleep.KERNEL32(0000000A), ref: 0009F6DB
_wcscmp.LIBCMT ref: 0009F6EF
_wcscmp.LIBCMT ref: 0009F70A
FindNextFileW.KERNEL32(?,?), ref: 0009F7A8
FindClose.KERNEL32(00000000), ref: 0009F7BE

Strings

*.*, xrefs: 0009F690

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 00c7e6ab2ac26d306d52f60a8d62befd7a1da9797201e81af4946483d9af0628
Instruction ID: fb22b069388210289c62321533b0cc5adab42f16fad93c84f8a26b003603e93c
Opcode Fuzzy Hash: 00c7e6ab2ac26d306d52f60a8d62befd7a1da9797201e81af4946483d9af0628
Instruction Fuzzy Hash: 36415D7190420A9FDF65DFA4CC85AFEBBB8FF09310F144566E815A71A1DB309E84DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00044140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00044520
VUUU, xrefs: 00077B0C
VUUU, xrefs: 000444ED
ERCP, xrefs: 0004421F
VUUU, xrefs: 000444DB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a9be10542600178f6d8272ab7d11b4ad2574b94e831349fbe81c3826d014a260
Instruction ID: 02d8014e5b057fc5b78da16c06d2fc11a73b0f3076c711935ff56e6fb7cb59e1
Opcode Fuzzy Hash: a9be10542600178f6d8272ab7d11b4ad2574b94e831349fbe81c3826d014a260
Instruction Fuzzy Hash: 92A29EB0E0421ACBDF74CF58C9847ADB7F1BB54354F24C1AAD81AA7280E7749E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 000458C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00045A05
_memmove.LIBCMT ref: 00045A55
_memmove.LIBCMT ref: 00045ABB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 046d31cdb78197d3cee96a27a768ca24e7802e652eb793d0aa52ff00fc16a062
Instruction ID: 17cdfa61beb3e75f5ebbc304f17e91788f011a08882745f78d9f630582315b5c
Opcode Fuzzy Hash: 046d31cdb78197d3cee96a27a768ca24e7802e652eb793d0aa52ff00fc16a062
Instruction Fuzzy Hash: 7712BDB0A00609DFDF14DFA4D981AEEB7F9FF48300F104169E846A7292EB35AD15CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0009545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00088CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00088D0D
Part of subcall function 00088CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00088D3A
Part of subcall function 00088CC3: GetLastError.KERNEL32 ref: 00088D47

ExitWindowsEx.USER32(?,00000000), ref: 0009549B

Strings

@, xrefs: 0009548E
, xrefs: 00095489
SeShutdownPrivilege, xrefs: 0009546B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1127194aae22287e55b27277a6b91ffbade4a0e384670955b8dd48bbf3f5dc66
Instruction ID: 002104fe5b46eced69b8df6cd5330d77c9ef3c9d5f405252516c3e38334e21bc
Opcode Fuzzy Hash: 1127194aae22287e55b27277a6b91ffbade4a0e384670955b8dd48bbf3f5dc66
Instruction Fuzzy Hash: 57012831655A025AFFF96276DC4ABFA72A8AB04347F200121FD46D60D3D5545C806390

Uniqueness

Uniqueness Score: -1.00%

Function 000A6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000A65EF
WSAGetLastError.WSOCK32(00000000), ref: 000A65FE
bind.WSOCK32(00000000,?,00000010), ref: 000A661A
listen.WSOCK32(00000000,00000005), ref: 000A6629
WSAGetLastError.WSOCK32(00000000), ref: 000A6643
closesocket.WSOCK32(00000000,00000000), ref: 000A6657

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 95a49ecdf4b4ef715d73c2b33de870c01075f77f4c0158140ab7ad512a6e3f6d
Instruction ID: 60580e44283bfec0cf6a41b319a662d72bf15b57bc60c5bde810d6cdc73d59fb
Opcode Fuzzy Hash: 95a49ecdf4b4ef715d73c2b33de870c01075f77f4c0158140ab7ad512a6e3f6d
Instruction Fuzzy Hash: 32219E346002119FDB10AFA4CC49BBEB7F9EF46720F148269E956A72D2CB74AD01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00045680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00050FF6: std::exception::exception.LIBCMT ref: 0005102C
Part of subcall function 00050FF6: __CxxThrowException@8.LIBCMT ref: 00051041

_memmove.LIBCMT ref: 0008062F
_memmove.LIBCMT ref: 00080744
_memmove.LIBCMT ref: 000807EB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 5bea54da3629bbbc4c589fbc1604bfc3502cfd3695c5e89560d69809f749f4d3
Instruction ID: 64227e3b2a47c2c2c20b26b3097e093e98923d7c6709f7fec73e1e7a28d172d5
Opcode Fuzzy Hash: 5bea54da3629bbbc4c589fbc1604bfc3502cfd3695c5e89560d69809f749f4d3
Instruction Fuzzy Hash: 0802A0B0E00205DBDF54DF64D9816AEBBB5FF44300F148079E846EB296EB31DA54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00031287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

DefDlgProcW.USER32(?,?,?,?,?), ref: 000319FA
GetSysColor.USER32(0000000F), ref: 00031A4E
SetBkColor.GDI32(?,00000000), ref: 00031A61

Part of subcall function 00031290: DefDlgProcW.USER32(?,00000020,?), ref: 000312D8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 6f6885745c57bda2f57582c9c3495fdf57ee9447010b95482192efea12df25af
Instruction ID: 2253e21eccb03c741b3854f5a8105ad08bebe654b1c2c677c19fe880e3268d78
Opcode Fuzzy Hash: 6f6885745c57bda2f57582c9c3495fdf57ee9447010b95482192efea12df25af
Instruction Fuzzy Hash: 66A148B1105944BAE63AAB298C55EFF36DEDF4E392F14021AF402D6193CF259D41E2B3

Uniqueness

Uniqueness Score: -1.00%

Function 000A6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000A80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000A80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000A6AB1
WSAGetLastError.WSOCK32(00000000), ref: 000A6ADA
bind.WSOCK32(00000000,?,00000010), ref: 000A6B13
WSAGetLastError.WSOCK32(00000000), ref: 000A6B20
closesocket.WSOCK32(00000000,00000000), ref: 000A6B34

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 683385c9f74d2fcc0bbd31bfd9feb61488761e2b0d3048331e5e8b209befbb4e
Instruction ID: bc5a7261cfcad819ae20ff45182009305db09b14dde8366d1b02dcb8a7b9155f
Opcode Fuzzy Hash: 683385c9f74d2fcc0bbd31bfd9feb61488761e2b0d3048331e5e8b209befbb4e
Instruction Fuzzy Hash: 0041B275600210AFEB11AF68DC86FBE77A89B09710F04855CF95AAB3C3CB749D008B92

Uniqueness

Uniqueness Score: -1.00%

Function 000B55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000B564C
IsWindowEnabled.USER32 ref: 000B565A
GetForegroundWindow.USER32(?,?,00000001), ref: 000B5667
IsIconic.USER32 ref: 000B5675
IsZoomed.USER32 ref: 000B5683

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 94b970396ff070bd407a07bdbd9d1f38a937186aeb2b60dc0927bfa684d6e8ca
Instruction ID: e23cd13e6479621168064c66870d23d5432f09c1a960b7738aaa62ab6748364b
Opcode Fuzzy Hash: 94b970396ff070bd407a07bdbd9d1f38a937186aeb2b60dc0927bfa684d6e8ca
Instruction Fuzzy Hash: 8811BF31700A116FE7222F26DC44BEFBBDCEF58722F814569E946D7241CB7499028AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0009C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0009C69D
CoCreateInstance.OLE32(000C2D6C,00000000,00000001,000C2BDC,?), ref: 0009C6B5

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

CoUninitialize.OLE32 ref: 0009C922

Strings

.lnk, xrefs: 0009C631, 0009C659, 0009C663

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7405cda14c4f885220f1cd41075e01144775910bcbadd3d378b0a3f05ba28217
Instruction ID: 5f97561b64df287de11f0b59f1f6c9042b63956874fe2c247b238afbeed2d5d5
Opcode Fuzzy Hash: 7405cda14c4f885220f1cd41075e01144775910bcbadd3d378b0a3f05ba28217
Instruction Fuzzy Hash: 96A11A71108205AFD705EF54CC81EABB7ECFF94704F04492CF1969B1A2DBB1AA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00094021 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0009404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00094088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00094091

Strings

pb, xrefs: 00094024

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: pb
API String ID: 33631002-3672949377
Opcode ID: 6f1b23661f4f614bbc2d20920fda2aedda00cb0596b3c274d2d9673e9ea74fba
Instruction ID: 0f7197e17a7e185d1fa395fc90b580f57f0142bce644a09f8cb563e6c869c1a7
Opcode Fuzzy Hash: 6f1b23661f4f614bbc2d20920fda2aedda00cb0596b3c274d2d9673e9ea74fba
Instruction Fuzzy Hash: CF1182B1D00229BEEB209BE8DC48FBFBBFCEB48710F000656BA04E7191D2785D0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 000AC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00071D88,?), ref: 000AC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000AC324

Strings

GetSystemWow64DirectoryW, xrefs: 000AC31E
kernel32.dll, xrefs: 000AC30D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 1875fb5df800de4a78c5e4ef1a191f6c29ac99353048a3465b8fba35078545a1
Instruction ID: efcaff242effe20a90d037cb9741969c87a60f009eb4a5f94fd824f341b245cb
Opcode Fuzzy Hash: 1875fb5df800de4a78c5e4ef1a191f6c29ac99353048a3465b8fba35078545a1
Instruction Fuzzy Hash: B3E08C71200303CFEF204B69CC14ED676D8EB19314B80C839E895EB220E774D880CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00043190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 7e2434903b6e84fb75f69f7c00fd01615c96095bf44997385fae516380285f39
Instruction ID: a8cb6372187025d4528e093ae5d84919a10f20ad7c1d8595828f83e1bb7f5e30
Opcode Fuzzy Hash: 7e2434903b6e84fb75f69f7c00fd01615c96095bf44997385fae516380285f39
Instruction Fuzzy Hash: A122A0B15083019FD725DF24C881BAFB7E4BF84700F10892DF89A97292DB75EA04CB96

Uniqueness

Uniqueness Score: -1.00%

Function 000AF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000AF151
Process32FirstW.KERNEL32(00000000,?), ref: 000AF15F

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Process32NextW.KERNEL32(00000000,?), ref: 000AF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 000AF22E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 136f4d5460d133bdc47506a89c308c6b1aed7297213dcf630db069257bac76b2
Instruction ID: 5099f103633d55a8241fb7058d1fafe426cbe95f97cdb39fa17f51f6814bbcb9
Opcode Fuzzy Hash: 136f4d5460d133bdc47506a89c308c6b1aed7297213dcf630db069257bac76b2
Instruction Fuzzy Hash: 9C518E71508701AFD321EF64DC81EABB7E8FF95710F14492DF49597262EB70A904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0008EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0008EB19

Strings

|, xrefs: 0008EB49
(, xrefs: 0008EB5F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1bdec94da169457d1ea787b9e0d341a15e92e02e73dcc13ae2ecbabbfe3629ba
Instruction ID: fdc953fd41c97e9b94ded94f5a3c0f5ba827e43d45340a57c7c69f2ad4091f49
Opcode Fuzzy Hash: 1bdec94da169457d1ea787b9e0d341a15e92e02e73dcc13ae2ecbabbfe3629ba
Instruction Fuzzy Hash: 94323775A007059FD728DF29C481A6AB7F1FF48310B11C56EE99ADB3A2E770E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000A25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 000A26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 000A270C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 774496b34e79c7f94962af48623c5b46046b715dde219a89a1a029f318db4bb7
Instruction ID: 3c4440b6e233a1fc8265cdc763e5d7997bd657145ee13f5b09b1d329a59080a5
Opcode Fuzzy Hash: 774496b34e79c7f94962af48623c5b46046b715dde219a89a1a029f318db4bb7
Instruction Fuzzy Hash: 6D41C175A04209BFEB20DAD8DC85EFFB7FCEB41725F10407AFA01A6141EA719E459660

Uniqueness

Uniqueness Score: -1.00%

Function 0009B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0009B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0009B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0009B655

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e61f7ceedfa670ed434424d7ee606d206572e82462c2843be482d9a5491c9b85
Instruction ID: 6751c5ea890f2f4bcf0f98272f215a6b7af9c5c17d8a80acb8ce76d4dbf2e3ef
Opcode Fuzzy Hash: e61f7ceedfa670ed434424d7ee606d206572e82462c2843be482d9a5491c9b85
Instruction Fuzzy Hash: 04219035A00518EFCB00EFA5DC80EEDBBB8FF48310F0484A9E845AB362CB31A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00088CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00050FF6: std::exception::exception.LIBCMT ref: 0005102C
Part of subcall function 00050FF6: __CxxThrowException@8.LIBCMT ref: 00051041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00088D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00088D3A
GetLastError.KERNEL32 ref: 00088D47

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 97f8db053b41eafb3dc9f7f349e52fe3d500ab5228849033b8f6f0a9f6821bc6
Instruction ID: 942074bcef9c327629243d2542b6503b46dac9f734308b1790e0c15d8ed62bda
Opcode Fuzzy Hash: 97f8db053b41eafb3dc9f7f349e52fe3d500ab5228849033b8f6f0a9f6821bc6
Instruction Fuzzy Hash: 08118FB1414309AFE728AF58DC85DABB7F9FB44711B20852EF89693651EB70BC408B60

Uniqueness

Uniqueness Score: -1.00%

Function 00094C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00094C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00094C43
FreeSid.ADVAPI32(?), ref: 00094C53

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 237c7ac35b390ceb7ebeb71c39d3fd4bd33675da3d387b82de8ecfdf9c30410b
Instruction ID: 15cc898a5eda0c72cc2efc1f6326bb129d76fbdfce4d5350bc12e005ba99ae0c
Opcode Fuzzy Hash: 237c7ac35b390ceb7ebeb71c39d3fd4bd33675da3d387b82de8ecfdf9c30410b
Instruction Fuzzy Hash: 4DF03775A11209BFEF04DFE09C89ABEBBB8EB08201F0045A9A901E2191E6746A048B50

Uniqueness

Uniqueness Score: -1.00%

Function 0003E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df512fc503972567f2f4ddf8065264218cb47d4ec074efe1c2596fe6fdc3d24e
Instruction ID: 0de71532ed4210d88dd0e55ea877f40a47e613624bb2353ae31126aeb3334261
Opcode Fuzzy Hash: df512fc503972567f2f4ddf8065264218cb47d4ec074efe1c2596fe6fdc3d24e
Instruction Fuzzy Hash: 4122AF70A00256CFDB25DF54C484BAEB7F8FF08300F148669E856AB382E774AD85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0009C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0009C966
FindClose.KERNEL32(00000000), ref: 0009C996

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7a50ceee3bbcc91979102a534b8936779b2f9b722699ae8aa6759e81024aa61f
Instruction ID: f8c839e968b4895bc4f068bd75f480dfc566e0aef677b617f6c5920a11342aa4
Opcode Fuzzy Hash: 7a50ceee3bbcc91979102a534b8936779b2f9b722699ae8aa6759e81024aa61f
Instruction Fuzzy Hash: FA11A5316006009FDB10EF29D845A6AF7E9FF44320F008A1EF8A5D7291DB74AC00CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0009A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,000A977D,?,000BFB84,?), ref: 0009A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,000A977D,?,000BFB84,?), ref: 0009A314

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c46e2606698c7a100977da465a587c188c657e81eafd4a5b723321237338ba0e
Instruction ID: d9023e6c1ef8fed804b02c1b5cabd291b6e64af76bf6b55f3000b640af61a967
Opcode Fuzzy Hash: c46e2606698c7a100977da465a587c188c657e81eafd4a5b723321237338ba0e
Instruction Fuzzy Hash: 5DF0823564422DABEB21AFA4CC48FEA776DBF09761F008265F908D7281D6309A40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00088713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00088851), ref: 00088728
CloseHandle.KERNEL32(?,?,00088851), ref: 0008873A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 33465267dafadf245289af09e1bc0c768e13c2c60c99a9668bb3b702ba6f200c
Instruction ID: fa9e2a1266fe45c4b300c0649c53d2bca4b8f69134939039f21a10e3bb01c07e
Opcode Fuzzy Hash: 33465267dafadf245289af09e1bc0c768e13c2c60c99a9668bb3b702ba6f200c
Instruction Fuzzy Hash: 29E04632010601EEE7212B20EC08EB37BE9EB043617248929B89680471CB62ACA0DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0005A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00058F97,?,?,?,00000001), ref: 0005A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0005A3A3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a6e929a75846f69b7efce3e72ee89c41ad8718bbb8c4a2a204be363d89967d9d
Instruction ID: 82a33f715482fa61afaf38632ce3a9df181928919e2b2a014adab51e6f825a0d
Opcode Fuzzy Hash: a6e929a75846f69b7efce3e72ee89c41ad8718bbb8c4a2a204be363d89967d9d
Instruction Fuzzy Hash: EDB0923105420AABEA002B91EC09BE83FA8EB44EA2F408120F60E86060CBE656508A91

Uniqueness

Uniqueness Score: -1.00%

Function 0005F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8dbd421ec05ddc2e2b8d54beaff4ef374d50733e09c7f5a8e9cdf740078c49
Instruction ID: 4f3322c30e17f2ce0bc35387ca80e594868bc8b255186b630650bc8f8cb3b59b
Opcode Fuzzy Hash: 8f8dbd421ec05ddc2e2b8d54beaff4ef374d50733e09c7f5a8e9cdf740078c49
Instruction Fuzzy Hash: 6C322621D69F024DE7639634D932336A689AFB73C5F15D737EC1AB59A6EB2CC8834100

Uniqueness

Uniqueness Score: -1.00%

Function 0006267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4199e2ec85e5f52baad01c0056025bfa2ec62dbbd7e996b4bc752ced5e7cacf1
Instruction ID: dc72c767a6bfb2c1394b72ba0e4024906a4b14b7bfc35847242c688573348194
Opcode Fuzzy Hash: 4199e2ec85e5f52baad01c0056025bfa2ec62dbbd7e996b4bc752ced5e7cacf1
Instruction Fuzzy Hash: 6AB1F020E2AF454DE72397398835336BA4CAFBB2C9F51D71BFC2670D22EB2585834241

Uniqueness

Uniqueness Score: -1.00%

Function 00098B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00098B25

Part of subcall function 0005543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000991F8,00000000,?,?,?,?,000993A9,00000000,?), ref: 00055443
Part of subcall function 0005543A: __aulldiv.LIBCMT ref: 00055463

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: fefbb2d0523ec48e97b2750593e98e1a18715f42b5975b9b4bc1840fd238e7e9
Instruction ID: cd501fb36684e64b34a18c021394dd8c233e8f6e89f3dfcdc434214ecd90a53c
Opcode Fuzzy Hash: fefbb2d0523ec48e97b2750593e98e1a18715f42b5975b9b4bc1840fd238e7e9
Instruction Fuzzy Hash: 082124726355108FD729CF25D841A62B3E1EBA5311B288E2CD0E9CB6D0CA74B904DB80

Uniqueness

Uniqueness Score: -1.00%

Function 000A41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000A4218

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6ca9359eee3e0ae6d80cc1b2e46c7e84d903da15c7177f9b78a8b01d7d1ab96a
Instruction ID: 5dd3e4397544e019b5e5fbc37ab135ad6a4074828e52ada64edbed7622ee3064
Opcode Fuzzy Hash: 6ca9359eee3e0ae6d80cc1b2e46c7e84d903da15c7177f9b78a8b01d7d1ab96a
Instruction Fuzzy Hash: 4CE04F352502149FD710EF99D844A9AF7ECAF95760F008526FD49C7352DAB0EC408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00094EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00094EEC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: eefe7b78bfbd9fab9f386e19a6ba356e3221901ff289bf5bbac962b23fbf7c8f
Instruction ID: dfd0c730c05cee8cdb247d7227c78b82bb69bff898ad26d826c7c0412e30d67e
Opcode Fuzzy Hash: eefe7b78bfbd9fab9f386e19a6ba356e3221901ff289bf5bbac962b23fbf7c8f
Instruction Fuzzy Hash: 9AD0C7995647057AFDB84F249C5FFBB1149F304785FD4564AB106C90C2D8D46C577031

Uniqueness

Uniqueness Score: -1.00%

Function 00088C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000888D1), ref: 00088CB3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: d50c109cb214f9a6fb2f915f161c81c84681fb8820294aae7eda3cc8d5e95991
Instruction ID: 536891a197c7f53959932ae58d4ca95839497d07f01771e14d7d730865c9355c
Opcode Fuzzy Hash: d50c109cb214f9a6fb2f915f161c81c84681fb8820294aae7eda3cc8d5e95991
Instruction Fuzzy Hash: 65D05E3226050EABEF019EA4DC02EFE3B69EB04B01F408111FE15C60A1C775D835AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00072230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00072242

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 224ec59ddb800de6e8d35172cf9a7e7c850a7d1e743bfd85e33bf1222d382576
Instruction ID: ac119e2d79101896563f8d818e93dc2885431f28168f1d37dd5c3908dd2a53f6
Opcode Fuzzy Hash: 224ec59ddb800de6e8d35172cf9a7e7c850a7d1e743bfd85e33bf1222d382576
Instruction Fuzzy Hash: 30C04CF1C10109DBDB15EB90D988DFE77BCAB04304F108155A105F2150D7789B448B71

Uniqueness

Uniqueness Score: -1.00%

Function 0005A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0005A36A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a9adc61a77b482ef995ec9788af0f210c42c7c90ce157c803dc54b1d9d78f53e
Instruction ID: 1a83fe92ab395b886038882e390e0697b7d4e2031fc82037a3b5eb5984fc871b
Opcode Fuzzy Hash: a9adc61a77b482ef995ec9788af0f210c42c7c90ce157c803dc54b1d9d78f53e
Instruction Fuzzy Hash: C4A0123000010DA78A001B41EC044947F9CD7005907008020F40D4102187B255104580

Uniqueness

Uniqueness Score: -1.00%

Function 00048A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668a5e8d65626290186a4431d64e20e4efcc08b220ac013fd8ac97f53daafba9
Instruction ID: 57855033374b95077472c80453125c258279a4be37e2a52ea4177acd8ccdfb0e
Opcode Fuzzy Hash: 668a5e8d65626290186a4431d64e20e4efcc08b220ac013fd8ac97f53daafba9
Instruction Fuzzy Hash: 442268B0605656CBEF789B18C8C467D77E1FB01305F28C87AD8869B291EB309D81DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00052405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 899224310979befe311d6eee21f2958ee8ffcf6ce316b31e564879d7a3353240
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 85C1613220915309DBAD8639947417FBAE15FA37B231A076DECB2CB5C4EF20D968D720

Uniqueness

Uniqueness Score: -1.00%

Function 0005283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d0bc631f170a28818f42a96c54dfe599407b42872a4e97c8ffb5365993261fc9
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 88C153322091930ADBAD4639943417FBAE15FA37B231A076DECB2DB5D5EF10D92C9620

Uniqueness

Uniqueness Score: -1.00%

Function 00051BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 71efa3fe1122b850b656be2c643c5df267531f5ef7a75f880e3faa05b8ac7ab8
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: FBC1753220915309DFAD463994342BFBAE15B927B731A076DECB2CB5C4EF10D968D760

Uniqueness

Uniqueness Score: -1.00%

Function 00D43640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: f7399779f66d646d7c93528fd64e26d5f31d0eb985c4f4bb28b300c57dfd43c8
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2241E3B1D1051CEBCF48CFADC890AEEBBF2AF88201F548299D516AB345D730AB01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00D434D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: c017c24c5b9f2d256c903d24bf03b6857d887814efd87096ee19d039476c1028
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 3B019D78A00209EFCB48DF98C5909AEF7B5FB48310F248599E809A7741E730EE41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00D43530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 346799522ac54dd4f011bd6e7e8c58e628111a58e77768e335bd84a387ae1130
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: C0019D78A05209EFCB48DF98C5909AEF7B5FB48310F208699E809A7701E730EE51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D41ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123791295.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_d40000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 000A7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000A7B70
DeleteObject.GDI32(00000000), ref: 000A7B82
DestroyWindow.USER32 ref: 000A7B90
GetDesktopWindow.USER32 ref: 000A7BAA
GetWindowRect.USER32(00000000), ref: 000A7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 000A7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 000A7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7D4A
GetClientRect.USER32(00000000,?), ref: 000A7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000A7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7DF8
GlobalFree.KERNEL32(00000000), ref: 000A7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,000C2CAC,00000000), ref: 000A7E2B
GlobalFree.KERNEL32(00000000), ref: 000A7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 000A7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 000A7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000A808F

Strings

, xrefs: 000A8015
DISPLAY, xrefs: 000A7EF2
static, xrefs: 000A7D8A, 000A7EE1
AutoIt v3, xrefs: 000A7D42

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 99836a8ae1191fba3cb25623d453b5f7452ae126790d40316a027630bc802760
Instruction ID: 7d977608aa2288943bac3841ebc4480836b4eb68f3e488ecd19d8acab570f239
Opcode Fuzzy Hash: 99836a8ae1191fba3cb25623d453b5f7452ae126790d40316a027630bc802760
Instruction Fuzzy Hash: 82026E71900105EFDB14DFA8CC89EEE7BB9EB49310F148569F909AB2A1CB749D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000B37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,000BF910), ref: 000B38AF
IsWindowVisible.USER32(?), ref: 000B38D3

Strings

TABRIGHT, xrefs: 000B3925
GETSELECTED, xrefs: 000B3B2B
UNCHECK, xrefs: 000B3B0B
SETCURRENTSELECTION, xrefs: 000B3A3E
TABLEFT, xrefs: 000B390F
ISCHECKED, xrefs: 000B3AC1
HIDEDROPDOWN, xrefs: 000B3988
GETLINECOUNT, xrefs: 000B3B4E
GETCURRENTSELECTION, xrefs: 000B3A6B
CHECK, xrefs: 000B3AF5
GETCURRENTLINE, xrefs: 000B3B75
GETLINE, xrefs: 000B3C23
ADDSTRING, xrefs: 000B399E
EDITPASTE, xrefs: 000B3BE7
FINDSTRING, xrefs: 000B39FE
SELECTSTRING, xrefs: 000B3A8E
SENDCOMMANDID, xrefs: 000B3C62
DELSTRING, xrefs: 000B39D1
ISVISIBLE, xrefs: 000B38BF
GETCURRENTCOL, xrefs: 000B3BB0
ISENABLED, xrefs: 000B38F3
CURRENTTAB, xrefs: 000B3945
SHOWDROPDOWN, xrefs: 000B3968

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: d474bbdabbee889a7dd443b36b432ae5a2c60896b534fe050a1130a52f2df3e3
Instruction ID: b542c0ff075a8835fafc5551020eb63ecdbac21974137b3ec55343b1cd78680a
Opcode Fuzzy Hash: d474bbdabbee889a7dd443b36b432ae5a2c60896b534fe050a1130a52f2df3e3
Instruction Fuzzy Hash: 93D181342043069FCB25EF54C951AEE7BE5AF54344F24455CB8866B3A3CB35EE0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 000BA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000BA89F
GetSysColorBrush.USER32(0000000F), ref: 000BA8D0
GetSysColor.USER32(0000000F), ref: 000BA8DC
SetBkColor.GDI32(?,000000FF), ref: 000BA8F6
SelectObject.GDI32(?,?), ref: 000BA905
InflateRect.USER32(?,000000FF,000000FF), ref: 000BA930
GetSysColor.USER32(00000010), ref: 000BA938
CreateSolidBrush.GDI32(00000000), ref: 000BA93F
FrameRect.USER32(?,?,00000000), ref: 000BA94E
DeleteObject.GDI32(00000000), ref: 000BA955
InflateRect.USER32(?,000000FE,000000FE), ref: 000BA9A0
FillRect.USER32(?,?,?), ref: 000BA9D2
GetWindowLongW.USER32(?,000000F0), ref: 000BA9FD

Part of subcall function 000BAB60: GetSysColor.USER32(00000012), ref: 000BAB99
Part of subcall function 000BAB60: SetTextColor.GDI32(?,?), ref: 000BAB9D
Part of subcall function 000BAB60: GetSysColorBrush.USER32(0000000F), ref: 000BABB3
Part of subcall function 000BAB60: GetSysColor.USER32(0000000F), ref: 000BABBE
Part of subcall function 000BAB60: GetSysColor.USER32(00000011), ref: 000BABDB
Part of subcall function 000BAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000BABE9
Part of subcall function 000BAB60: SelectObject.GDI32(?,00000000), ref: 000BABFA
Part of subcall function 000BAB60: SetBkColor.GDI32(?,00000000), ref: 000BAC03
Part of subcall function 000BAB60: SelectObject.GDI32(?,?), ref: 000BAC10
Part of subcall function 000BAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 000BAC2F
Part of subcall function 000BAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000BAC46
Part of subcall function 000BAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 000BAC5B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 49d8533d61323bb84315e1c6d9f224fb6bf98ba05dce88ffb385324d3525224e
Instruction ID: 608192059d2de93680de5f16cda4be611404ca59e7ea194623dad076345d3cdf
Opcode Fuzzy Hash: 49d8533d61323bb84315e1c6d9f224fb6bf98ba05dce88ffb385324d3525224e
Instruction Fuzzy Hash: 29A18F72508702BFE7109F64DC08AAB7BE9FF89321F104B29FA62971A1D775D844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000A77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000A77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000A78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000A78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 000A7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 000A7946
GetClientRect.USER32(00000000,?), ref: 000A7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 000A7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000A79A5
GetStockObject.GDI32(00000011), ref: 000A79B5
SelectObject.GDI32(00000000,00000000), ref: 000A79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000A79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000A79D2
DeleteDC.GDI32(00000000), ref: 000A79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000A7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 000A7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 000A7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000A7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 000A7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 000A7AAE
GetStockObject.GDI32(00000011), ref: 000A7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000A7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 000A7ACE

Strings

DISPLAY, xrefs: 000A799B
static, xrefs: 000A7990, 000A7AA8
AutoIt v3, xrefs: 000A793E
msctls_progress32, xrefs: 000A7A4F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0149c9563649b2cfdcdbd1579f65bb5220d66e6aa0b0a160e8d8736e1ebc028f
Instruction ID: 2ad7029803e5e0c3a01579114da980dd88d47c5efea4ad3b58f203790f0068c1
Opcode Fuzzy Hash: 0149c9563649b2cfdcdbd1579f65bb5220d66e6aa0b0a160e8d8736e1ebc028f
Instruction Fuzzy Hash: 50A16171A40605BFEB149BA8DC4AFFE7BB9EB45710F008614FA15A72E1CB74AD00DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0009AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0009AF89
GetDriveTypeW.KERNEL32(?,000BFAC0,?,\\.\,000BF910), ref: 0009B066
SetErrorMode.KERNEL32(00000000,000BFAC0,?,\\.\,000BF910), ref: 0009B1C4

Strings

Network, xrefs: 0009B0A4
Removable, xrefs: 0009B0B8
iSCSI, xrefs: 0009B169
Fixed, xrefs: 0009B0AE
RAMDisk, xrefs: 0009B090
Unknown, xrefs: 0009B086, 0009B12A
Fibre, xrefs: 0009B154
\\.\, xrefs: 0009AFDB
SSD, xrefs: 0009B0F1
SAS, xrefs: 0009B170
USB, xrefs: 0009B15B
SATA, xrefs: 0009B177
ATA, xrefs: 0009B13F
SCSI, xrefs: 0009B131
SSA, xrefs: 0009B14D
ATAPI, xrefs: 0009B138
MMC, xrefs: 0009B185
RAID, xrefs: 0009B162
Virtual, xrefs: 0009B18C
PhysicalDrive, xrefs: 0009B012
1394, xrefs: 0009B146
FileBackedVirtual, xrefs: 0009B193
CDROM, xrefs: 0009B09A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 02bb892b5acad8c46eb57dd3da6369e7beb91382bff50cb85c21c76610ea421c
Instruction ID: dc60d976ad2d620f89604a090e172cecb13256a5d4198daca9db3badd6532073
Opcode Fuzzy Hash: 02bb892b5acad8c46eb57dd3da6369e7beb91382bff50cb85c21c76610ea421c
Instruction Fuzzy Hash: 6A51E330788345AFCF24DB11EFA29BD73B0EB5A361B604016E54ABB291C775AD41FB42

Uniqueness

Uniqueness Score: -1.00%

Function 00036A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00036A91
__wcsnicmp.LIBCMT ref: 00036AA9
__wcsnicmp.LIBCMT ref: 00036AC1
__wcsnicmp.LIBCMT ref: 00036AD9
__wcsnicmp.LIBCMT ref: 00036AF1
__wcsnicmp.LIBCMT ref: 00036B09
__wcsnicmp.LIBCMT ref: 00036B21
__wcsnicmp.LIBCMT ref: 00036B35
__wcsnicmp.LIBCMT ref: 00036B76
__wcsnicmp.LIBCMT ref: 00036B8A
__wcsnicmp.LIBCMT ref: 00036B9E
__wcsnicmp.LIBCMT ref: 00036BB2

Strings

Bad directive syntax error, xrefs: 0006E743
#include, xrefs: 00036B03
#pragma compile, xrefs: 00036A8B
#include-once, xrefs: 00036AEB
#comments-end, xrefs: 00036B98
#cs, xrefs: 00036B2F, 00036B84
#comments-start, xrefs: 00036B1B, 00036B70
#requireadmin, xrefs: 00036ABB
#ce, xrefs: 00036BAC
Unterminated group of comments, xrefs: 0006E82C
Cannot parse #include, xrefs: 0006E819
#OnAutoItStartRegister, xrefs: 00036AD3
#notrayicon, xrefs: 00036AA3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 05c955343a6148c5c4046f0044caf91f91de6ed2c903738477d582aa83b3e7d9
Instruction ID: 7b96f7031142625c8631352aff7cca13c9296a21e2ab5d7bb3fdb8aab8591619
Opcode Fuzzy Hash: 05c955343a6148c5c4046f0044caf91f91de6ed2c903738477d582aa83b3e7d9
Instruction Fuzzy Hash: A8813970604745BACB26AF60CC86FEF77ADAF14741F048024FD45AB1C3EB61EA45C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000BAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000BAB99
SetTextColor.GDI32(?,?), ref: 000BAB9D
GetSysColorBrush.USER32(0000000F), ref: 000BABB3
GetSysColor.USER32(0000000F), ref: 000BABBE
CreateSolidBrush.GDI32(?), ref: 000BABC3
GetSysColor.USER32(00000011), ref: 000BABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000BABE9
SelectObject.GDI32(?,00000000), ref: 000BABFA
SetBkColor.GDI32(?,00000000), ref: 000BAC03
SelectObject.GDI32(?,?), ref: 000BAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 000BAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000BAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 000BAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000BACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000BACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 000BACEC
DrawFocusRect.USER32(?,?), ref: 000BACF7
GetSysColor.USER32(00000011), ref: 000BAD05
SetTextColor.GDI32(?,00000000), ref: 000BAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000BAD21
SelectObject.GDI32(?,000BA869), ref: 000BAD38
DeleteObject.GDI32(?), ref: 000BAD43
SelectObject.GDI32(?,?), ref: 000BAD49
DeleteObject.GDI32(?), ref: 000BAD4E
SetTextColor.GDI32(?,?), ref: 000BAD54
SetBkColor.GDI32(?,?), ref: 000BAD5E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 63863c7f9a1de44334bf572ad7fc0e83a844a3b0be45f4b480a36af059bf0f67
Instruction ID: 0f18ea31bd9652ff28151a01fac44429bc09bec69ec392acd5acaa96b12f1b8c
Opcode Fuzzy Hash: 63863c7f9a1de44334bf572ad7fc0e83a844a3b0be45f4b480a36af059bf0f67
Instruction Fuzzy Hash: C9611D71900219FFEB119FA8DC48EEE7BB9EB09320F104625F915AB2A1D7759D40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 000B8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000B8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000B8D45
CharNextW.USER32(0000014E), ref: 000B8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000B8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000B8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000B8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000B8DF9
SetWindowTextW.USER32(?,0000014E), ref: 000B8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000B8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 000B8E8C
_memset.LIBCMT ref: 000B8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000B8EFA
_memset.LIBCMT ref: 000B8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 000B8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 000B8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 000B9088
InvalidateRect.USER32(?,00000000,00000001), ref: 000B90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000B90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000B9121
DrawMenuBar.USER32(?), ref: 000B9130
SetWindowTextW.USER32(?,0000014E), ref: 000B9158

Strings

0, xrefs: 000B90C2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 7826707743153fb3aa7b648ec88ac4ccee949ccbdcb73e898eb126581703fc11
Instruction ID: d56f3730fcfd1d2a1ac746fba435d423c14a783714d3b59e5d081f3697f4d68a
Opcode Fuzzy Hash: 7826707743153fb3aa7b648ec88ac4ccee949ccbdcb73e898eb126581703fc11
Instruction Fuzzy Hash: 32E18074900209ABDF209F64CC88EFE7BBDEF05750F108156FA15AB2A1DB749A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 000B4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000B4C51
GetDesktopWindow.USER32 ref: 000B4C66
GetWindowRect.USER32(00000000), ref: 000B4C6D
GetWindowLongW.USER32(?,000000F0), ref: 000B4CCF
DestroyWindow.USER32(?), ref: 000B4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000B4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000B4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000B4D68
SendMessageW.USER32(?,00000421,?,?), ref: 000B4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000B4D90
IsWindowVisible.USER32(?), ref: 000B4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000B4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000B4DDF
GetWindowRect.USER32(?,?), ref: 000B4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 000B4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 000B4E37
CopyRect.USER32(?,?), ref: 000B4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 000B4EB9

Strings

(, xrefs: 000B4E2A
0, xrefs: 000B4BFC
tooltips_class32, xrefs: 000B4D1D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b15c84e6f996c3cf83f7efd3744177ff398370a5df79f51c5c206ab9510750a5
Instruction ID: 6440ec21946cbe2287dd33dae7e9f1036f124a11bf918193f9612332d956a751
Opcode Fuzzy Hash: b15c84e6f996c3cf83f7efd3744177ff398370a5df79f51c5c206ab9510750a5
Instruction Fuzzy Hash: 2BB17D71604341AFDB54DF24C849BAABBE4FF88710F008A1DF5999B2A2DB75ED04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000946D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000946E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0009470E
_wcscpy.LIBCMT ref: 0009473C
_wcscmp.LIBCMT ref: 00094747
_wcscat.LIBCMT ref: 0009475D
_wcsstr.LIBCMT ref: 00094768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00094784
_wcscat.LIBCMT ref: 000947CD
_wcscat.LIBCMT ref: 000947D4
_wcsncpy.LIBCMT ref: 000947FF

Strings

DefaultLangCodepage, xrefs: 000947E7
04090000, xrefs: 000947BA
StringFileInfo\, xrefs: 00094757
\VarFileInfo\Translation, xrefs: 0009477C
%u.%u.%u.%u, xrefs: 00094862

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 63c20fca53cdcee954956833bc24e6cc60efb3557ce9ccbe5bc9a2da2b00c6c7
Instruction ID: d33b8191526d7ce6a200887d79dc82d55a54ded05be9c372cfef29e47cb8ff33
Opcode Fuzzy Hash: 63c20fca53cdcee954956833bc24e6cc60efb3557ce9ccbe5bc9a2da2b00c6c7
Instruction Fuzzy Hash: 13410272A042057AEB10AB649C47EFF77ACDF46711F00016AFE04B6183EF64AA05A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 000327D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000328BC
GetSystemMetrics.USER32(00000007), ref: 000328C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000328EF
GetSystemMetrics.USER32(00000008), ref: 000328F7
GetSystemMetrics.USER32(00000004), ref: 0003291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00032939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00032949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0003297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00032990
GetClientRect.USER32(00000000,000000FF), ref: 000329AE
GetStockObject.GDI32(00000011), ref: 000329CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 000329D5

Part of subcall function 00032344: GetCursorPos.USER32(?), ref: 00032357
Part of subcall function 00032344: ScreenToClient.USER32(000F67B0,?), ref: 00032374
Part of subcall function 00032344: GetAsyncKeyState.USER32(00000001), ref: 00032399
Part of subcall function 00032344: GetAsyncKeyState.USER32(00000002), ref: 000323A7

SetTimer.USER32(00000000,00000000,00000028,00031256), ref: 000329FC

Strings

AutoIt v3 GUI, xrefs: 00032974

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 02ab2f088a25fb39ae1873ed111094ba74df8214b83ed1f68390b0511411e846
Instruction ID: f02afdd6ff5a0cb3eb5a9fa7958534a4fb8f6958b5570e70c1cce9918b669c8e
Opcode Fuzzy Hash: 02ab2f088a25fb39ae1873ed111094ba74df8214b83ed1f68390b0511411e846
Instruction Fuzzy Hash: 23B15F71A0021AEFEB15DFA8DC45BFE7BB5FB08314F108629FA15A7290DB74A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000B4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000B40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000B41B6

Strings

GETSELECTED, xrefs: 000B42E4
FINDITEM, xrefs: 000B4329
SELECTALL, xrefs: 000B421D
SELECT, xrefs: 000B4250
GETSELECTEDCOUNT, xrefs: 000B4199
VIEWCHANGE, xrefs: 000B4375
GETSUBITEMCOUNT, xrefs: 000B4141
GETTEXT, xrefs: 000B415F
SELECTCLEAR, xrefs: 000B4235
ISSELECTED, xrefs: 000B41C1
SELECTINVERT, xrefs: 000B4286
DESELECT, xrefs: 000B42A4
GETITEMCOUNT, xrefs: 000B4128

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: d7a7450d461797d7881e07bd477ccaa8c3cefa37f4cece58a8fb67069148f2e1
Instruction ID: f9d2ab4d7427526d8a6eabe018c6f67b1f99e3dbc012b9e7dfb933f6707af5bb
Opcode Fuzzy Hash: d7a7450d461797d7881e07bd477ccaa8c3cefa37f4cece58a8fb67069148f2e1
Instruction Fuzzy Hash: FAA17E302143029FCB54EF24C951AEEB7E9BF84314F14496DB896AB293DB74EE09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000A52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 000A5309
LoadCursorW.USER32(00000000,00007F8A), ref: 000A5314
LoadCursorW.USER32(00000000,00007F00), ref: 000A531F
LoadCursorW.USER32(00000000,00007F03), ref: 000A532A
LoadCursorW.USER32(00000000,00007F8B), ref: 000A5335
LoadCursorW.USER32(00000000,00007F01), ref: 000A5340
LoadCursorW.USER32(00000000,00007F81), ref: 000A534B
LoadCursorW.USER32(00000000,00007F88), ref: 000A5356
LoadCursorW.USER32(00000000,00007F80), ref: 000A5361
LoadCursorW.USER32(00000000,00007F86), ref: 000A536C
LoadCursorW.USER32(00000000,00007F83), ref: 000A5377
LoadCursorW.USER32(00000000,00007F85), ref: 000A5382
LoadCursorW.USER32(00000000,00007F82), ref: 000A538D
LoadCursorW.USER32(00000000,00007F84), ref: 000A5398
LoadCursorW.USER32(00000000,00007F04), ref: 000A53A3
LoadCursorW.USER32(00000000,00007F02), ref: 000A53AE
GetCursorInfo.USER32(?), ref: 000A53BE
GetLastError.KERNEL32(00000001,00000000), ref: 000A53E9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: a544d7ce2202285b366e54aa079fedd01a2b481376d90bfc42529d17cd6f56cf
Instruction ID: 991224c96432100a9f1136047306183900b3d875211d69acec0475c963110018
Opcode Fuzzy Hash: a544d7ce2202285b366e54aa079fedd01a2b481376d90bfc42529d17cd6f56cf
Instruction Fuzzy Hash: 1D417370E083196ADB109FBA8C498AEFFF8EF55B10F10452FB509E7291DAB89501CE51

Uniqueness

Uniqueness Score: -1.00%

Function 0008AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0008AAA5
__swprintf.LIBCMT ref: 0008AB46
_wcscmp.LIBCMT ref: 0008AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0008ABAE
_wcscmp.LIBCMT ref: 0008ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0008AC21
GetDlgCtrlID.USER32(?), ref: 0008AC73
GetWindowRect.USER32(?,?), ref: 0008ACA9
GetParent.USER32(?), ref: 0008ACC7
ScreenToClient.USER32(00000000), ref: 0008ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0008AD48
_wcscmp.LIBCMT ref: 0008AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0008AD82
_wcscmp.LIBCMT ref: 0008AD96

Part of subcall function 0005386C: _iswctype.LIBCMT ref: 00053874

Strings

%s%u, xrefs: 0008AB40

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 38fbdab4a3e31447ef7b2f80665c8ca24fde941e116342043cd35a5be3a224e9
Instruction ID: a30d07c6dbb1bd1c9c89f2790ea9346a7ecd0b96bdd69324d35aca215a3afaf0
Opcode Fuzzy Hash: 38fbdab4a3e31447ef7b2f80665c8ca24fde941e116342043cd35a5be3a224e9
Instruction Fuzzy Hash: F1A1AF71204706AFE714EF24C884BEAB7E8FF05355F00462AF9DAD2951DB30E955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0008B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0008B3DB
_wcscmp.LIBCMT ref: 0008B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0008B414
CharUpperBuffW.USER32(?,00000000), ref: 0008B431
_wcscmp.LIBCMT ref: 0008B44F
_wcsstr.LIBCMT ref: 0008B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0008B498
_wcscmp.LIBCMT ref: 0008B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0008B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0008B518
_wcscmp.LIBCMT ref: 0008B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0008B550
GetWindowRect.USER32(00000004,?), ref: 0008B5B9

Strings

@, xrefs: 0008B3BC
ThumbnailClass, xrefs: 0008B4A3, 0008B523

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 69ba4592903d411cbecfc9fae8b61411685bf393d87d9b90b8457e60d0f71286
Instruction ID: f7c96bea5f592e4876ceebf2f7de7a35f9d5f60e0bc7d794dc1a74e87700d7f8
Opcode Fuzzy Hash: 69ba4592903d411cbecfc9fae8b61411685bf393d87d9b90b8457e60d0f71286
Instruction Fuzzy Hash: F7819E710083069BDB15EF14C885FAABBE8FF44354F088569FDC59A1A2EB34DE49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0008B23F

Strings

REGEXP=, xrefs: 0008B254
LAST, xrefs: 0008B204
[HANDLE:, xrefs: 0008B24B
ALL, xrefs: 0008B2D3
HANDLE=, xrefs: 0008B238
[REGEXPTITLE:, xrefs: 0008B267
CLASSNAME=, xrefs: 0008B27C
[CLASS:, xrefs: 0008B28F
[ACTIVE, xrefs: 0008B22C
ACTIVE, xrefs: 0008B21A
[LAST, xrefs: 0008B2EC
[ALL, xrefs: 0008B2E5

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 0ffeb371a8b999c80a2c5e3106c530c86389e68b95e97af715f76c3cc0b63a1b
Instruction ID: 1e4e99e2c42135baed7185f96f3c36a8a191b7de377b1bb5d22326f691e1a2bd
Opcode Fuzzy Hash: 0ffeb371a8b999c80a2c5e3106c530c86389e68b95e97af715f76c3cc0b63a1b
Instruction Fuzzy Hash: 7B31F571A08345AADF25FA61CD43EEE77B8AF20791F600429F985750E3EF616F08C651

Uniqueness

Uniqueness Score: -1.00%

Function 0008C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0008C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0008C4E6
SetWindowTextW.USER32(?,?), ref: 0008C4FD
GetDlgItem.USER32(?,000003EA), ref: 0008C512
SetWindowTextW.USER32(00000000,?), ref: 0008C518
GetDlgItem.USER32(?,000003E9), ref: 0008C528
SetWindowTextW.USER32(00000000,?), ref: 0008C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0008C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0008C569
GetWindowRect.USER32(?,?), ref: 0008C572
SetWindowTextW.USER32(?,?), ref: 0008C5DD
GetDesktopWindow.USER32 ref: 0008C5E3
GetWindowRect.USER32(00000000), ref: 0008C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0008C636
GetClientRect.USER32(?,?), ref: 0008C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0008C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0008C693

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 9db3cd5a9631f1f2ef430e37ca1a5c696f71cf17266ac096676c9f924feef61d
Instruction ID: 9332ab9f46f94a2bdd36c5c616b90c7525db12bb0fe869b23d442b19b3b82569
Opcode Fuzzy Hash: 9db3cd5a9631f1f2ef430e37ca1a5c696f71cf17266ac096676c9f924feef61d
Instruction Fuzzy Hash: 63514371900709AFEB20EFA8DD85FAEBBF5FF04705F004629E586A35A0D774A954CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000BA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000BA4C8
DestroyWindow.USER32(?,?), ref: 000BA542

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000BA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000BA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000BA5F1
DestroyWindow.USER32(00000000), ref: 000BA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00030000,00000000), ref: 000BA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000BA663
GetDesktopWindow.USER32 ref: 000BA67C
GetWindowRect.USER32(00000000), ref: 000BA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000BA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000BA6B3

Part of subcall function 000325DB: GetWindowLongW.USER32(?,000000EB), ref: 000325EC

Strings

tooltips_class32, xrefs: 000BA5B5, 000BA643
0, xrefs: 000BA4DE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 81391ae108dbc9bc73e2cbc038b5dcc6f5bce7f071ab9a28c4439b14eaa34193
Instruction ID: a4aa5b76f6b16e974bc272f76cf1136b8a45ff26f91c7fdb4ba1c254baf17317
Opcode Fuzzy Hash: 81391ae108dbc9bc73e2cbc038b5dcc6f5bce7f071ab9a28c4439b14eaa34193
Instruction Fuzzy Hash: C9718DB1240205AFE721CF28CC45FBA77E5EB89304F48462DF985C72A1DB75E906DB22

Uniqueness

Uniqueness Score: -1.00%

Function 000BC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

DragQueryPoint.SHELL32(?,?), ref: 000BC917

Part of subcall function 000BADF1: ClientToScreen.USER32(?,?), ref: 000BAE1A
Part of subcall function 000BADF1: GetWindowRect.USER32(?,?), ref: 000BAE90
Part of subcall function 000BADF1: PtInRect.USER32(?,?,000BC304), ref: 000BAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 000BC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000BC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000BC9AE
_wcscat.LIBCMT ref: 000BC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000BC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 000BCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 000BCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 000BCA47
DragFinish.SHELL32(?), ref: 000BCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000BCB41

Strings

@GUI_DRAGID, xrefs: 000BCAB9
@GUI_DRAGFILE, xrefs: 000BCAF0
@GUI_DROPID, xrefs: 000BCA6E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: e678abe1f741f540a37e1da9bf2294b39e579b9e625ac2468b3e35502febcd28
Instruction ID: 36f7773c5e6fa35a88426d12fe1592d9d73781e7e572f9bdebd626b92ba18b69
Opcode Fuzzy Hash: e678abe1f741f540a37e1da9bf2294b39e579b9e625ac2468b3e35502febcd28
Instruction Fuzzy Hash: 16613971108301AFD711EF64CC85DAFBBE8EF89750F000A2EF596971A2DB719A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 000B4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000B46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000B46F6

Strings

CHECK, xrefs: 000B4716
GETTEXT, xrefs: 000B4849
GETSELECTED, xrefs: 000B4806
GETTOTALCOUNT, xrefs: 000B46DD
EXPAND, xrefs: 000B47A8
UNCHECK, xrefs: 000B48D2
ISCHECKED, xrefs: 000B4879
SELECT, xrefs: 000B48A7
GETITEMCOUNT, xrefs: 000B47D8
EXISTS, xrefs: 000B475F
COLLAPSE, xrefs: 000B473C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 2fe1d8e29e79daff92e447becf80449ff3b630fecdeb5a65e56dcf13ec4f652d
Instruction ID: 1ab6030c16886134676a683d38a2d4b4e38b2d163fc9302e716b5670d85f0d83
Opcode Fuzzy Hash: 2fe1d8e29e79daff92e447becf80449ff3b630fecdeb5a65e56dcf13ec4f652d
Instruction Fuzzy Hash: D6917D742047029FCB15EF14C851AEEB7E5AF44314F04486DB8966B3A3CB75EE0ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 000BBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000BBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000B9431), ref: 000BBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000BBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000BBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000BBC7D
FreeLibrary.KERNEL32(?), ref: 000BBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000BBC99
DestroyIcon.USER32(?,?,?,?,?,000B9431), ref: 000BBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000BBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000BBCD1

Part of subcall function 0005313D: __wcsicmp_l.LIBCMT ref: 000531C6

Strings

.dll, xrefs: 000BBB27
.exe, xrefs: 000BBB04
.icl, xrefs: 000BBAE4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 48c7ae2d9e8811886d9191e3d95760ffbb2da56a8dd1f97a26780fb9bfd6399a
Instruction ID: 279aad60884210588e06b9b78de06afcbe6beb64ce6718e69b76f7eaf8902818
Opcode Fuzzy Hash: 48c7ae2d9e8811886d9191e3d95760ffbb2da56a8dd1f97a26780fb9bfd6399a
Instruction Fuzzy Hash: 5261CE71500619BBEB24DF64CC86FFE7BA8EF08711F10461AF915D61C1DBB4A984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

CharLowerBuffW.USER32(?,?), ref: 0009A636
GetDriveTypeW.KERNEL32 ref: 0009A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0009A730

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

Strings

set cd door , xrefs: 0009A6D1
wait, xrefs: 0009A6ED
close, xrefs: 0009A63C
open, xrefs: 0009A65D
close cd wait, xrefs: 0009A71B
closed, xrefs: 0009A64A, 0009A653
open , xrefs: 0009A692
type cdaudio alias cd wait, xrefs: 0009A6AE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 23e22747ccc0850861428998eff61f49c9948d424096b5a85426f79006600f7f
Instruction ID: 5000ce0abe6b6b2c01b7512fd5195932c8dcf3f0ff60ada19abd20d0fe13cda2
Opcode Fuzzy Hash: 23e22747ccc0850861428998eff61f49c9948d424096b5a85426f79006600f7f
Instruction Fuzzy Hash: 56517D712083059FC711EF25CC818AAB7F8FF89718F04496CF89957262DB31AE09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0009A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0009A47A
__swprintf.LIBCMT ref: 0009A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0009A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0009A4FE
_memset.LIBCMT ref: 0009A51D
_wcsncpy.LIBCMT ref: 0009A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0009A58E
CloseHandle.KERNEL32(00000000), ref: 0009A599
RemoveDirectoryW.KERNEL32(?), ref: 0009A5A2
CloseHandle.KERNEL32(00000000), ref: 0009A5AC

Strings

\, xrefs: 0009A4B2
:, xrefs: 0009A4BD
\??\%s, xrefs: 0009A496

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5cc18e42be4b385181f9eddc7828053510d708a3e856a8e76cb8294d64f76627
Instruction ID: 276f756e306f932152c75c002084766dcca47ccc31bcee341ed7d400f80b2e7f
Opcode Fuzzy Hash: 5cc18e42be4b385181f9eddc7828053510d708a3e856a8e76cb8294d64f76627
Instruction Fuzzy Hash: 643180B560021AABDB219FA0DC49FFB73BCEF89701F1041B6F908D6161EB7497448B65

Uniqueness

Uniqueness Score: -1.00%

Function 0009DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0009DC7B
_wcscat.LIBCMT ref: 0009DC93
_wcscat.LIBCMT ref: 0009DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0009DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0009DCCE
GetFileAttributesW.KERNEL32(?), ref: 0009DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0009DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0009DD12

Strings

*.*, xrefs: 0009DD51

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 860c8d5f669f7a9d66f9830e4a47b9b32b905847a2cdd647c408f83e7d1c10af
Instruction ID: 106aeb4e919b177c6549f374cb15f3e0d566ba9070c904910130e5001c90f9eb
Opcode Fuzzy Hash: 860c8d5f669f7a9d66f9830e4a47b9b32b905847a2cdd647c408f83e7d1c10af
Instruction Fuzzy Hash: 758170B1544241DFCF64EF28C8459AEB7E8AF89314F19882FF889C7251E770D944EB52

Uniqueness

Uniqueness Score: -1.00%

Function 000BC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000BC4EC
GetFocus.USER32 ref: 000BC4FC
GetDlgCtrlID.USER32(00000000), ref: 000BC507
_memset.LIBCMT ref: 000BC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000BC65D
GetMenuItemCount.USER32(?), ref: 000BC67D
GetMenuItemID.USER32(?,00000000), ref: 000BC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000BC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000BC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000BC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000BC779

Strings

0, xrefs: 000BC62A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 06bf5d2b4d8f750ed303f510a463575185a4c61578075a83e8ad5b155191c610
Instruction ID: 7d8dfc2374f70911798ebea71d6a4a456244977208e157aea36f5b9dd595e655
Opcode Fuzzy Hash: 06bf5d2b4d8f750ed303f510a463575185a4c61578075a83e8ad5b155191c610
Instruction Fuzzy Hash: F3815C70608301AFE720DF14C984EEBBBE9FB88354F10452EF99597291DB71E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000883F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0008874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00088766
Part of subcall function 0008874A: GetLastError.KERNEL32(?,0008822A,?,?,?), ref: 00088770
Part of subcall function 0008874A: GetProcessHeap.KERNEL32(00000008,?,?,0008822A,?,?,?), ref: 0008877F
Part of subcall function 0008874A: HeapAlloc.KERNEL32(00000000,?,0008822A,?,?,?), ref: 00088786
Part of subcall function 0008874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0008879D

Part of subcall function 000887E7: GetProcessHeap.KERNEL32(00000008,00088240,00000000,00000000,?,00088240,?), ref: 000887F3
Part of subcall function 000887E7: HeapAlloc.KERNEL32(00000000,?,00088240,?), ref: 000887FA
Part of subcall function 000887E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00088240,?), ref: 0008880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00088458
_memset.LIBCMT ref: 0008846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0008848C
GetLengthSid.ADVAPI32(?), ref: 0008849D
GetAce.ADVAPI32(?,00000000,?), ref: 000884DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000884F6
GetLengthSid.ADVAPI32(?), ref: 00088513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00088522
HeapAlloc.KERNEL32(00000000), ref: 00088529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0008854A
CopySid.ADVAPI32(00000000), ref: 00088551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00088582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000885A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000885BC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7d39aa4e4d3b7cd2814709f0945eff3af2725a60addf8d1c6f08cdd050d3146e
Instruction ID: 0ef7384c15cc8f0afa8005d35dca4dc6812c9fe8ce0ab68f3a03bd468c1c507c
Opcode Fuzzy Hash: 7d39aa4e4d3b7cd2814709f0945eff3af2725a60addf8d1c6f08cdd050d3146e
Instruction Fuzzy Hash: 9B615B7190020AAFDF10EFA4DC45AEEBBB9FF04310F448269F955A7291DB359A15CF60

Uniqueness

Uniqueness Score: -1.00%

Function 000A762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000A76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000A76AE
CreateCompatibleDC.GDI32(?), ref: 000A76BA
SelectObject.GDI32(00000000,?), ref: 000A76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 000A771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 000A7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 000A777B
SelectObject.GDI32(00000006,?), ref: 000A7783
DeleteObject.GDI32(?), ref: 000A778C
DeleteDC.GDI32(00000006), ref: 000A7793
ReleaseDC.USER32(00000000,?), ref: 000A779E

Strings

(, xrefs: 000A7723

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3686d84c61b27df044a5ae0fe7a6a81118ea11cc937f4c4e45c303304e2acbc2
Instruction ID: 73f0fd392553fbc05c1e11326e41116b8fce3f0e47b082318976dac58fd9c7fd
Opcode Fuzzy Hash: 3686d84c61b27df044a5ae0fe7a6a81118ea11cc937f4c4e45c303304e2acbc2
Instruction Fuzzy Hash: A5515875904209EFDB25CFA8CC85EEEBBB9EF49310F14852DF94A97221D735A940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0009A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,000BFB78), ref: 0009A0FC

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0009A11E
__swprintf.LIBCMT ref: 0009A177
__swprintf.LIBCMT ref: 0009A190
_wprintf.LIBCMT ref: 0009A246
_wprintf.LIBCMT ref: 0009A264

Strings

Line %d (File "%s"):, xrefs: 0009A171, 0009A18A
Error: , xrefs: 0009A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 0009A241
^ ERROR, xrefs: 0009A1E8
"%s" (%d) : ==> %s:, xrefs: 0009A25F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 5b5b6afe1c3baa4a8bd1b557ef40cefc336b44b734f9a334ce418707892338bb
Instruction ID: 4e98d466e8f616c84947e4e66e68a6e31fce23b5bba95fed1fd3d1fd405b2427
Opcode Fuzzy Hash: 5b5b6afe1c3baa4a8bd1b557ef40cefc336b44b734f9a334ce418707892338bb
Instruction Fuzzy Hash: 2A519171900609BBDF26EBE4CD82EEEB779AF09300F140165F509721A2EB356F48DB91

Uniqueness

Uniqueness Score: -1.00%

Function 000B10A5 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B0038,?,?), ref: 000B10BC

Strings

HKEY_USERS, xrefs: 000B11BD
HKEY_CURRENT_CONFIG, xrefs: 000B1179
HKEY_CURRENT_USER, xrefs: 000B119B
HKCC, xrefs: 000B118A
HKLM, xrefs: 000B113A
HKU, xrefs: 000B11CE
HKEY_LOCAL_MACHINE, xrefs: 000B1125
HKCU, xrefs: 000B11AC
HKEY_CLASSES_ROOT, xrefs: 000B114F
pb, xrefs: 000B1114
HKCR, xrefs: 000B1164

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$pb
API String ID: 3964851224-3426240939
Opcode ID: f67187c761b41377988414ecd664efefe12d7efa88c6e5471927db21efc213a8
Instruction ID: d8c7ae68ba45250f35a2a9bdc3cc83efea2a0172639b626c4a27c3a7d371a263
Opcode Fuzzy Hash: f67187c761b41377988414ecd664efefe12d7efa88c6e5471927db21efc213a8
Instruction Fuzzy Hash: 2C415C7415028B9FCF61EF94DDA1AEF3764AF15310F904454FC916B292DB34AE2ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00036BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00050B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00036C6C,?,00008000), ref: 00050BB7

Part of subcall function 000348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000348A1,?,?,000337C0,?), ref: 000348CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00036D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00036E5A

Part of subcall function 000359CD: _wcscpy.LIBCMT ref: 00035A05

Part of subcall function 0005387D: _iswctype.LIBCMT ref: 00053885

Strings

Bad directive syntax error, xrefs: 0006EBC6
>>>AUTOIT SCRIPT<<<, xrefs: 0006E8BF
Error opening the file, xrefs: 0006E866, 0006E8E1
Unterminated string, xrefs: 0006EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0006E84A
EA06, xrefs: 0006E87B
AU3!, xrefs: 00036CC1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 2db8255200f8c09b7d43171bdf80d7484cd3c0a35cacc4f55c155620462ed7ed
Instruction ID: e786c32bf5c50321917dcfe15167dab0e6857c65bbd0a6de6587d545050073e8
Opcode Fuzzy Hash: 2db8255200f8c09b7d43171bdf80d7484cd3c0a35cacc4f55c155620462ed7ed
Instruction Fuzzy Hash: 76029E751083819FC725EF24C881AEFBBE9BF95314F04492DF489972A2DB31E949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000345DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000345F9
GetMenuItemCount.USER32(000F6890), ref: 0006D7CD
GetMenuItemCount.USER32(000F6890), ref: 0006D87D
GetCursorPos.USER32(?), ref: 0006D8C1
SetForegroundWindow.USER32(00000000), ref: 0006D8CA
TrackPopupMenuEx.USER32(000F6890,00000000,?,00000000,00000000,00000000), ref: 0006D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0006D8E9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: de4212d64b601cb0988578eeb408e052cbcba40119e92d7e34c0c2b1c5fcfefe
Instruction ID: 5e9075dd8c9706d0f806b05e6f233b5f536495d720e33d00f75e375dee09fe6f
Opcode Fuzzy Hash: de4212d64b601cb0988578eeb408e052cbcba40119e92d7e34c0c2b1c5fcfefe
Instruction Fuzzy Hash: 0D71C270B04206BEFB719F24DC49FEABFA9FB05364F200226F5146A1E1DBB56810DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00095569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

Part of subcall function 00037A84: _memmove.LIBCMT ref: 00037B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000955D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000955E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000955F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0009560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0009561C

Strings

play PlayMe wait, xrefs: 00095606
status PlayMe mode, xrefs: 000955CD
open , xrefs: 00095581
alias PlayMe, xrefs: 000955AB
play PlayMe, xrefs: 00095617
close PlayMe, xrefs: 000955E3, 00095610

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 161d4576a8bea433851ea69370ea7223fb274ff1433f3cf88c2db334d2fbf2cd
Instruction ID: 5901705af64b9779fe788e5b57d09ff78c786d21e02beecaf4c165823de3a438
Opcode Fuzzy Hash: 161d4576a8bea433851ea69370ea7223fb274ff1433f3cf88c2db334d2fbf2cd
Instruction Fuzzy Hash: A311866065459979D721B673CC4ADFF7F7CEF96B00F400459B505A70D2DEA01E05C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000948F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0009490E
gethostname.WSOCK32(?,00000100), ref: 00094928
gethostbyname.WSOCK32(?), ref: 00094935
_wcscpy.LIBCMT ref: 0009495D
_memmove.LIBCMT ref: 00094970
inet_ntoa.WSOCK32(?), ref: 0009497B
_strcat.LIBCMT ref: 00094989
_wcscpy.LIBCMT ref: 000949A0
WSACleanup.WSOCK32 ref: 000949AE
_wcscpy.LIBCMT ref: 000949BC

Strings

0.0.0.0, xrefs: 00094957

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d772d4ed483b5ddbc634913db13f381ed7da94053e4b96e7e1b9af7913acdeff
Instruction ID: 0af5cc96a2d3eb8957062de6ed344a5e63b3de5982c23b0c1449a0a520d7071b
Opcode Fuzzy Hash: d772d4ed483b5ddbc634913db13f381ed7da94053e4b96e7e1b9af7913acdeff
Instruction Fuzzy Hash: C511D532904115ABDB20AB64AC46EEF77ACDF05711F0402B5F948A7092EF749A869751

Uniqueness

Uniqueness Score: -1.00%

Function 00095217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0009521C

Part of subcall function 00050719: timeGetTime.WINMM(?,7694B400,00040FF9), ref: 0005071D

Sleep.KERNEL32(0000000A), ref: 00095248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0009526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0009528E
SetActiveWindow.USER32 ref: 000952AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000952BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 000952DA
Sleep.KERNEL32(000000FA), ref: 000952E5
IsWindow.USER32 ref: 000952F1
EndDialog.USER32(00000000), ref: 00095302

Strings

BUTTON, xrefs: 00095280

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 31d0d3d98ae6ceb57450182fd8c5bac999c4d7e392b0a85551b58199da159205
Instruction ID: f96529fb2d64d77bac9dcd1082e40a13f7965f8ce753d81be020ed8d9db82910
Opcode Fuzzy Hash: 31d0d3d98ae6ceb57450182fd8c5bac999c4d7e392b0a85551b58199da159205
Instruction Fuzzy Hash: 1521A470204B05AFFB125B31EC89B7A3B69EB45787F501524F505925B1DBE99D00FB22

Uniqueness

Uniqueness Score: -1.00%

Function 0009D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

CoInitialize.OLE32(00000000), ref: 0009D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0009D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0009D8FC
CoCreateInstance.OLE32(000C2D7C,00000000,00000001,000EA89C,?), ref: 0009D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0009D9B7
CoTaskMemFree.OLE32(?,?), ref: 0009DA0F
_memset.LIBCMT ref: 0009DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0009DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0009DAAB
CoTaskMemFree.OLE32(00000000), ref: 0009DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0009DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0009DAEB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 4553adf4b02518e2eedd0fd44e3f6b951f70446127093b102eb3583b3d89a040
Instruction ID: b2901fc52be95b7eb6b1e3fc24adc7faed866e57b701cfab9cd7dec440627dcb
Opcode Fuzzy Hash: 4553adf4b02518e2eedd0fd44e3f6b951f70446127093b102eb3583b3d89a040
Instruction Fuzzy Hash: 90B1EA75A00109AFDB04DFA4C888EAEBBF9EF48314F148469F90AEB251DB31ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0009052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000905A7
SetKeyboardState.USER32(?), ref: 00090612
GetAsyncKeyState.USER32(000000A0), ref: 00090632
GetKeyState.USER32(000000A0), ref: 00090649
GetAsyncKeyState.USER32(000000A1), ref: 00090678
GetKeyState.USER32(000000A1), ref: 00090689
GetAsyncKeyState.USER32(00000011), ref: 000906B5
GetKeyState.USER32(00000011), ref: 000906C3
GetAsyncKeyState.USER32(00000012), ref: 000906EC
GetKeyState.USER32(00000012), ref: 000906FA
GetAsyncKeyState.USER32(0000005B), ref: 00090723
GetKeyState.USER32(0000005B), ref: 00090731

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4c394cd658ed0b40f5c6c2614bba3786dc5b012d0a5fd5a3fb47e3c6605ab835
Instruction ID: 1deee457a607d61765f6ae24c0dc66467d0246551f6eb9f97408ce0bba75efbe
Opcode Fuzzy Hash: 4c394cd658ed0b40f5c6c2614bba3786dc5b012d0a5fd5a3fb47e3c6605ab835
Instruction Fuzzy Hash: 4151B970A04B852DFF75DBA088547FABFF49F01380F08859A95C2561C2DA64AB8CEB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0008C746
GetWindowRect.USER32(00000000,?), ref: 0008C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0008C7B6
GetDlgItem.USER32(?,00000002), ref: 0008C7C1
GetWindowRect.USER32(00000000,?), ref: 0008C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0008C827
GetDlgItem.USER32(?,000003E9), ref: 0008C835
GetWindowRect.USER32(00000000,?), ref: 0008C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0008C889
GetDlgItem.USER32(?,000003EA), ref: 0008C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0008C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0008C8C1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 95674d58572c86672355567d080c872e6b45778a38f252e0a5a7bbc6c96f4bc6
Instruction ID: e2fdefa8d84ddf0308b372720376edee90ebc3e6946c04e2760c8057cb7f84d0
Opcode Fuzzy Hash: 95674d58572c86672355567d080c872e6b45778a38f252e0a5a7bbc6c96f4bc6
Instruction Fuzzy Hash: D3513071B40205ABEB18DF69DD99EBEBBB6FB88310F14822DF915D7290DB749D008B50

Uniqueness

Uniqueness Score: -1.00%

Function 0003201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00031B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00032036,?,00000000,?,?,?,?,000316CB,00000000,?), ref: 00031B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000320D3
KillTimer.USER32(-00000001,?,?,?,?,000316CB,00000000,?,?,00031AE2,?,?), ref: 0003216E
DestroyAcceleratorTable.USER32(00000000), ref: 0006BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000316CB,00000000,?,?,00031AE2,?,?), ref: 0006BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000316CB,00000000,?,?,00031AE2,?,?), ref: 0006BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000316CB,00000000,?,?,00031AE2,?,?), ref: 0006BF5A
DeleteObject.GDI32(00000000), ref: 0006BF6C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2ffb71582001df432e1dcc1e6801cb51fe4dc00658163cdb3c330b7512c67462
Instruction ID: 898ea6462ed3471b5dfd580bee211d3a8ce7be3848247eb680816c1e2366cb54
Opcode Fuzzy Hash: 2ffb71582001df432e1dcc1e6801cb51fe4dc00658163cdb3c330b7512c67462
Instruction Fuzzy Hash: 89616A30104611DFEB7AAF14DD48B7AB7F6FB50312F104628E54287971CB7AA886EF80

Uniqueness

Uniqueness Score: -1.00%

Function 000321A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 000325DB: GetWindowLongW.USER32(?,000000EB), ref: 000325EC

GetSysColor.USER32(0000000F), ref: 000321D3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cd1fed94f44746a0d259747a27fac64ed763bae182dfcea21cf7212d39c47b73
Instruction ID: 6737590fd356ee6442cef55ace44e26c485937a05d725a83e113e06133526364
Opcode Fuzzy Hash: cd1fed94f44746a0d259747a27fac64ed763bae182dfcea21cf7212d39c47b73
Instruction Fuzzy Hash: 63419331100640EFEB665F28DC48BBA3BAAEB46331F144765FE658B1E6C7358C42DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0009AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,000BF910), ref: 0009AB76
GetDriveTypeW.KERNEL32(00000061,000EA620,00000061), ref: 0009AC40
_wcscpy.LIBCMT ref: 0009AC6A

Strings

ramdisk, xrefs: 0009ABEA
removable, xrefs: 0009ABA8
unknown, xrefs: 0009AC01
all, xrefs: 0009AB7C
fixed, xrefs: 0009ABBE
cdrom, xrefs: 0009AB92
network, xrefs: 0009ABD4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 6c99b12b1023600059d920dd02ad819e664857bcd7791d381fd1e3eb03a3a01e
Instruction ID: 41b63d6344579936bf4612fad375fcfc15b8e26b83650dbec4741a2995fb4a4f
Opcode Fuzzy Hash: 6c99b12b1023600059d920dd02ad819e664857bcd7791d381fd1e3eb03a3a01e
Instruction Fuzzy Hash: BA5182712083019FCB24EF14C981AAFB7E9EF86305F54482DF496572A3DB719909DB93

Uniqueness

Uniqueness Score: -1.00%

Function 00039997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 000399C2
__swprintf.LIBCMT ref: 00039A0C
__i64tow.LIBCMT ref: 0006FA0F

Strings

False, xrefs: 0006F9D7
%.15g, xrefs: 00039A06
True, xrefs: 0006F9D0
0x%p, xrefs: 0006F9F1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a1b0b8452377b5523d00f8541815fa113f3ce15cbc690cde1ae2d4cd1ebfb4ef
Instruction ID: 852e561dbaa1233b14373c527a5ceafc13edb9b78392d896e698a3f31f813da2
Opcode Fuzzy Hash: a1b0b8452377b5523d00f8541815fa113f3ce15cbc690cde1ae2d4cd1ebfb4ef
Instruction Fuzzy Hash: 5B41D471604606AFEB35EB38EC42FBB73E9EF45300F20486FE549D7292EA7199418B11

Uniqueness

Uniqueness Score: -1.00%

Function 000B73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000B73D9
CreateMenu.USER32 ref: 000B73F4
SetMenu.USER32(?,00000000), ref: 000B7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000B7490
IsMenu.USER32(?), ref: 000B74A6
CreatePopupMenu.USER32 ref: 000B74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000B74DD
DrawMenuBar.USER32 ref: 000B74E5

Strings

0, xrefs: 000B73CF
F, xrefs: 000B74D1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5032f31a384a561233dd18a8c02e38c24363b8336c61b22aced7388ec5a26aab
Instruction ID: 8494dec854257e9994758f44699f121cf41b0c21cd825a968f0305b6d34ae41f
Opcode Fuzzy Hash: 5032f31a384a561233dd18a8c02e38c24363b8336c61b22aced7388ec5a26aab
Instruction Fuzzy Hash: 5A415A74A00205EFEB20DF64D884EEABBF5FF49341F144128FA5997350DB35A910CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000B772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000B77CD
CreateCompatibleDC.GDI32(00000000), ref: 000B77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000B77E7
SelectObject.GDI32(00000000,00000000), ref: 000B77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 000B77FA
DeleteDC.GDI32(00000000), ref: 000B7803
GetWindowLongW.USER32(?,000000EC), ref: 000B780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000B7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000B782D

Strings

static, xrefs: 000B7765

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b3c1e784705956e225433e3201a5a7a581f37e609016c7f60d0133e7e7c81d47
Instruction ID: 778eff8dc941d09f6a02bea888dd5b89bddef6326bb2a931f57a1244ec67e91d
Opcode Fuzzy Hash: b3c1e784705956e225433e3201a5a7a581f37e609016c7f60d0133e7e7c81d47
Instruction Fuzzy Hash: CF317E31145216BBEF129F74DC08FEA3BA9FF49720F110325FA19A60A0DB35D811DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00057040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0005707B

Part of subcall function 00058D68: __getptd_noexit.LIBCMT ref: 00058D68

__gmtime64_s.LIBCMT ref: 00057114
__gmtime64_s.LIBCMT ref: 0005714A
__gmtime64_s.LIBCMT ref: 00057167
__allrem.LIBCMT ref: 000571BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000571D9
__allrem.LIBCMT ref: 000571F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0005720E
__allrem.LIBCMT ref: 00057225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00057243
__invoke_watson.LIBCMT ref: 000572B4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 9967f4c902dfb81bbb1e9d475f3a0940a342828889151c52956903408defa5ff
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 4D711671A04706ABD7149F79DC42B9BB3E9AF11321F10422AFC18E76C2EB70D94897D0

Uniqueness

Uniqueness Score: -1.00%

Function 00092A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00092A31
GetMenuItemInfoW.USER32(000F6890,000000FF,00000000,00000030), ref: 00092A92
SetMenuItemInfoW.USER32(000F6890,00000004,00000000,00000030), ref: 00092AC8
Sleep.KERNEL32(000001F4), ref: 00092ADA
GetMenuItemCount.USER32(?), ref: 00092B1E
GetMenuItemID.USER32(?,00000000), ref: 00092B3A
GetMenuItemID.USER32(?,-00000001), ref: 00092B64
GetMenuItemID.USER32(?,?), ref: 00092BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00092BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00092C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00092C24

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 38426b564df8a93206b1726e38c60fe1024075fb03c530982670c35ea734948a
Instruction ID: 5aea19909816515511a235b7e0429e26b30c953f26ea716a8fbaa38d9bbe200e
Opcode Fuzzy Hash: 38426b564df8a93206b1726e38c60fe1024075fb03c530982670c35ea734948a
Instruction Fuzzy Hash: 976167B190024ABFEF21DF64DC88EFEBBB8EB01304F144569E841A7252D735AD45EB21

Uniqueness

Uniqueness Score: -1.00%

Function 000B7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000B7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000B7217
GetWindowLongW.USER32(?,000000F0), ref: 000B723B
_memset.LIBCMT ref: 000B724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000B725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000B72D6

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 360b43eb1cad4f7be3f3739734d749d6aa53203355b44174c63b05ee631c7306
Instruction ID: f2e730a02b1c52ca80635f14ce62ee47febde899b7b9e1ec155003ce74b601ad
Opcode Fuzzy Hash: 360b43eb1cad4f7be3f3739734d749d6aa53203355b44174c63b05ee631c7306
Instruction Fuzzy Hash: 07618B71A00208AFDB20DFA8CC81EEE77F8EB49700F144159FA15A73A2D775AE45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0008710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00087135
SafeArrayAllocData.OLEAUT32(?), ref: 0008718E
VariantInit.OLEAUT32(?), ref: 000871A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 000871C0
VariantCopy.OLEAUT32(?,?), ref: 00087213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00087227
VariantClear.OLEAUT32(?), ref: 0008723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00087249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00087252
VariantClear.OLEAUT32(?), ref: 00087264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0008726F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1f85ae80db4ad53f0c4ecf2a4fec1a1d9d15bf5d17145f7eddc446940bb94275
Instruction ID: b4b0d79340a238ca57cfc08ff511e719689554949385e3864e1e2773fc38811b
Opcode Fuzzy Hash: 1f85ae80db4ad53f0c4ecf2a4fec1a1d9d15bf5d17145f7eddc446940bb94275
Instruction Fuzzy Hash: C7417F31A00219AFDF04EFA8DC489EEBBB8FF08354F108169F945A7261CB34E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000A86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

CoInitialize.OLE32 ref: 000A8718
CoUninitialize.OLE32 ref: 000A8723
CoCreateInstance.OLE32(?,00000000,00000017,000C2BEC,?), ref: 000A8783
IIDFromString.OLE32(?,?), ref: 000A87F6
VariantInit.OLEAUT32(?), ref: 000A8890
VariantClear.OLEAUT32(?), ref: 000A88F1

Strings

Failed to create object, xrefs: 000A878E, 000A8844
NULL Pointer assignment, xrefs: 000A87C8
Invalid parameter, xrefs: 000A880F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 95cde310c9871db26cabf335eca24283dd06e227081022c6c22451a0bedb4ec6
Instruction ID: 71a33a1dc1bec848d1941fcf7e89bc40e174a54d3fd02a253fab873619787a90
Opcode Fuzzy Hash: 95cde310c9871db26cabf335eca24283dd06e227081022c6c22451a0bedb4ec6
Instruction Fuzzy Hash: 4D619D706083019FD711DFA4C849BAEBBE8AF4A714F10891DF9859B291DF74ED48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 000A5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000A5AA6
inet_addr.WSOCK32(?,?,?), ref: 000A5AEB
gethostbyname.WSOCK32(?), ref: 000A5AF7
IcmpCreateFile.IPHLPAPI ref: 000A5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000A5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000A5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 000A5C00
WSACleanup.WSOCK32 ref: 000A5C06

Strings

Ping, xrefs: 000A5B29

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: aa440d987dc87aa66959c0f759229cf2ff271f73982e407c3f875147f9d2052c
Instruction ID: 63910dd15f83f67922475f857595f0cf29a14fe154d95997c2a1d7979a16ea60
Opcode Fuzzy Hash: aa440d987dc87aa66959c0f759229cf2ff271f73982e407c3f875147f9d2052c
Instruction Fuzzy Hash: 4E51BE31214B019FD721AF64CC85B6EB7E4FF49712F04896AF956DB2A2DB74E800CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0009B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0009B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0009B7B1
GetLastError.KERNEL32 ref: 0009B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0009B828

Strings

UNKNOWN, xrefs: 0009B7E0
NOTREADY, xrefs: 0009B7E7
READY, xrefs: 0009B801
INVALID, xrefs: 0009B7FA
READONLY, xrefs: 0009B7F3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 25534613ea939ba3859aa51111781683fb04499aa76b458996f33812ef8af2d6
Instruction ID: 4c6763c43c667eb15cfa65ec90ce6fb88684095da4dbaed644542499cba5bf92
Opcode Fuzzy Hash: 25534613ea939ba3859aa51111781683fb04499aa76b458996f33812ef8af2d6
Instruction Fuzzy Hash: F931B435A002059FDF10EFA8DE85AFEBBF8EF49720F104129E502EB292DB719946D751

Uniqueness

Uniqueness Score: -1.00%

Function 00089471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 0008B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0008B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000894F6
GetDlgCtrlID.USER32 ref: 00089501
GetParent.USER32 ref: 0008951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00089520
GetDlgCtrlID.USER32(?), ref: 00089529
GetParent.USER32(?), ref: 00089545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00089548

Strings

ListBox, xrefs: 000894B3
ComboBox, xrefs: 0008947E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a69ed1e6de646f48a084e6a5fca956e3ee619eaa8d611e17251cc5ff89464292
Instruction ID: bcb9d8b1aff32b0d1191d9c38a6eb338518eaa9d2659a6850b9c97476187b738
Opcode Fuzzy Hash: a69ed1e6de646f48a084e6a5fca956e3ee619eaa8d611e17251cc5ff89464292
Instruction Fuzzy Hash: 6F21C470900105BFDF05BB65CC85DFEBBB8FF45310F140226B961972A2DB795919DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0008955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 0008B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0008B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000895DF
GetDlgCtrlID.USER32 ref: 000895EA
GetParent.USER32 ref: 00089606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00089609
GetDlgCtrlID.USER32(?), ref: 00089612
GetParent.USER32(?), ref: 0008962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00089631

Strings

ListBox, xrefs: 0008959E
ComboBox, xrefs: 00089569

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2e7496581bd9ad18a3396c7f6855fb7fedf99c352cf2f6d04f071f130ce02640
Instruction ID: e0ea3e7c10737a740eccc03a9ba98cfdc5473d654376299e177ed5944732a716
Opcode Fuzzy Hash: 2e7496581bd9ad18a3396c7f6855fb7fedf99c352cf2f6d04f071f130ce02640
Instruction Fuzzy Hash: 0021B375A00205BFDF01BB61CC85EFEBBB8FF48300F140126B951972A2DB7999199B20

Uniqueness

Uniqueness Score: -1.00%

Function 00089645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00089651
GetClassNameW.USER32(00000000,?,00000100), ref: 00089666
_wcscmp.LIBCMT ref: 00089678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000896F3

Strings

SHELLDLL_DefView, xrefs: 00089672
details, xrefs: 000896A1
list, xrefs: 000896D5
smallicons, xrefs: 000896BB
largeicons, xrefs: 00089687

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 5ba78fda830e8c56ac67fba082adb6bfea261e77c5a194d481627ab7bd82dbc1
Instruction ID: e97d587979f731e218efc9e426e632f5cdd8b0500914a91226bfcff6c8200d99
Opcode Fuzzy Hash: 5ba78fda830e8c56ac67fba082adb6bfea261e77c5a194d481627ab7bd82dbc1
Instruction Fuzzy Hash: AA110A77248747BAF6113631DC06DFB77DCAB043A1B200126FE00B50D2FE5159204B58

Uniqueness

Uniqueness Score: -1.00%

Function 000A8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000A8BEC
CoInitialize.OLE32(00000000), ref: 000A8C19
CoUninitialize.OLE32 ref: 000A8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 000A8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 000A8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,000C2C0C), ref: 000A8E84
CoGetObject.OLE32(?,00000000,000C2C0C,?), ref: 000A8EA7
SetErrorMode.KERNEL32(00000000), ref: 000A8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000A8F3A
VariantClear.OLEAUT32(?), ref: 000A8F4A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 47a932b1b196190b3de4ae9fb90b36a264c82de2842e2750cb36a9778db87aaa
Instruction ID: 27857d86ea569657c0cddf590f7ed3375bd0f72c23cc8fa1a630133d7bbdb049
Opcode Fuzzy Hash: 47a932b1b196190b3de4ae9fb90b36a264c82de2842e2750cb36a9778db87aaa
Instruction Fuzzy Hash: E7C12471608305AFD700EFA8C88496BB7E9FF89748F00896DF58A9B251DB71ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00094189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0009419D
__swprintf.LIBCMT ref: 000941AA

Part of subcall function 000538D8: __woutput_l.LIBCMT ref: 00053931

FindResourceW.KERNEL32(?,?,0000000E), ref: 000941D4
LoadResource.KERNEL32(?,00000000), ref: 000941E0
LockResource.KERNEL32(00000000), ref: 000941ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0009420D
LoadResource.KERNEL32(?,00000000), ref: 0009421F
SizeofResource.KERNEL32(?,00000000), ref: 0009422E
LockResource.KERNEL32(?), ref: 0009423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0009429B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 4071a82345fcae3ba1836814d040734926ce0eace0540d9c0fddb000947df2da
Instruction ID: 80263f73a69e05295a34297a920aac8adcf0ad26bbf34a99dff9b6ea98b06c4f
Opcode Fuzzy Hash: 4071a82345fcae3ba1836814d040734926ce0eace0540d9c0fddb000947df2da
Instruction Fuzzy Hash: 4B318CB160521AAFEF119F60DC48EBF7BA8FF08341F404625F905D2150E778DA52EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0003FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0003FC06
OleUninitialize.OLE32(?,00000000), ref: 0003FCA5
UnregisterHotKey.USER32(?), ref: 0003FDFC
DestroyWindow.USER32(?), ref: 00074A00
FreeLibrary.KERNEL32(?), ref: 00074A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00074A92

Strings

close all, xrefs: 0003FC01

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 68973f72d2673ac7eccd28a8044c63dfec2e4c59886a6c6b797f730a9f05bbaa
Instruction ID: 63321b1a347eca78f23051d78d53bac14c06ed31eca27af76b3f17203f0c5717
Opcode Fuzzy Hash: 68973f72d2673ac7eccd28a8044c63dfec2e4c59886a6c6b797f730a9f05bbaa
Instruction Fuzzy Hash: 9DA16370B012129FDB69EF14C995A7DF3A4BF04700F1582ADE80A6B262DB34AD16CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0008A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0008AA64), ref: 0008A9A2

Strings

CLASS, xrefs: 0008A721
CLASSNN, xrefs: 0008A744
INSTANCE, xrefs: 0008A8B0
TEXT, xrefs: 0008A8D9
NAME, xrefs: 0008A7D4
REGEXPCLASS, xrefs: 0008A767

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 9b2a7e27f94a54d6f923e56996a2b34ef811c46f3c2ea6a1914a0b77dc674604
Instruction ID: 1ebf2f9c79316c49ec447714d531ffaf2261adb8a90bd47a55c60dd1478ea980
Opcode Fuzzy Hash: 9b2a7e27f94a54d6f923e56996a2b34ef811c46f3c2ea6a1914a0b77dc674604
Instruction Fuzzy Hash: D7919770B04606EBEB58EF60C481BEEF7B4BF05304F10811AE8D9A7552DF346A59DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00032E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00032EAE

Part of subcall function 00031DB3: GetClientRect.USER32(?,?), ref: 00031DDC
Part of subcall function 00031DB3: GetWindowRect.USER32(?,?), ref: 00031E1D
Part of subcall function 00031DB3: ScreenToClient.USER32(?,?), ref: 00031E45

GetDC.USER32 ref: 0006CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0006CF95
SelectObject.GDI32(00000000,00000000), ref: 0006CFA3
SelectObject.GDI32(00000000,00000000), ref: 0006CFB8
ReleaseDC.USER32(?,00000000), ref: 0006CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0006D04B

Strings

U, xrefs: 0006CF20

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b2db91b7eeb656e99e31d2007e21292e0724cfe1342c5a36bce53895d838997a
Instruction ID: c8272384f1b50306d9d3ed76c6d2ab40a1a576f85de47d6ae14ae3a3f5a2ad32
Opcode Fuzzy Hash: b2db91b7eeb656e99e31d2007e21292e0724cfe1342c5a36bce53895d838997a
Instruction Fuzzy Hash: DC71C231900205DFEF618F64CC85AFA7BFAFF49350F14426AED955A2A6C7318C42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000BC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

Part of subcall function 00032344: GetCursorPos.USER32(?), ref: 00032357
Part of subcall function 00032344: ScreenToClient.USER32(000F67B0,?), ref: 00032374
Part of subcall function 00032344: GetAsyncKeyState.USER32(00000001), ref: 00032399
Part of subcall function 00032344: GetAsyncKeyState.USER32(00000002), ref: 000323A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 000BC2E4
ImageList_EndDrag.COMCTL32 ref: 000BC2EA
ReleaseCapture.USER32 ref: 000BC2F0
SetWindowTextW.USER32(?,00000000), ref: 000BC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000BC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 000BC48F

Strings

@GUI_DRAGFILE, xrefs: 000BC424
@GUI_DROPID, xrefs: 000BC3E1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: c2d3e5610c1379487bee2a10fd82ec4c5f1afb97e780daa574d14a167f4a056d
Instruction ID: efd4a03d62529d59d2ea0e1e4e6d668c8537db37a0b3667a8e0fe581cee5fa19
Opcode Fuzzy Hash: c2d3e5610c1379487bee2a10fd82ec4c5f1afb97e780daa574d14a167f4a056d
Instruction Fuzzy Hash: 4C51AD70204305AFE710EF24CC55FBA7BE5EB88310F00862DF5968B2E2CB75A945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 000A8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,000BF910), ref: 000A903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,000BF910), ref: 000A9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000A91EB
SysFreeString.OLEAUT32(?), ref: 000A9215

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 69f8a18916b3e03140cbbe7a7592de2e2135a59f105e56377cc349b569118cf8
Instruction ID: 6c80af4030b1aa261780ebd4ad7b1cf91ab9ce354ee12fde0614388960a81bb6
Opcode Fuzzy Hash: 69f8a18916b3e03140cbbe7a7592de2e2135a59f105e56377cc349b569118cf8
Instruction Fuzzy Hash: 97F11771A00209EFDF14DF94C888EEEB7B9BF4A314F108459F916AB291DB31AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000AF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000AF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000AFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000AFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000AFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000AFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000AFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 000AFD90
CloseHandle.KERNEL32(?), ref: 000AFDBF
CloseHandle.KERNEL32(?), ref: 000AFE36

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 152179a99d7f9cbc935e354be76edfedef9e1bea55ace211db251307e71d79a7
Instruction ID: 7f2ec59d12ea2357536c602b540996ba2532b9dd3e5e8a4e9b9ec5788a2f4011
Opcode Fuzzy Hash: 152179a99d7f9cbc935e354be76edfedef9e1bea55ace211db251307e71d79a7
Instruction Fuzzy Hash: 00E1C331204342DFCB15EF64C881BBABBE5AF85350F14896DF8999B2A2CB71DC44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00094F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000948AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000938D3,?), ref: 000948C7

Part of subcall function 000948AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000938D3,?), ref: 000948E0

Part of subcall function 00094CD3: GetFileAttributesW.KERNEL32(?,00093947), ref: 00094CD4

lstrcmpiW.KERNEL32(?,?), ref: 00094FE2
_wcscmp.LIBCMT ref: 00094FFC
MoveFileW.KERNEL32(?,?), ref: 00095017

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ccad481ae2a9a837a97a69ef5ddcb18cb25f9fc951ad4307a94d31a59b572d21
Instruction ID: c4e2d7027bab9be8b2ad543119ccdbb4f86afc8ce393370f6f9bb987b2be0fc1
Opcode Fuzzy Hash: ccad481ae2a9a837a97a69ef5ddcb18cb25f9fc951ad4307a94d31a59b572d21
Instruction Fuzzy Hash: A65170B24087859BCB65EB60DC819DFB3ECAF85341F00092EB589D3152EF74A68D8766

Uniqueness

Uniqueness Score: -1.00%

Function 000B88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000B896E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 94fbcf3834928cee1cbe264a2b6c7a586587dbf669aa295c48cc1ce205fef99e
Instruction ID: 2e720fa6c7836122825b8b2c5a4164b1a182c8156fbdcb28b981b6f5271ecbf0
Opcode Fuzzy Hash: 94fbcf3834928cee1cbe264a2b6c7a586587dbf669aa295c48cc1ce205fef99e
Instruction Fuzzy Hash: 9A51A130600209BBEF359F28CC85BEE7BADAB05350F648126F511E61F1DF71A980DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00032B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0006C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0006C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0006C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0006C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0006C5C0
DestroyIcon.USER32(00000000), ref: 0006C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0006C5EC
DestroyIcon.USER32(?), ref: 0006C5FB

Part of subcall function 000BA71E: DeleteObject.GDI32(00000000), ref: 000BA757

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 7f25e9bf1313cda2c8c20e8d4124c9162ac6452d578a940f8f528e35d1978a0a
Instruction ID: 82d723eab1db26877f1bdd07ccc958201f174daa00f790c02118531d5eebddb0
Opcode Fuzzy Hash: 7f25e9bf1313cda2c8c20e8d4124c9162ac6452d578a940f8f528e35d1978a0a
Instruction Fuzzy Hash: 50516870600609AFEB21DF24CC45FBA7BF9EB58350F104628F942976A0DB74ED91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00089B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0008AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0008AE77
Part of subcall function 0008AE57: GetCurrentThreadId.KERNEL32 ref: 0008AE7E
Part of subcall function 0008AE57: AttachThreadInput.USER32(00000000,?,00089B65,?,00000001), ref: 0008AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00089B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00089B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00089B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00089B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00089BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00089BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00089BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00089BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00089BDD

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f5552ba3d337029f4ee6e90d7b6d03b9b267370326b48b30c4d34bbd927bee93
Instruction ID: f7092d3c5b1cff59e773f0d446d7f0aa6c37726e4613655419414ef5ce4245c5
Opcode Fuzzy Hash: f5552ba3d337029f4ee6e90d7b6d03b9b267370326b48b30c4d34bbd927bee93
Instruction Fuzzy Hash: 0511E1B1A50218BEF6107B64EC89FBA3B2DEB4C755F100925F644AB0A1CAF25C10DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00088E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00088A84,00000B00,?,?), ref: 00088E0C
HeapAlloc.KERNEL32(00000000,?,00088A84,00000B00,?,?), ref: 00088E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00088A84,00000B00,?,?), ref: 00088E28
GetCurrentProcess.KERNEL32(?,00000000,?,00088A84,00000B00,?,?), ref: 00088E30
DuplicateHandle.KERNEL32(00000000,?,00088A84,00000B00,?,?), ref: 00088E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00088A84,00000B00,?,?), ref: 00088E43
GetCurrentProcess.KERNEL32(00088A84,00000000,?,00088A84,00000B00,?,?), ref: 00088E4B
DuplicateHandle.KERNEL32(00000000,?,00088A84,00000B00,?,?), ref: 00088E4E
CreateThread.KERNEL32(00000000,00000000,00088E74,00000000,00000000,00000000), ref: 00088E68

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 09e45e9e1e7b9b73a8311abccd75a75efea9b7c12cfdb2fb13b0ed25c0c77495
Instruction ID: f4a22f2d3b5353e6de9a5984c9e45b21158ab96b8bfed15d202de553b6d6aafe
Opcode Fuzzy Hash: 09e45e9e1e7b9b73a8311abccd75a75efea9b7c12cfdb2fb13b0ed25c0c77495
Instruction Fuzzy Hash: A60158B5640349FFE610AFA9DC49FAB7BACEB89711F414921FA05DB1A1CA759C008B60

Uniqueness

Uniqueness Score: -1.00%

Function 000A9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A947C
VariantInit.OLEAUT32(?), ref: 000A954D
VariantInit.OLEAUT32(?), ref: 000A964E
VariantClear.OLEAUT32(?), ref: 000A9658
VariantClear.OLEAUT32(?), ref: 000A96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 000A94DD, 000A960B, 000A96C3
Incorrect Object type in FOR..IN loop, xrefs: 000A9631

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 098310149f1046535fded5804c190f1f4961d56b5eb77dcec8ead1e306cd4b6d
Instruction ID: 9d7dccb9a47019d276e80b5573eebc4b615d05a1f56673b3f964dab8cb0d06b1
Opcode Fuzzy Hash: 098310149f1046535fded5804c190f1f4961d56b5eb77dcec8ead1e306cd4b6d
Instruction Fuzzy Hash: D3917A71E00219ABDF24DFA5C848FAFBBB8EF4A710F108559F515AB281D7709945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000A9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00087652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?,?,0008799D), ref: 0008766F
Part of subcall function 00087652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?), ref: 0008768A
Part of subcall function 00087652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?), ref: 00087698
Part of subcall function 00087652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?), ref: 000876A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 000A9B1B
_memset.LIBCMT ref: 000A9B28
_memset.LIBCMT ref: 000A9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 000A9C97
CoTaskMemFree.OLE32(?), ref: 000A9CA2

Strings

NULL Pointer assignment, xrefs: 000A9CF0

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 6c3da623d109f2ce15ffc298140326556b89587e2fb92fd5e138bab85482ed1e
Instruction ID: 3620358136801f4fa2d87b688bcb8db4714f3cd0358c72981061a0ef776ce506
Opcode Fuzzy Hash: 6c3da623d109f2ce15ffc298140326556b89587e2fb92fd5e138bab85482ed1e
Instruction Fuzzy Hash: 7C913971D00219ABDB21DFA4DC85ADEBBB8BF09710F20415AF519A7292DB719A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000B7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 000B70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000B70C1
_wcscat.LIBCMT ref: 000B711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 000B7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000B7161

Strings

SysListView32, xrefs: 000B7065

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a8804c2a4e73734630f3415ee1577b5950b16b3788c59877c062b21bdddede11
Instruction ID: 00512c63a3ece48c4545b7e7a246b56237eab680decbed1a1f4bd9c9849ba4f2
Opcode Fuzzy Hash: a8804c2a4e73734630f3415ee1577b5950b16b3788c59877c062b21bdddede11
Instruction Fuzzy Hash: 77418471914309EFEB219F64CC85BEE77E8EF48350F10092AF948E7292D7759D848B60

Uniqueness

Uniqueness Score: -1.00%

Function 000AEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00093E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00093EB6
Part of subcall function 00093E91: Process32FirstW.KERNEL32(00000000,?), ref: 00093EC4
Part of subcall function 00093E91: CloseHandle.KERNEL32(00000000), ref: 00093F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000AECB8
GetLastError.KERNEL32 ref: 000AECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000AECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 000AED77
GetLastError.KERNEL32(00000000), ref: 000AED82
CloseHandle.KERNEL32(00000000), ref: 000AEDB7

Strings

SeDebugPrivilege, xrefs: 000AECD6

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e66c8d8c3b46126c76c603a3a48ee62a9c3e6fc20faf9785f2b4ddf36fcea111
Instruction ID: 1dc4edf481b248c1b0e187d9977893033ef071f22573643883dd92feec066577
Opcode Fuzzy Hash: e66c8d8c3b46126c76c603a3a48ee62a9c3e6fc20faf9785f2b4ddf36fcea111
Instruction Fuzzy Hash: 4841AE712002019FDB25EF68CC95FBDB7A5AF41714F088469F8829F2D3DBB5A904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00093226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000932C5

Strings

info, xrefs: 00093266
blank, xrefs: 00093247
stop, xrefs: 00093296
warning, xrefs: 000932AE
question, xrefs: 0009327E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ad3749685ca0cd47de2408f2758abe517b0ab3d10d188e44f9fed69371d3d02c
Instruction ID: 30af773cb64b5f1c2f26af1a556586e67d0bfe32d6a8c4fadf531e887b90498a
Opcode Fuzzy Hash: ad3749685ca0cd47de2408f2758abe517b0ab3d10d188e44f9fed69371d3d02c
Instruction Fuzzy Hash: 08112731708386BEAB115B65DC43DAFB3DCDF1A3B0F20006AFA01AA182E7656B405DA5

Uniqueness

Uniqueness Score: -1.00%

Function 00094534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0009454E
LoadStringW.USER32(00000000), ref: 00094555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0009456B
LoadStringW.USER32(00000000), ref: 00094572
_wprintf.LIBCMT ref: 00094598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000945B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00094593

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 026f9e6d0d400718e96f97f3222e078db82ec028bb436eb820f52608f59863ca
Instruction ID: dd6fa4ac916bb44a3f0e74e901e306ea217c9e288155e07196bedbc7bd4dec8b
Opcode Fuzzy Hash: 026f9e6d0d400718e96f97f3222e078db82ec028bb436eb820f52608f59863ca
Instruction Fuzzy Hash: E30162F2900209BFF750A7A4DD8AEFB776CD708301F0006A5BB45E3052EA789E858B70

Uniqueness

Uniqueness Score: -1.00%

Function 000BD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

GetSystemMetrics.USER32(0000000F), ref: 000BD78A
GetSystemMetrics.USER32(0000000F), ref: 000BD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 000BD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000BDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000BDA24
ShowWindow.USER32(00000003,00000000), ref: 000BDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 000BDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 000BDA8B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 66a1d2239373895a4fcb57e034f4239a9b03691eef5cfc8d85ef2f7ddc8804d2
Instruction ID: a22197fd8e98c37f713f07924e356ae2570b6f5be9894f3dd388fe74d603e115
Opcode Fuzzy Hash: 66a1d2239373895a4fcb57e034f4239a9b03691eef5cfc8d85ef2f7ddc8804d2
Instruction Fuzzy Hash: 87B15671600226ABDF14CF69C9C57FDBBF1BF44701F08816AEC48AB295EB35A950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00032A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0006C417,00000004,00000000,00000000,00000000), ref: 00032ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0006C417,00000004,00000000,00000000,00000000,000000FF), ref: 00032B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0006C417,00000004,00000000,00000000,00000000), ref: 0006C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0006C417,00000004,00000000,00000000,00000000), ref: 0006C4D6

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2ca79881b5511fecc9e51b7b6040c1d98fa5cbe51f97ec4fad7d3cae7b216908
Instruction ID: 4a4b0984ac457cb12f15a88ba6aef8ade87d14e41e68368b8835c319236ce1e5
Opcode Fuzzy Hash: 2ca79881b5511fecc9e51b7b6040c1d98fa5cbe51f97ec4fad7d3cae7b216908
Instruction Fuzzy Hash: F5412D30208B809BE7778B28CC9CBBF7BDAAF55300F15891DE08787561CB75A841D712

Uniqueness

Uniqueness Score: -1.00%

Function 00097368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0009737F

Part of subcall function 00050FF6: std::exception::exception.LIBCMT ref: 0005102C
Part of subcall function 00050FF6: __CxxThrowException@8.LIBCMT ref: 00051041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000973B6
EnterCriticalSection.KERNEL32(?), ref: 000973D2
_memmove.LIBCMT ref: 00097420
_memmove.LIBCMT ref: 0009743D
LeaveCriticalSection.KERNEL32(?), ref: 0009744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00097461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00097480

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 59a5815fcefc302fae067303634db6047942a0f89ce99244fa9af5226791f8cf
Instruction ID: 480a13729e17ae6f8f05fa9ca5c4ee180f2e3203c7f0005dc34c4731371d624f
Opcode Fuzzy Hash: 59a5815fcefc302fae067303634db6047942a0f89ce99244fa9af5226791f8cf
Instruction Fuzzy Hash: E2318D32904206EBDF10EF68DC85AAFBBB8EF44710B1441B5FD04AB246DB749E14DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000B645A
GetDC.USER32(00000000), ref: 000B6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000B646D
ReleaseDC.USER32(00000000,00000000), ref: 000B6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000B64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000B64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000B9299,?,?,000000FF,00000000,?,000000FF,?), ref: 000B6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000B6520

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ad1a12d11b1b73b9d6df24401728c183a615c874ca910c30102dc0d1a894d45c
Instruction ID: 6da6d64d4fff73d0ad0c14e901ef9904c37577a8f79ccc2301586a82b2784db5
Opcode Fuzzy Hash: ad1a12d11b1b73b9d6df24401728c183a615c874ca910c30102dc0d1a894d45c
Instruction Fuzzy Hash: CE317C72201614BFEB218F54CC8AFFA3FA9EF09761F044165FE089B2A1D6799C51CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0008C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0008C087
_memcmp.LIBCMT ref: 0008C0A9
_memcmp.LIBCMT ref: 0008C0C1
_memcmp.LIBCMT ref: 0008C0D4
_memcmp.LIBCMT ref: 0008C0EE
_memcmp.LIBCMT ref: 0008C101
_memcmp.LIBCMT ref: 0008C119
_memcmp.LIBCMT ref: 0008C134

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dfc6e30360a3ce0667e64d799613e2ffbfa168c8bb6ef424008ba77a08d45fd2
Instruction ID: a05e1796c61704c11b4c6c1a22f43959212f22f9d32ec716669fb8d39908a488
Opcode Fuzzy Hash: dfc6e30360a3ce0667e64d799613e2ffbfa168c8bb6ef424008ba77a08d45fd2
Instruction Fuzzy Hash: B021A171A00205B6F660B6209D86FEF27ACBF213D9F044024FE859A683E771DD1587F5

Uniqueness

Uniqueness Score: -1.00%

Function 0009ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

Part of subcall function 0004FEC6: _wcscpy.LIBCMT ref: 0004FEE9

_wcstok.LIBCMT ref: 0009EEFF
_wcscpy.LIBCMT ref: 0009EF8E
_memset.LIBCMT ref: 0009EFC1

Strings

X, xrefs: 0009EFFE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 88f4507a1a6aa660b8940f521f9c9874efcca3eab6ec276811051b5be006f90e
Instruction ID: 51f47b40b3dea251828681009e389b36defdc5d59feb17d7f9cc456717bfcaf4
Opcode Fuzzy Hash: 88f4507a1a6aa660b8940f521f9c9874efcca3eab6ec276811051b5be006f90e
Instruction Fuzzy Hash: 6DC170715087419FCB65EF24C885AAEB7E8BF85310F04492DF899972A3DB70ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 000A6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000A6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000A6F35
WSAGetLastError.WSOCK32(00000000), ref: 000A6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 000A6FFE
inet_ntoa.WSOCK32(?), ref: 000A6FBB

Part of subcall function 0008AE14: _strlen.LIBCMT ref: 0008AE1E
Part of subcall function 0008AE14: _memmove.LIBCMT ref: 0008AE40

_strlen.LIBCMT ref: 000A7058
_memmove.LIBCMT ref: 000A70C1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: c7e54f02e5836b46670f1c51f27c9464fea4542f9265d5a1fbf441f95543d006
Instruction ID: f88f4dc75b53f0bc2d8c1907ec5459c18c0382b6d7072726b33b89cdeff1bd21
Opcode Fuzzy Hash: c7e54f02e5836b46670f1c51f27c9464fea4542f9265d5a1fbf441f95543d006
Instruction Fuzzy Hash: C681D071108300ABD720EB64CC86EAFB3EDAF85714F148A19F5599B2A2DB719D04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00031424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a340298ebdeca6d8f5bde2c808eb1b2fdce652512cbf448658e511076e309f
Instruction ID: afabd0da324d12fdada8096f876b34b27246f810fdd7191637d51d1224e79313
Opcode Fuzzy Hash: f5a340298ebdeca6d8f5bde2c808eb1b2fdce652512cbf448658e511076e309f
Instruction Fuzzy Hash: 8F715A70904109EFDB15DF98CC49AFEBBB9FF89310F148159F915AB251C734AA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000BB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E549F0), ref: 000BB6A5
IsWindowEnabled.USER32(00E549F0), ref: 000BB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 000BB795
SendMessageW.USER32(00E549F0,000000B0,?,?), ref: 000BB7CC
IsDlgButtonChecked.USER32(?,?), ref: 000BB809
GetWindowLongW.USER32(00E549F0,000000EC), ref: 000BB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000BB843

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2142189c31776d43f0019307651d08af49eb86ece9a04e0318ddd7f37a6fdce6
Instruction ID: 546180d220752925e0ba8cc78d6b391e8ed4befc03f8bba2d0a24b5dc558d17b
Opcode Fuzzy Hash: 2142189c31776d43f0019307651d08af49eb86ece9a04e0318ddd7f37a6fdce6
Instruction Fuzzy Hash: 6E71CE34644204AFEB609F64CC94FFABBF9FF89340F140069E94697261CBB6AD41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000AF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000AF75C
_memset.LIBCMT ref: 000AF825
ShellExecuteExW.SHELL32(?), ref: 000AF86A

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

Part of subcall function 0004FEC6: _wcscpy.LIBCMT ref: 0004FEE9

GetProcessId.KERNEL32(00000000), ref: 000AF8E1
CloseHandle.KERNEL32(00000000), ref: 000AF910

Strings

@, xrefs: 000AF839

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: d6ab1470a3180b3183b7bb776d2c4ee09ed1d913dc5f1bfa23b9f9c6fc62334d
Instruction ID: c7e2578de03a0bafce415c61022d973798f7be880778e669422a4519aef1e2e8
Opcode Fuzzy Hash: d6ab1470a3180b3183b7bb776d2c4ee09ed1d913dc5f1bfa23b9f9c6fc62334d
Instruction Fuzzy Hash: 71619175A0061ADFCF15DF94C884AAEBBF4FF49310F148569E845AB352CB34AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0009145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0009149C
GetKeyboardState.USER32(?), ref: 000914B1
SetKeyboardState.USER32(?), ref: 00091512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00091540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0009155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 000915A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000915C8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e61b1f5145db0bfc4f8a38b8914d959a931d30c1cd1006eba1a402fa0c08ebfe
Instruction ID: 161d90e37dd154766f7b9ee36378f8446b174675bcba9e0bf4095109f2420c14
Opcode Fuzzy Hash: e61b1f5145db0bfc4f8a38b8914d959a931d30c1cd1006eba1a402fa0c08ebfe
Instruction Fuzzy Hash: 8451C0B0B087D77EFF3646648C45BFABEE96B46304F098589E1D5468D3C298AC84E750

Uniqueness

Uniqueness Score: -1.00%

Function 00091276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000912B5
GetKeyboardState.USER32(?), ref: 000912CA
SetKeyboardState.USER32(?), ref: 0009132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00091357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00091374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000913B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000913D9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1eda543b4a6c35aa310806e6ad96fc662896f4ce218d46cd53a7902970609948
Instruction ID: adc14701476ccbb6a0c97ee9af3c3465257bdeb1e4267041f0b1e6b4122a73e4
Opcode Fuzzy Hash: 1eda543b4a6c35aa310806e6ad96fc662896f4ce218d46cd53a7902970609948
Instruction Fuzzy Hash: 9451AFB0A486D77DFF3287248C45BFABEE95F0A300F088589E1D4568C2D295AD94F761

Uniqueness

Uniqueness Score: -1.00%

Function 0009589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000958AC
_wcsncpy.LIBCMT ref: 000958E1
_wcsncpy.LIBCMT ref: 00095913
_wcsncpy.LIBCMT ref: 00095946
_wcsncpy.LIBCMT ref: 00095988
_wcsncpy.LIBCMT ref: 000959C2
_wcsncpy.LIBCMT ref: 000959F1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 4bf0fca64fa84064431c6c56078fba3972715206682ab3be03863afe95228178
Instruction ID: d8ac3ecbe2414cfbeb7f0b85a93af3058bad17123e7d6f113ea32cdab24e7cd9
Opcode Fuzzy Hash: 4bf0fca64fa84064431c6c56078fba3972715206682ab3be03863afe95228178
Instruction Fuzzy Hash: 5041B666C2052876CF11EBB5CC8A9CF73AC9F05312F509952F918E3122E734E758C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 000938AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000948AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000938D3,?), ref: 000948C7

Part of subcall function 000948AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000938D3,?), ref: 000948E0

lstrcmpiW.KERNEL32(?,?), ref: 000938F3
_wcscmp.LIBCMT ref: 0009390F
MoveFileW.KERNEL32(?,?), ref: 00093927
_wcscat.LIBCMT ref: 0009396F
SHFileOperationW.SHELL32(?), ref: 000939DB

Strings

\*.*, xrefs: 00093969

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 89644eb1e6074601284e212378d17587f7e1d4d23886b54169979dde04bb52e8
Instruction ID: 2d9134fb25a8d24995c19c626b9ff0bc3cbd75c8cb37a83b63848b897066cf54
Opcode Fuzzy Hash: 89644eb1e6074601284e212378d17587f7e1d4d23886b54169979dde04bb52e8
Instruction Fuzzy Hash: 534162B250C3459ECB61EF64C445AEFB7ECAF89340F04092EB499C3152EA74D649DB52

Uniqueness

Uniqueness Score: -1.00%

Function 000B7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000B7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000B75C0
IsMenu.USER32(?), ref: 000B75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000B7620
DrawMenuBar.USER32 ref: 000B7633

Strings

0, xrefs: 000B750D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2db7972a0c42daf121337af3d47ff511a07ab07ebd647a80b945f73c60b9cf30
Instruction ID: 83a315ef0b94e6e36574834da0e8473ca52a428c117d08344d8547b14f20586a
Opcode Fuzzy Hash: 2db7972a0c42daf121337af3d47ff511a07ab07ebd647a80b945f73c60b9cf30
Instruction Fuzzy Hash: F6412575A04609EFDB20DF58D884EEABBF8FB48350F058129E9199B290D731AD50DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 000B125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000B1286
FreeLibrary.KERNEL32(00000000), ref: 000B133D

Part of subcall function 000B122D: RegCloseKey.ADVAPI32(?), ref: 000B12A3
Part of subcall function 000B122D: FreeLibrary.KERNEL32(?), ref: 000B12F5
Part of subcall function 000B122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000B1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 000B12E0

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d0724ebacb02884899b6d9fce926d7a6414129962f0db7cd11d8c4dd709a9044
Instruction ID: b085918d415ccb8ca21184f8b1de4194ed967acedaa60241e3ab76ba133f8478
Opcode Fuzzy Hash: d0724ebacb02884899b6d9fce926d7a6414129962f0db7cd11d8c4dd709a9044
Instruction Fuzzy Hash: 813129B1911109BFEB149BA4DC99AFEB7BCEF08300F40016AF501E3251EA749F499AA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000B655B
GetWindowLongW.USER32(00E549F0,000000F0), ref: 000B658E
GetWindowLongW.USER32(00E549F0,000000F0), ref: 000B65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000B65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000B661F
GetWindowLongW.USER32(00000000,000000F0), ref: 000B6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000B664A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3332812f411920c0d390f37f8f81e3239234051cc1294258e9515df37662263d
Instruction ID: 8effad686cfa27c42795a90bc4f2162a1419af838072edfbbae338d6f8845d5b
Opcode Fuzzy Hash: 3332812f411920c0d390f37f8f81e3239234051cc1294258e9515df37662263d
Instruction Fuzzy Hash: 19310430604255AFEB30CF58DC85FA53BE1FB4A750F1902A8F9118B2B6CB7AAC50DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000A6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000A80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000A80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000A64D9
WSAGetLastError.WSOCK32(00000000), ref: 000A64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 000A6521
connect.WSOCK32(00000000,?,00000010), ref: 000A652A
WSAGetLastError.WSOCK32 ref: 000A6534
closesocket.WSOCK32(00000000), ref: 000A655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 000A6576

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 8bb77d7eee5d0fa3f780606a589e31d9600daed7989a19a94566280aef95f18a
Instruction ID: 29c0a19b416e5183db4305bece5c3aade05a3e0958fde987b8005cd3c3a044a3
Opcode Fuzzy Hash: 8bb77d7eee5d0fa3f780606a589e31d9600daed7989a19a94566280aef95f18a
Instruction Fuzzy Hash: EE31A131600218AFEB10AF64CC85BFE7BBCEB45710F048169F94997291CB75AD04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0008E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0008E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0008E120
SysAllocString.OLEAUT32(00000000), ref: 0008E123
SysAllocString.OLEAUT32 ref: 0008E144
SysFreeString.OLEAUT32 ref: 0008E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0008E167
SysAllocString.OLEAUT32(?), ref: 0008E175

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 582cf63c4a6a53b624eef005a5a2fd5f4633e01ca01e939a49c79c99ae78264b
Instruction ID: 92bc71e0237b7957455a9556ab83d22840e5e4b9ed71c0eee45b30ca33de281a
Opcode Fuzzy Hash: 582cf63c4a6a53b624eef005a5a2fd5f4633e01ca01e939a49c79c99ae78264b
Instruction Fuzzy Hash: 9C213035604149AFEB10AFA8DC88DBB77ECFB09760B108225F955CB2A5DB749C818B64

Uniqueness

Uniqueness Score: -1.00%

Function 0008FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0008FB81
__wcsnicmp.LIBCMT ref: 0008FBA2
__wcsnicmp.LIBCMT ref: 0008FBBC

Strings

#OnAutoItStartRegister, xrefs: 0008FBB6
#notrayicon, xrefs: 0008FB79
#requireadmin, xrefs: 0008FB9C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: b105187c8b00e7eae66a99eacb4499114496f3e2b74226dda5b35f94e2c5527e
Instruction ID: b5b78edc1a5f090151f32a668205b33d7e144d85c8e62b5df9c14efa52ea9d14
Opcode Fuzzy Hash: b105187c8b00e7eae66a99eacb4499114496f3e2b74226dda5b35f94e2c5527e
Instruction Fuzzy Hash: CC214572200252A6D235B634DE12FFB73D8BF11350F108435FDC586182FB91AA8183A5

Uniqueness

Uniqueness Score: -1.00%

Function 000B783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00031D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00031D73
Part of subcall function 00031D35: GetStockObject.GDI32(00000011), ref: 00031D87
Part of subcall function 00031D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00031D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000B78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000B78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000B78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000B78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000B78D4

Strings

Msctls_Progress32, xrefs: 000B7872

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3348cacf20c97500a1cbc8a9f1c1b3e16b3fc7a316d012e093af6bd138fe9175
Instruction ID: f63ff8ad1961e35d6db9032dcb18208a4b26ff028e29c220961861961abe4e5e
Opcode Fuzzy Hash: 3348cacf20c97500a1cbc8a9f1c1b3e16b3fc7a316d012e093af6bd138fe9175
Instruction Fuzzy Hash: D211B2B2154219BFEF159F60CC85EEB7F6DEF48798F014115FA08A60A0CB729C21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000541C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00054292,?), ref: 000541E3
GetProcAddress.KERNEL32(00000000), ref: 000541EA
EncodePointer.KERNEL32(00000000), ref: 000541F6
DecodePointer.KERNEL32(00000001,00054292,?), ref: 00054213

Strings

combase.dll, xrefs: 000541DE
RoInitialize, xrefs: 000541D2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 19576e9ee6c28286bcafadaea6d8a74a66edc4d96acf35ecc998da68757ed0a9
Instruction ID: 941bbacc798c0485c5e49dae4c97b45701df87ffcc3bed955291e6fcf0543f63
Opcode Fuzzy Hash: 19576e9ee6c28286bcafadaea6d8a74a66edc4d96acf35ecc998da68757ed0a9
Instruction Fuzzy Hash: 55E012B0990301AEFB505F74EC4DBA635E4B720B07F504524B911DA5A0DBBD44D5DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0005429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000541B8), ref: 000542B8
GetProcAddress.KERNEL32(00000000), ref: 000542BF
EncodePointer.KERNEL32(00000000), ref: 000542CA
DecodePointer.KERNEL32(000541B8), ref: 000542E5

Strings

RoUninitialize, xrefs: 000542A7
combase.dll, xrefs: 000542B3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e542555b87dcd5750e1609abf8f01d3e04bf658e92de8700ef08e659bb017d4f
Instruction ID: 460f155f3accabd8b7689513703e5d76a47ada2f3c579cee56d183448ea81fa3
Opcode Fuzzy Hash: e542555b87dcd5750e1609abf8f01d3e04bf658e92de8700ef08e659bb017d4f
Instruction Fuzzy Hash: E1E04F78541302ABFB409F60EC0CBA63AE4B720B46F100528FD01D65A0CB7C5594DB04

Uniqueness

Uniqueness Score: -1.00%

Function 0009675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 000968AD
_memmove.LIBCMT ref: 000967E8

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

_memmove.LIBCMT ref: 0009685B
_memmove.LIBCMT ref: 00096942
_memmove.LIBCMT ref: 0009695B
_memmove.LIBCMT ref: 00096977

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
Instruction ID: d43d5c1419ec7f413f5083ee51d65996e43421bdade0b86738d5dbbb859bd6db
Opcode Fuzzy Hash: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
Instruction Fuzzy Hash: CB61AA3050065AABCF22EF64CC82FFF77A8AF05308F044519F85A5B293DB75A905EB90

Uniqueness

Uniqueness Score: -1.00%

Function 000B046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 000B10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B0038,?,?), ref: 000B10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000B0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000B05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000B05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000B0617
RegCloseKey.ADVAPI32(00000000), ref: 000B0624

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b0ec0c07ed1fe6ffacacf24a7472c364c03480fdec8bb2209f55a92f67ed18ff
Instruction ID: 199f81a0c159ee59c848ba2990ca27a72b284c6b7fd349b3e026f78774987816
Opcode Fuzzy Hash: b0ec0c07ed1fe6ffacacf24a7472c364c03480fdec8bb2209f55a92f67ed18ff
Instruction Fuzzy Hash: 35514871108201AFD715EB64CC85EAFBBE8FF84314F04492DF585972A2DB71E904DB52

Uniqueness

Uniqueness Score: -1.00%

Function 000B5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000B5A82
GetMenuItemCount.USER32(00000000), ref: 000B5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000B5AE1
GetMenuItemID.USER32(?,?), ref: 000B5B50
GetSubMenu.USER32(?,?), ref: 000B5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 000B5BAF

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9e9fb6ce5a1068761e01b2742606c33442e996c993979d9398304d0c91fa516d
Instruction ID: b6808e71ae7381950f84fbbf796b36b5901ff301c26636f66b4663824e4d02bd
Opcode Fuzzy Hash: 9e9fb6ce5a1068761e01b2742606c33442e996c993979d9398304d0c91fa516d
Instruction Fuzzy Hash: A4517D35A00615AFDF11EFA4CC45AEEB7F4EF48321F1044A9E906BB352CB74AE418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0008F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0008F3F7
VariantClear.OLEAUT32(00000013), ref: 0008F469
VariantClear.OLEAUT32(00000000), ref: 0008F4C4
_memmove.LIBCMT ref: 0008F4EE
VariantClear.OLEAUT32(?), ref: 0008F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0008F569

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: fce9a8882d5f41114e6eb2465aa932f917ae6440c35417798d5d7ed02278aec6
Instruction ID: dd3e92cbe9144932f48b8f0fb90643c128b7eebef5fad8b3e4de8c721312729c
Opcode Fuzzy Hash: fce9a8882d5f41114e6eb2465aa932f917ae6440c35417798d5d7ed02278aec6
Instruction Fuzzy Hash: 6C516CB5A0020AEFDB10DF68D884AAAB7F8FF4C354B158569ED59DB300D730E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000926F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00092747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00092792
IsMenu.USER32(00000000), ref: 000927B2
CreatePopupMenu.USER32 ref: 000927E6
GetMenuItemCount.USER32(000000FF), ref: 00092844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00092875

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 2f04f1fc40df826969ffa30224b52c9600683b0cef2bc98279b80d7acf4a6f17
Instruction ID: 9e66a56d7595fb80fa48bc17df01f1c96e91e4a43e736a128c91bef01df00949
Opcode Fuzzy Hash: 2f04f1fc40df826969ffa30224b52c9600683b0cef2bc98279b80d7acf4a6f17
Instruction Fuzzy Hash: 3551A070A02306FFDF24DF68D888AEFBBF5AF44314F104669E825AB291DB709944DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00031765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0003179A
GetWindowRect.USER32(?,?), ref: 000317FE
ScreenToClient.USER32(?,?), ref: 0003181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0003182C
EndPaint.USER32(?,?), ref: 00031876

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 77771efdf01e44e7f0ecac1ed56596e91a93cef24a507109eeeb25a6288b6e97
Instruction ID: fa2a1beea22b62b4416d3cb6b9d6015f5aaf8898ccb3c0b8ff132c56c252b269
Opcode Fuzzy Hash: 77771efdf01e44e7f0ecac1ed56596e91a93cef24a507109eeeb25a6288b6e97
Instruction Fuzzy Hash: 4F418E70504301AFE711DF28CC84FFA7BF9EB49764F140629F994872A2CB359846DB62

Uniqueness

Uniqueness Score: -1.00%

Function 000BB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(000F67B0,00000000,00E549F0,?,?,000F67B0,?,000BB862,?,?), ref: 000BB9CC
EnableWindow.USER32(00000000,00000000), ref: 000BB9F0
ShowWindow.USER32(000F67B0,00000000,00E549F0,?,?,000F67B0,?,000BB862,?,?), ref: 000BBA50
ShowWindow.USER32(00000000,00000004,?,000BB862,?,?), ref: 000BBA62
EnableWindow.USER32(00000000,00000001), ref: 000BBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 000BBAA9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 49c41406c3c308cc8cf00e2c6c23d5d2a9956e49aaddb0b04aa31917c6f59825
Instruction ID: dc33411892da914a0cde9d02f360f45afbe7a40f96cd48d1785ee8a21aa313e3
Opcode Fuzzy Hash: 49c41406c3c308cc8cf00e2c6c23d5d2a9956e49aaddb0b04aa31917c6f59825
Instruction Fuzzy Hash: E6415234600241AFDB65CF15C899BE57BE1FF05314F1842B9FA489F6A2C7B1E845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 000A73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,000A5134,?,?,00000000,00000001), ref: 000A73BF

Part of subcall function 000A3C94: GetWindowRect.USER32(?,?), ref: 000A3CA7

GetDesktopWindow.USER32 ref: 000A73E9
GetWindowRect.USER32(00000000), ref: 000A73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 000A7422

Part of subcall function 000954E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0009555E

GetCursorPos.USER32(?), ref: 000A744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000A74AC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 8c4713f1fa461306ca632074a9a87e6e78084f4923e674aea1a91c5d756a5ade
Instruction ID: 7378ce2e6c087ef9e2f23c1a8f9fdd1ea19c6043950081d9d7f59ae06d8c213e
Opcode Fuzzy Hash: 8c4713f1fa461306ca632074a9a87e6e78084f4923e674aea1a91c5d756a5ade
Instruction Fuzzy Hash: 8C31C472508306ABD720DF54DC49FABBBE9FF89314F004A19F58997191CB74E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00088D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000885F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00088608
Part of subcall function 000885F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00088612
Part of subcall function 000885F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00088621
Part of subcall function 000885F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00088628
Part of subcall function 000885F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0008863E

GetLengthSid.ADVAPI32(?,00000000,00088977), ref: 00088DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00088DB8
HeapAlloc.KERNEL32(00000000), ref: 00088DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00088DD8
GetProcessHeap.KERNEL32(00000000,00000000,00088977), ref: 00088DEC
HeapFree.KERNEL32(00000000), ref: 00088DF3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 629f640786686b987dd166deb2333493353e2167cc90a418c8a4230729ce45f6
Instruction ID: 7fc7f8202a235d6d6b43e27914b7d191e7d84f3885dd44ffe284a1560c05e029
Opcode Fuzzy Hash: 629f640786686b987dd166deb2333493353e2167cc90a418c8a4230729ce45f6
Instruction Fuzzy Hash: CA11DC71500606FFEB50AFA8CC08BFE7BA9FF50315F508529E885A7251CB36AD00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00088AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00088B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00088B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00088B40
CloseHandle.KERNEL32(00000004), ref: 00088B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00088B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00088B8E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9de87dd318fe6fd951a01f6a00a96aa52bd675474d223060f682828da73eabbb
Instruction ID: 67ed1f6ea95e8efead9b8ead093d40dd85e6a06dfc5c1da5189e0d87989d6e30
Opcode Fuzzy Hash: 9de87dd318fe6fd951a01f6a00a96aa52bd675474d223060f682828da73eabbb
Instruction Fuzzy Hash: 7C115CB250020AABEF019FA8DD49FEE7BE9FF48304F044164FE44A2160C7758D609B60

Uniqueness

Uniqueness Score: -1.00%

Function 000BC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000312F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0003134D
Part of subcall function 000312F3: SelectObject.GDI32(?,00000000), ref: 0003135C
Part of subcall function 000312F3: BeginPath.GDI32(?), ref: 00031373
Part of subcall function 000312F3: SelectObject.GDI32(?,00000000), ref: 0003139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000BC1C4
LineTo.GDI32(00000000,00000003,?), ref: 000BC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000BC1E6
LineTo.GDI32(00000000,00000000,?), ref: 000BC1F6
EndPath.GDI32(00000000), ref: 000BC206
StrokePath.GDI32(00000000), ref: 000BC216

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 72e538e4669be932940933508beab857c3ef8b6027bbdb2c66073b0b2bfb8fb4
Instruction ID: 90fde114ae4e10b835a2cf65972a3389389924f6d63075a7263b5600af2c00b3
Opcode Fuzzy Hash: 72e538e4669be932940933508beab857c3ef8b6027bbdb2c66073b0b2bfb8fb4
Instruction Fuzzy Hash: C911397600010DBFEB129F94DC88EEA3FACEB08390F048121BA085A161C7729D95DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000503A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000503D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 000503DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000503E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000503F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 000503F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00050401

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 648ad33c34271ce4ddecf8624f1e19ed6f12cdc05f1fe423fd68f659f749abf7
Instruction ID: 27dbfac2d36290ff9039c01f167dc4c05d5244c39b9a9b34b9ecd1df0be764bc
Opcode Fuzzy Hash: 648ad33c34271ce4ddecf8624f1e19ed6f12cdc05f1fe423fd68f659f749abf7
Instruction Fuzzy Hash: 8E016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0009568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0009569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000956B1
GetWindowThreadProcessId.USER32(?,?), ref: 000956C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000956CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000956D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000956E0

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fa900bb9f089d49e7e92209f0b6a5acb7cbdf6b4394b16f25d85b04f5668ea39
Instruction ID: 304157a6493313db60aed3aeedb58b8aba8e0055c12174549fbd061e4c8c9215
Opcode Fuzzy Hash: fa900bb9f089d49e7e92209f0b6a5acb7cbdf6b4394b16f25d85b04f5668ea39
Instruction Fuzzy Hash: F8F01D3264115ABBE7215BA6AC0EEFB7B7CEBCAB11F000269FA04D2050D6A51A0187B5

Uniqueness

Uniqueness Score: -1.00%

Function 000974D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 000974E5
EnterCriticalSection.KERNEL32(?,?,00041044,?,?), ref: 000974F6
TerminateThread.KERNEL32(00000000,000001F6,?,00041044,?,?), ref: 00097503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00041044,?,?), ref: 00097510

Part of subcall function 00096ED7: CloseHandle.KERNEL32(00000000,?,0009751D,?,00041044,?,?), ref: 00096EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00097523
LeaveCriticalSection.KERNEL32(?,?,00041044,?,?), ref: 0009752A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 95fa27bc206ebe09bb884818fc46e696a57c7faa518d5013402b819f6f535dd0
Instruction ID: 05d3835811a1ac01c982abbcb8a5d3846431211b4e2ba94fb4f7c55bf25fb56d
Opcode Fuzzy Hash: 95fa27bc206ebe09bb884818fc46e696a57c7faa518d5013402b819f6f535dd0
Instruction Fuzzy Hash: FAF03A3A140613EBEB522B64EC889EA776AAF45302B010631F202920A5CBB95C01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00088E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00088E7F
UnloadUserProfile.USERENV(?,?), ref: 00088E8B
CloseHandle.KERNEL32(?), ref: 00088E94
CloseHandle.KERNEL32(?), ref: 00088E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00088EA5
HeapFree.KERNEL32(00000000), ref: 00088EAC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c0c2a399cc4c0ec13fbeee4fb8bd82eb71dd58ab26e0e9085eb23f67d7cea0ae
Instruction ID: 75961515bd25890f159899edaa13ea036a7410fd71e9e5ae96fc9aa3c85f300d
Opcode Fuzzy Hash: c0c2a399cc4c0ec13fbeee4fb8bd82eb71dd58ab26e0e9085eb23f67d7cea0ae
Instruction Fuzzy Hash: 51E05976104506FBE6012FE5EC0C9A5BB69FB997627544B31F215C2470CB365461DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000A8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000A8928
CharUpperBuffW.USER32(?,?), ref: 000A8A37
VariantClear.OLEAUT32(?), ref: 000A8BAF

Part of subcall function 00097804: VariantInit.OLEAUT32(00000000), ref: 00097844
Part of subcall function 00097804: VariantCopy.OLEAUT32(00000000,?), ref: 0009784D
Part of subcall function 00097804: VariantClear.OLEAUT32(00000000), ref: 00097859

Strings

AUTOIT.ERROR, xrefs: 000A8A3D
Incorrect Parameter format, xrefs: 000A8960, 000A8B22

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c451d21a8e3369406d5a354aad93dd2f77ec0a192ec06ae926d42638c774e69a
Instruction ID: 3b068bba93ffd1f61649543f1958093205e3c8185a9f2d9bf8096f3678e78855
Opcode Fuzzy Hash: c451d21a8e3369406d5a354aad93dd2f77ec0a192ec06ae926d42638c774e69a
Instruction Fuzzy Hash: A7916F716083019FC710DF68C4859ABBBE4EF89354F04896EF89A8B362DB31E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00092F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0004FEC6: _wcscpy.LIBCMT ref: 0004FEE9

_memset.LIBCMT ref: 00093077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000930A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00093159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00093187

Strings

0, xrefs: 00093063

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: fcdfcf4695533b5c9eb06ad0a0a219b3dc6c0f20b0e482308eb9b4287b40cdd3
Instruction ID: ae9f8bd2aa92a94000f93a0f61f670f5c751275f0f5af9503fd33e63bd595ac9
Opcode Fuzzy Hash: fcdfcf4695533b5c9eb06ad0a0a219b3dc6c0f20b0e482308eb9b4287b40cdd3
Instruction Fuzzy Hash: 4251D0316083019BDB659F28D859AABB7E8EF85360F040A2DF995D31B1DB70CE44AB52

Uniqueness

Uniqueness Score: -1.00%

Function 0008DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0008DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0008DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0008DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0008DB8E

Strings

DllGetClassObject, xrefs: 0008DB01

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: fd7013470e040a0c71f1e2c2eb2d43673b25109760b54e2ce7cfea9183f3dcb5
Instruction ID: 3789f327a7ba556982ef7fc661313d53a7f3943be1c1e9891260a54070c28882
Opcode Fuzzy Hash: fd7013470e040a0c71f1e2c2eb2d43673b25109760b54e2ce7cfea9183f3dcb5
Instruction Fuzzy Hash: F741AEB1600209EFDB14DF54C884AAA7BE9FF44350F1582AAED059F286D7B1DD40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00092C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00092CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00092CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00092D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,000F6890,00000000), ref: 00092D5A

Strings

0, xrefs: 00092CA4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f24c9a01de201f8592dae79f126ef97c61229fc302f2e20f45c2a445dfc1742a
Instruction ID: d9711d88e687c0b5944079b5d514090572c8be5e7003f69a87d81cf0d6d9e78d
Opcode Fuzzy Hash: f24c9a01de201f8592dae79f126ef97c61229fc302f2e20f45c2a445dfc1742a
Instruction Fuzzy Hash: 59416270206302AFDB24EF24C845B5BB7E8EF85320F14466DF965972E2D770E904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 000ADAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 000ADAD9

Part of subcall function 000379AB: _memmove.LIBCMT ref: 000379F9

Strings

winapi, xrefs: 000ADB4A
cdecl, xrefs: 000ADB30
stdcall, xrefs: 000ADB5B
none, xrefs: 000ADBB4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1fd6103fce07b7c9a3aaba18754d57014bd887d1b83a2a4674898dc2972e7dbb
Instruction ID: 2fadf55b34c6dfbbf62e3be1c99f50240e397c103a44ba9e77cc3636aebef9a6
Opcode Fuzzy Hash: 1fd6103fce07b7c9a3aaba18754d57014bd887d1b83a2a4674898dc2972e7dbb
Instruction Fuzzy Hash: BE31847451461AEFCF10EF94CC819EEB3B8FF55310F10862AE866A76D2DB71A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00089372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 0008B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0008B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000893F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00089409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00089439

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

Strings

ListBox, xrefs: 000893B5
ComboBox, xrefs: 00089380

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: e3f978ef6041a64b06357d0cd55832d01e9c0e6cb37c653e90af3920a890330f
Instruction ID: df82fba6de996db6ce206c33ab6904cec5408a642032b254307ab6a3d7a02032
Opcode Fuzzy Hash: e3f978ef6041a64b06357d0cd55832d01e9c0e6cb37c653e90af3920a890330f
Instruction Fuzzy Hash: 7121D2B1900104AFEB25BB65CC85CFFB7BCEF05360F144229F966A72E2DB350A0A9710

Uniqueness

Uniqueness Score: -1.00%

Function 000A1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000A1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000A1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000A1B96
InternetCloseHandle.WININET(00000000), ref: 000A1BDD

Part of subcall function 000A2777: GetLastError.KERNEL32(?,?,000A1B0B,00000000,00000000,00000001), ref: 000A278C
Part of subcall function 000A2777: SetEvent.KERNEL32(?,?,000A1B0B,00000000,00000000,00000001), ref: 000A27A1

Strings

, xrefs: 000A1B87

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3ab5904e87dd2877a6dad372415dd3c6a48c79fcf68bd588ee9c173bea95aacf
Instruction ID: 7985a61d0e436057bf56ce440c199a05c66ca848b024c3dba00732cb82406c7b
Opcode Fuzzy Hash: 3ab5904e87dd2877a6dad372415dd3c6a48c79fcf68bd588ee9c173bea95aacf
Instruction Fuzzy Hash: 8621CDB1654208BFEB219FA49C85EFF76ECEB4A794F10412AF405A3240EB349E0497B1

Uniqueness

Uniqueness Score: -1.00%

Function 000B6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00031D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00031D73
Part of subcall function 00031D35: GetStockObject.GDI32(00000011), ref: 00031D87
Part of subcall function 00031D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00031D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000B66D0
LoadLibraryW.KERNEL32(?), ref: 000B66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000B66EC
DestroyWindow.USER32(?), ref: 000B66F4

Strings

SysAnimate32, xrefs: 000B66AB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b604bb1b8162a6518d54f27c5020d7d176d594ff8e9f7d8f07153c00aafbe456
Instruction ID: 364300ab23fa308a51c2fdf001d0f7ccd725c785bce6cacb6a3fd450f2062da4
Opcode Fuzzy Hash: b604bb1b8162a6518d54f27c5020d7d176d594ff8e9f7d8f07153c00aafbe456
Instruction Fuzzy Hash: AE216A71200206AFEF104F64EC80EFB77EDEB59768F104629FA11971A0DB7ADC519764

Uniqueness

Uniqueness Score: -1.00%

Function 0009703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0009705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00097091
GetStdHandle.KERNEL32(0000000C), ref: 000970A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000970DD

Strings

nul, xrefs: 000970D8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6e769a4f6967395db206c9fbb6cb5bdd75e3802047d4e8e9007300ecd47ce046
Instruction ID: b8b4dec21acba190ead9ee56bff3bd077348762ff0c0408ccacee47b2a4f1473
Opcode Fuzzy Hash: 6e769a4f6967395db206c9fbb6cb5bdd75e3802047d4e8e9007300ecd47ce046
Instruction Fuzzy Hash: A9218176614209EBDF209F28DC05A9A7BE8BF84720F204B29FCA4D72D0D771A8509B50

Uniqueness

Uniqueness Score: -1.00%

Function 0009710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0009712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0009715D
GetStdHandle.KERNEL32(000000F6), ref: 0009716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000971A8

Strings

nul, xrefs: 000971A3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: dfbd878a1b2c59d7cded3b722f832b7ff274c21031761ef2dbe51e858f26fd48
Instruction ID: 2f277fcc6e82d155dc2ea4c7459993cb236fc3573ae7994386b754fc8c15d28b
Opcode Fuzzy Hash: dfbd878a1b2c59d7cded3b722f832b7ff274c21031761ef2dbe51e858f26fd48
Instruction Fuzzy Hash: E8218376614206ABDF209F6C9C04AAAB7E8AF55720F200B19FDA5D72D0D7709841DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0009AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0009AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0009AF13
__swprintf.LIBCMT ref: 0009AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,000BF910), ref: 0009AF6A

Strings

%lu, xrefs: 0009AF26

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: bae6c0596efcac7c03b9b75ad74155f31168725d3e4e6613640d0b5629454fc4
Instruction ID: 2ccd978ebf163bd0d5c1a723d8fabf5fc43c6d266f8d8f17e313a5ad0a814b8f
Opcode Fuzzy Hash: bae6c0596efcac7c03b9b75ad74155f31168725d3e4e6613640d0b5629454fc4
Instruction Fuzzy Hash: 82218630A00109AFDB10DF54CD85DEE77B8EF49704B004469F905EB252DB71EA41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0008A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

Part of subcall function 0008A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0008A399
Part of subcall function 0008A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0008A3AC
Part of subcall function 0008A37C: GetCurrentThreadId.KERNEL32 ref: 0008A3B3
Part of subcall function 0008A37C: AttachThreadInput.USER32(00000000), ref: 0008A3BA

GetFocus.USER32 ref: 0008A554

Part of subcall function 0008A3C5: GetParent.USER32(?), ref: 0008A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0008A59D
EnumChildWindows.USER32(?,0008A615), ref: 0008A5C5
__swprintf.LIBCMT ref: 0008A5DF

Strings

%s%d, xrefs: 0008A5D9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: c5082df85303015437ba5c64cf7aa4666ff48cc2a953a6efff419ad9ea083bc4
Instruction ID: 54b976515bced92012aab83df326c78ca5bb279493d77db3648a0141cdc0be87
Opcode Fuzzy Hash: c5082df85303015437ba5c64cf7aa4666ff48cc2a953a6efff419ad9ea083bc4
Instruction Fuzzy Hash: 3E1190B12002097BEF117F64DC85FEA37BCAF49700F044076FE48AA153DA715A558B75

Uniqueness

Uniqueness Score: -1.00%

Function 00092017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00092048

Strings

REMOVE, xrefs: 0009204E
APPEND, xrefs: 00092081
KEYS, xrefs: 0009205F
EXISTS, xrefs: 00092070

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 111880a2af874c72d727419617f185484f1bb59a4b1b284345aac129933fb9e4
Instruction ID: 5c0b2f0fa88bcc7dc4739bce8588e7fa670534e42f1c435747c489cc528068ff
Opcode Fuzzy Hash: 111880a2af874c72d727419617f185484f1bb59a4b1b284345aac129933fb9e4
Instruction Fuzzy Hash: A7115B3890010ADFCF50EFA4D9414EEB7B4FF5A304F1084A8D855A7253EB32690ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 000AEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000AEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000AEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 000AF07E
CloseHandle.KERNEL32(?), ref: 000AF0FF

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 4d4b3a001deea1a8bafd6bdeaba8a8196467a11471f37baa1836dff4c6aee567
Instruction ID: 97f6946832cf9c166c12b5ab9785e241fe725d1e9786ad09782e137e7b0a3d69
Opcode Fuzzy Hash: 4d4b3a001deea1a8bafd6bdeaba8a8196467a11471f37baa1836dff4c6aee567
Instruction Fuzzy Hash: FB8170716047019FD725EF68CC46F6AB7E9EF48710F04892DF595DB292DBB0AC408B92

Uniqueness

Uniqueness Score: -1.00%

Function 000B02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 000B10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000B0038,?,?), ref: 000B10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000B0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000B03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000B040E
RegCloseKey.ADVAPI32(?,?), ref: 000B043A
RegCloseKey.ADVAPI32(00000000), ref: 000B0447

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a4b8a36e30b39252a1819c124536a410408fc988c4a90a0e61e4c9bf6bf0017a
Instruction ID: ffd6af9ac050ec1f082f1c48e81d2f7bcb4a5d833570c695e89352aada7b0afd
Opcode Fuzzy Hash: a4b8a36e30b39252a1819c124536a410408fc988c4a90a0e61e4c9bf6bf0017a
Instruction Fuzzy Hash: 9D515871208205AFD715EB64CC85EAFB7E8FF84704F04892DB596972A2DB30EA04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0009E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0009E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0009E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0009E8F2

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0009E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0009E91F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 804f62cd6269c0836bb6b33c2e5e9fe39da778df9219c58de14cee13ab28f88c
Instruction ID: 2e7ae34919d650dbb82c939cd73ba010e3f2ddda5ae198e091c8a3dc9a85207d
Opcode Fuzzy Hash: 804f62cd6269c0836bb6b33c2e5e9fe39da778df9219c58de14cee13ab28f88c
Instruction Fuzzy Hash: D3510F35A00105DFCF05DF64C981AAEBBF9EF08310F1480A9E849AB362DB71ED51DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000BA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c8b60b815e43679b04caa03eb8b0ef2f452df6e8e102b8fa06ab19ac24143c
Instruction ID: c984b71db128094f0332dc92e0bfab0ae2e41591fa30f1128c2b68a397bdbd12
Opcode Fuzzy Hash: a7c8b60b815e43679b04caa03eb8b0ef2f452df6e8e102b8fa06ab19ac24143c
Instruction Fuzzy Hash: B641F235A00204AFD760DF28CC48FF9BBE8EB0A720F144265F955A72E1DB74AE41DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00032344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00032357
ScreenToClient.USER32(000F67B0,?), ref: 00032374
GetAsyncKeyState.USER32(00000001), ref: 00032399
GetAsyncKeyState.USER32(00000002), ref: 000323A7

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: fbf36620216ce165df2f54adfa5358599c6935db1e0dac0538d4f0fbb82ecbec
Instruction ID: 9a5cfb18cb4f9c931023df3ede9c00fa2c240217b7b139d626ed7200a5476b22
Opcode Fuzzy Hash: fbf36620216ce165df2f54adfa5358599c6935db1e0dac0538d4f0fbb82ecbec
Instruction Fuzzy Hash: 0F41813150411AFBEF269F68C844EFDBBB9FB05320F20432AF86996290C7755A94DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00086920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0008695D
TranslateAcceleratorW.USER32(?,?,?), ref: 000869A9
TranslateMessage.USER32(?), ref: 000869D2
DispatchMessageW.USER32(?), ref: 000869DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000869EB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: b8bab32949046a1c432bc4187fed0e3acd242d5994c5e8f3bcfe572aae9d0e9e
Instruction ID: c7773f2d909b2894171584d57ae6017ed3d0c7b1c3c8831ff9d7ec54aaba08ae
Opcode Fuzzy Hash: b8bab32949046a1c432bc4187fed0e3acd242d5994c5e8f3bcfe572aae9d0e9e
Instruction Fuzzy Hash: 9931F8319006069AEBA4EF74DC44FF67BECBB01310F114169E4E1C35A1DB7B9445DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00088F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00088F12
PostMessageW.USER32(?,00000201,00000001), ref: 00088FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00088FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00088FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00088FDA

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e81cc20b29c82fc344740ac916f602efff114bd7f7ae293fe59e2c437261d7af
Instruction ID: 5593f614f207b3c5c3faa9e551b2d839af005499d86cd549b7a6efbc9631dfe0
Opcode Fuzzy Hash: e81cc20b29c82fc344740ac916f602efff114bd7f7ae293fe59e2c437261d7af
Instruction Fuzzy Hash: C331DF71500219EBDB14DF68DD48AEE7BB6FB04325F108229FA64EB1D1C7B09910CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0008B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0008B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0008B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0008B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0008B742
_wcsstr.LIBCMT ref: 0008B74C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e6ead178dbaf667867f602a8b0d11b0dfae96f9f2cfcf3fd01e897051b3cb412
Instruction ID: ca18c30531eaf15b03a56b017886c8511601ac82c69f877c6fa398e053a06f6a
Opcode Fuzzy Hash: e6ead178dbaf667867f602a8b0d11b0dfae96f9f2cfcf3fd01e897051b3cb412
Instruction Fuzzy Hash: 38210732208205BBEB256B399C49EBF7BD8EF49760F00403AFC05CA1A2EF65DC409360

Uniqueness

Uniqueness Score: -1.00%

Function 000BB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

GetWindowLongW.USER32(?,000000F0), ref: 000BB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000BB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000BB489
GetSystemMetrics.USER32(00000004), ref: 000BB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,000A1184,00000000), ref: 000BB4D0

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 1d99063e0b25421aa2e8566d8395f1507ed0319ef3c984669a7854fdb61b52b8
Instruction ID: 13e5a6974c79aa483cddda6d25e8ade10ca565320937d711e2959d12b103c9f4
Opcode Fuzzy Hash: 1d99063e0b25421aa2e8566d8395f1507ed0319ef3c984669a7854fdb61b52b8
Instruction Fuzzy Hash: 27216D71910656AFDB609F38CC04BBA3BA4FB05720F144B38F926D71E2E7749911DB90

Uniqueness

Uniqueness Score: -1.00%

Function 000897E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00089802

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00089834
__itow.LIBCMT ref: 0008984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00089874
__itow.LIBCMT ref: 00089885

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2534f8fc9f959a2ba942263a27994e506c3e9d2358cfc7cc579c7b6b87ee7150
Instruction ID: d937fcc737d55c6bc2953593e69f8c748392968448b23b1d23ceb6424b7cba73
Opcode Fuzzy Hash: 2534f8fc9f959a2ba942263a27994e506c3e9d2358cfc7cc579c7b6b87ee7150
Instruction Fuzzy Hash: D321C871B00209EBEB21BB658C8AEFE7BEDEF49720F080025FD44DB252DA708D458791

Uniqueness

Uniqueness Score: -1.00%

Function 000312F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0003134D
SelectObject.GDI32(?,00000000), ref: 0003135C
BeginPath.GDI32(?), ref: 00031373
SelectObject.GDI32(?,00000000), ref: 0003139C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e9600a0de4d651b5a764999a47d5948b96c19c39be3981dfb14ce272d38563bb
Instruction ID: 9c9026e9a6015c4ce3e47a149e8189ed7a14247f2326275a7cd3b74cdffb3725
Opcode Fuzzy Hash: e9600a0de4d651b5a764999a47d5948b96c19c39be3981dfb14ce272d38563bb
Instruction Fuzzy Hash: F8213170804305EFEB119F25DC047F97BF9EB04351F244329F810975A0DB7A9996EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0008C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0008C176
_memcmp.LIBCMT ref: 0008C194
_memcmp.LIBCMT ref: 0008C1A7
_memcmp.LIBCMT ref: 0008C1BF
_memcmp.LIBCMT ref: 0008C1D7

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6ff7620d2fffe6affaf9c990ad284d04b2ac45e87391617d0733747355ecd11c
Instruction ID: 818c8f475c903baadc132a5004b6b38f17dc8e24c2cd36a8beb1d962d0242070
Opcode Fuzzy Hash: 6ff7620d2fffe6affaf9c990ad284d04b2ac45e87391617d0733747355ecd11c
Instruction Fuzzy Hash: 530192B16042057BFA14B6205CC6FEF63ACEB22398F444025FE459A683E670AE1583F0

Uniqueness

Uniqueness Score: -1.00%

Function 00094D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00094D5C
__beginthreadex.LIBCMT ref: 00094D7A
MessageBoxW.USER32(?,?,?,?), ref: 00094D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00094DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00094DAC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 0101cb851db3a6f3db166426a082266e8b2afc8e603ea00fe6b8f1e5d99f76f2
Instruction ID: ff45083af9015922c9144c6ffaff0b157ce8e16d68edaf27af3ed5be865737c7
Opcode Fuzzy Hash: 0101cb851db3a6f3db166426a082266e8b2afc8e603ea00fe6b8f1e5d99f76f2
Instruction Fuzzy Hash: EA1144B6904608BBEB018BA89C48EEB7FECEB85321F144365F914D32A1C6798D00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00088766
GetLastError.KERNEL32(?,0008822A,?,?,?), ref: 00088770
GetProcessHeap.KERNEL32(00000008,?,?,0008822A,?,?,?), ref: 0008877F
HeapAlloc.KERNEL32(00000000,?,0008822A,?,?,?), ref: 00088786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0008879D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 92a4f5133bcebb89fb66bfd421f55a822ccf0bf0a5363059caee34e05345bc56
Instruction ID: 720e5ab8c93e80c62a79908465ae68a9eb0ef8167851abd2be495a7a88f08b66
Opcode Fuzzy Hash: 92a4f5133bcebb89fb66bfd421f55a822ccf0bf0a5363059caee34e05345bc56
Instruction Fuzzy Hash: 28014BB1204215EFEB245FAADC88DAB7BBCFF897957604529F849C3260DA31CD00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 000954E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00095502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00095510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00095518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00095522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0009555E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d82be1277088d61b268bbcae70062ecab292134ceb9a150f9edf3f2b9d7e2f94
Instruction ID: e25490168677c8f1e219aacc2c482bb89c1ad4ea1d2d79a5075d5eaf1926f4f3
Opcode Fuzzy Hash: d82be1277088d61b268bbcae70062ecab292134ceb9a150f9edf3f2b9d7e2f94
Instruction Fuzzy Hash: 12016D71C01A1ADBDF00EFE9EC586EDBB79FB09712F410956E801F2141DB349950D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00087652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?,?,0008799D), ref: 0008766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?), ref: 0008768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?), ref: 00087698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?), ref: 000876A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0008758C,80070057,?,?), ref: 000876B4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 43ee1d1c4c846b16b7001fe8e7d995dfa08a495f7c6647f41c5d168e816ee4ac
Instruction ID: 22d805495a8b8ba46442260eb7cf772e9df3b62bd24eb67efcd628bc2153601b
Opcode Fuzzy Hash: 43ee1d1c4c846b16b7001fe8e7d995dfa08a495f7c6647f41c5d168e816ee4ac
Instruction Fuzzy Hash: 2601D472604605BBEB10AF18DC04BAA7BEDFB44B61F200128FD48D3215FB35DE1087A0

Uniqueness

Uniqueness Score: -1.00%

Function 000885F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00088608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00088612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00088621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00088628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0008863E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 61ebb8f75f616b0b283dd57949eb63519bf2f593685eca58ed4d1f7939f74a40
Instruction ID: 1f1a99efa22bcd4f5f03cd5a86576791cdcba8b53efa87547bb5a0a9fdf9c1bc
Opcode Fuzzy Hash: 61ebb8f75f616b0b283dd57949eb63519bf2f593685eca58ed4d1f7939f74a40
Instruction Fuzzy Hash: FBF0AF70200205BFEB102FA8DC89EBB3BACFF89754B444525F945C3160DB649C51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00088652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00088669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00088673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00088682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00088689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0008869F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2b0de82e62e6ca9f348be4472ba13ac4d482d7d246b2e6a3409a7c5675d573cb
Instruction ID: 7ceb141ff553e2b8240b455cedba54d79144141dcdc534c32b78b44918d1393b
Opcode Fuzzy Hash: 2b0de82e62e6ca9f348be4472ba13ac4d482d7d246b2e6a3409a7c5675d573cb
Instruction Fuzzy Hash: 17F0AF70200215BFEB112FA8EC88EB73BACFF89754B500525F945D3160DA649D10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0008C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0008C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0008C6D1
MessageBeep.USER32(00000000), ref: 0008C6E9
KillTimer.USER32(?,0000040A), ref: 0008C705
EndDialog.USER32(?,00000001), ref: 0008C71F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7b8f3e04c53437b66a81d46aec79fbd876539b47c7005a3c639a959886df1c81
Instruction ID: ef2a85a212a8bfd146ebf033a4607ef1d540b611a030b612b2a797f840309bca
Opcode Fuzzy Hash: 7b8f3e04c53437b66a81d46aec79fbd876539b47c7005a3c639a959886df1c81
Instruction Fuzzy Hash: BE014F30504705ABFB316B24ED8EFE677B8BB00705F000669F586A24E1EBF4A9548F90

Uniqueness

Uniqueness Score: -1.00%

Function 000313B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000313BF
StrokeAndFillPath.GDI32(?,?,0006BAD8,00000000,?), ref: 000313DB
SelectObject.GDI32(?,00000000), ref: 000313EE
DeleteObject.GDI32 ref: 00031401
StrokePath.GDI32(?), ref: 0003141C

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 430740a3e6f6f8fdf015ba49de2bfac5161676294ab3e08519f1d59f89d57176
Instruction ID: 8075440c11c152b18bc250125b7fd535e0e7ee31b1e2e295f61ed7bc1633e180
Opcode Fuzzy Hash: 430740a3e6f6f8fdf015ba49de2bfac5161676294ab3e08519f1d59f89d57176
Instruction Fuzzy Hash: 0BF0CD31004209EBEB125F56EC0C7B83BA8A705366F148328E429465F1CB3B8996EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00042E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00050FF6: std::exception::exception.LIBCMT ref: 0005102C
Part of subcall function 00050FF6: __CxxThrowException@8.LIBCMT ref: 00051041

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 00037BB1: _memmove.LIBCMT ref: 00037C0B

__swprintf.LIBCMT ref: 0004302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00042EC6

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f13941cd00fdd835fbb63fc648ed9c617ee8a2de669d9cf0b2774438f7b22135
Instruction ID: 376c262ff31e14a5cf27e5b2f0590b07d81ada21aa41bdf536a4a7694d95e073
Opcode Fuzzy Hash: f13941cd00fdd835fbb63fc648ed9c617ee8a2de669d9cf0b2774438f7b22135
Instruction Fuzzy Hash: 36919DB15087019FC729EF24C895DAFB7E8EF85700F00492DF846972A2DB21EE48CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0009BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 000348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000348A1,?,?,000337C0,?), ref: 000348CE

CoInitialize.OLE32(00000000), ref: 0009BC26
CoCreateInstance.OLE32(000C2D6C,00000000,00000001,000C2BDC,?), ref: 0009BC3F
CoUninitialize.OLE32 ref: 0009BC5C

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

Strings

.lnk, xrefs: 0009BC08, 0009BC16

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 9ef1b1a4a9e35918df8da7f448a2bb6588ae6b04eabc2ed3dac80d0c97289a03
Instruction ID: eea1dcdcc22d7e7d22441058deece96072d60fae6649b1a5560cc774f20cfdad
Opcode Fuzzy Hash: 9ef1b1a4a9e35918df8da7f448a2bb6588ae6b04eabc2ed3dac80d0c97289a03
Instruction Fuzzy Hash: AEA137756043019FCB10DF14C984EAABBE9FF89324F148999F8999B362CB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0005524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000552DD

Part of subcall function 00060340: __87except.LIBCMT ref: 0006037B

Strings

pow, xrefs: 000552B5, 000552D2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 438a263211c8baeedd77cc95e3b1da2f007bd8705992fb9eabc39a48f112ac8c
Instruction ID: c84546825392cf01a21e67399cf8523404766b0aa760b02cbf6e06166fcf6ab2
Opcode Fuzzy Hash: 438a263211c8baeedd77cc95e3b1da2f007bd8705992fb9eabc39a48f112ac8c
Instruction Fuzzy Hash: 5B518C61A0DA0287DB657714CDA13BF3BD59B00753F208D58E8D9822E6EF788DC8DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0005023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00050280
+, xrefs: 00050277

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 34fdcd04a7871feacfc0e0ef35ca03d7f9f7851bd05627d4f4632c9cd816301e
Instruction ID: 9f8c8c09c9ae28ea6587702736d34c0dee40e70731ad2aafe2804d471b12453b
Opcode Fuzzy Hash: 34fdcd04a7871feacfc0e0ef35ca03d7f9f7851bd05627d4f4632c9cd816301e
Instruction Fuzzy Hash: 26510C755047468FDF35AF28C888AFE7BA8FF1A312F184055EC919B2A1D7349D4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 000462F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000463A8
_memmove.LIBCMT ref: 00046446
_memset.LIBCMT ref: 0004646A

Strings

ERCP, xrefs: 00046313

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: f923d47a83ba35426e0986692a3f0ce078f1253d4c363088eb7ac9f1b74a7f9e
Instruction ID: 44de30877c93be4419d19fd252a2c4d5444366e12e7e197394086b2a84224fae
Opcode Fuzzy Hash: f923d47a83ba35426e0986692a3f0ce078f1253d4c363088eb7ac9f1b74a7f9e
Instruction Fuzzy Hash: B351BEB19003099FCF24CF65C8857EBBBE8EF44711F20857EEA8ACA241E7719685CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000B7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000B76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000B76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 000B7708

Strings

SysMonthCal32, xrefs: 000B769B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f3172f3c958fdfd6e00563a7b8c5a70a40e9b5066eb795c57137dd0dbd797e1e
Instruction ID: 8c9be4ed000f4a04cd9db427e1aeaface2a305a16ab911424fdc5e234bb80dc8
Opcode Fuzzy Hash: f3172f3c958fdfd6e00563a7b8c5a70a40e9b5066eb795c57137dd0dbd797e1e
Instruction Fuzzy Hash: 5121D132504219BBDF16CF64CC46FEA3BA9EF88714F110214FE19AB1D1DAB5AC50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000B6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000B6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000B6FDF

Strings

Listbox, xrefs: 000B6F77

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 2e845cb82358d010203ec2ea79e9ffbae4df852098ac31cc2207e8dacd696d3f
Instruction ID: 8367234f6ac87264f4e2917c7d81c968b7442304a79ee9c17da7bef47af68744
Opcode Fuzzy Hash: 2e845cb82358d010203ec2ea79e9ffbae4df852098ac31cc2207e8dacd696d3f
Instruction Fuzzy Hash: A0218032614119BFEF118F54DC85EFB37AAEF89754F018124F9149B1A0CA76AC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000B79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000B79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000B7A03

Strings

msctls_trackbar32, xrefs: 000B79B8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c0e5d8186ea064e058951a865bf47da02100b817d4e315aac4958962909d1d38
Instruction ID: c3418ee02d0fc4e087ab7ace31b0542f24e2eed66c273f452b223070ebe09fb4
Opcode Fuzzy Hash: c0e5d8186ea064e058951a865bf47da02100b817d4e315aac4958962909d1d38
Instruction Fuzzy Hash: 5A11E332244208BBEF219F60CC05FEB77A9EFC9B64F010529FA45A6091D672D811DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00040A8D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00033C26,000F62F8,?,?,?), ref: 00040ACE

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

_wcscat.LIBCMT ref: 000750E1

Strings

@e, xrefs: 00040AE8
F, xrefs: 00040ADA

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: F$@e
API String ID: 257928180-1765875470
Opcode ID: 7002043eb30ced961d5a2a132c0e48c3be0b78fd8fde91273624bb7b9e5e50da
Instruction ID: 51a00f428e4ed8ebb14df6af4f8cf84fa8586f7868f66b02994968772b046b55
Opcode Fuzzy Hash: 7002043eb30ced961d5a2a132c0e48c3be0b78fd8fde91273624bb7b9e5e50da
Instruction Fuzzy Hash: 2E11A5B0A0420CAACB51EBA4DC05EED73FCEF08340F0044B5BA4CE7242EB759B889759

Uniqueness

Uniqueness Score: -1.00%

Function 00034C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00034C2E), ref: 00034CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00034CB5

Strings

GetNativeSystemInfo, xrefs: 00034CAF
kernel32.dll, xrefs: 00034C9E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 3c79b94080c42e69c307b6b120bd8fd55ab7d6c5f26b30e40fe43ceac3a39e21
Instruction ID: 8c5946dd2df52346763abd3a5ed85f34fc7b6b33795360eb339c27156dc10ed8
Opcode Fuzzy Hash: 3c79b94080c42e69c307b6b120bd8fd55ab7d6c5f26b30e40fe43ceac3a39e21
Instruction Fuzzy Hash: 08D0C230520323CFD7204F38CD29A9272D8AF00740F10CC39D881DB150D774D480C610

Uniqueness

Uniqueness Score: -1.00%

Function 00034D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00034D2E,?,00034F4F,?,000F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00034D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00034D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00034D7B
kernel32.dll, xrefs: 00034D6A

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4a5268dbd5d8818690827c920102d07afbbbd885df04a34db3ac1c0c2b58e213
Instruction ID: e8faaf6caecba5a2b93466df6a9dc45a6e7235877800337d1c1063466f50e9c7
Opcode Fuzzy Hash: 4a5268dbd5d8818690827c920102d07afbbbd885df04a34db3ac1c0c2b58e213
Instruction Fuzzy Hash: 68D01730510713CFE7219F39DC186A676ECAF15352F11CD3AD496EB250E7B4E880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00034D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00034CE1,?), ref: 00034DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00034DB4

Strings

kernel32.dll, xrefs: 00034D9D
Wow64RevertWow64FsRedirection, xrefs: 00034DAE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 1c2bcc6f67d199cddb10fc6d74ef95e02fdca4a6e4a08940dfcd21483bb9e115
Instruction ID: 08ff5120e049722cac3f177d0228818ec8040a5f744706c67da6effd1d7a22db
Opcode Fuzzy Hash: 1c2bcc6f67d199cddb10fc6d74ef95e02fdca4a6e4a08940dfcd21483bb9e115
Instruction Fuzzy Hash: E5D0E231550713CFE7209B39DC18A9676E8AF05355B128C3AD896EA160E7B4E8808A50

Uniqueness

Uniqueness Score: -1.00%

Function 000B1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,000B12C1), ref: 000B1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000B1092

Strings

RegDeleteKeyExW, xrefs: 000B108C
advapi32.dll, xrefs: 000B107B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9d8b6ede0894851cf5f9fdc47cb6275ae24bfc6eacc67da0aa7be98b6cae05bb
Instruction ID: 69a9ef97c7b0d4e84c1757bc851c9f567194f878b3e74765633e3545c7e19a85
Opcode Fuzzy Hash: 9d8b6ede0894851cf5f9fdc47cb6275ae24bfc6eacc67da0aa7be98b6cae05bb
Instruction Fuzzy Hash: 13D01230510753CFD7205F79DC285AB76E4AF05391B11CD3DE595DA150D7B4C4C0C650

Uniqueness

Uniqueness Score: -1.00%

Function 000A93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,000A9009,?,000BF910), ref: 000A9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 000A9415

Strings

GetModuleHandleExW, xrefs: 000A940F
kernel32.dll, xrefs: 000A93FE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: fff59f2fcd66fc1bb27008b9f05b10e52140126bc7791112451231eda4b5d486
Instruction ID: e11932bebe8b1e3dbe7df7ca7fb6af019911dd2c4da21821ab0f1bb72aa0ade8
Opcode Fuzzy Hash: fff59f2fcd66fc1bb27008b9f05b10e52140126bc7791112451231eda4b5d486
Instruction Fuzzy Hash: 05D0C730A10313CFE7208F79DD08A9272E8AF0A341B20CD3AE482EB550E7B4D8C0CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00071B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00071B42
__swprintf.LIBCMT ref: 00071B73

Strings

%.3d, xrefs: 00071B4D
WIN_XPe, xrefs: 00071BB2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: f65bf3f9154b8791687af234e7adedefc3efcf53c872a74275e3090e83a43595
Instruction ID: eca6c479ba95da560f3cf28de9d9cdb4919824b1c043bf3825e690014571f2ef
Opcode Fuzzy Hash: f65bf3f9154b8791687af234e7adedefc3efcf53c872a74275e3090e83a43595
Instruction Fuzzy Hash: B5D012B1C08158EADB399B948C44CFE737CAB08301F108592B90AE2080F33C9B849B29

Uniqueness

Uniqueness Score: -1.00%

Function 000876C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de5e6239a53b777ec5b4f261eb59b4a751b5e7865a9b6124decdb44c4732c73
Instruction ID: 2dc342318042e0191f420cd4de579c981ad87a42017a222af976b882ebe80ab7
Opcode Fuzzy Hash: 8de5e6239a53b777ec5b4f261eb59b4a751b5e7865a9b6124decdb44c4732c73
Instruction Fuzzy Hash: B2C19275A04216EFCB14DF94C884EAEBBF5FF48714B218598E889EB255D730DE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000AE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 000AE3D2
CharLowerBuffW.USER32(?,?), ref: 000AE415

Part of subcall function 000ADAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 000ADAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 000AE615
_memmove.LIBCMT ref: 000AE628

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 94cb4bf5af719094b032a88a3a52c539e0c3e1f8215478e35d4be9333b223b48
Instruction ID: f9674cd53268b8daf79ff03cc70567b2a8115acf2a0b62dd299ca50bd0eadd6e
Opcode Fuzzy Hash: 94cb4bf5af719094b032a88a3a52c539e0c3e1f8215478e35d4be9333b223b48
Instruction Fuzzy Hash: 96C17A71A083419FC754DF68C480AAABBE4FF89714F14896EF8999B352D730E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 000A83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000A83D8
CoUninitialize.OLE32 ref: 000A83E3

Part of subcall function 0008DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0008DAC5

VariantInit.OLEAUT32(?), ref: 000A83EE
VariantClear.OLEAUT32(?), ref: 000A86BF

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c69086d23200016a589028089b6e816efa39d2d1f713b9520b0117400aee0ab3
Instruction ID: 5260eef7fbbedfebcfa279a81262ed174e25ff72e8c3fe37403ccb296a6059cb
Opcode Fuzzy Hash: c69086d23200016a589028089b6e816efa39d2d1f713b9520b0117400aee0ab3
Instruction Fuzzy Hash: 2AA169356047019FDB11DF68C881B6AB7E4BF89314F04894DF99A9B3A2CB70ED04CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00087A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000C2C7C,?), ref: 00087C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000C2C7C,?), ref: 00087C4A
CLSIDFromProgID.OLE32(?,?,00000000,000BFB80,000000FF,?,00000000,00000800,00000000,?,000C2C7C,?), ref: 00087C6F
_memcmp.LIBCMT ref: 00087C90

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 20109bcaa4154acca7733551806efd380c5d4e768af9e4d067fc6b31f791e080
Instruction ID: 047c03aa57ebd410fe48585a82e8f9ae147e90f267497f5bb438d53131bd81f3
Opcode Fuzzy Hash: 20109bcaa4154acca7733551806efd380c5d4e768af9e4d067fc6b31f791e080
Instruction Fuzzy Hash: 63813C71A00109EFCB04DF94C984EEEB7B9FF89315F204198F54AAB254DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00086DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00086E04
SysAllocString.OLEAUT32(00000000), ref: 00086EAD
VariantCopy.OLEAUT32 ref: 00086EDC
VariantClear.OLEAUT32(?), ref: 00086F03

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 97bf3a6fd19347a39b11e1a8f543c3fb36d4b20d34c30d9a53ad0ef27774fe28
Instruction ID: b296f215cab566ea5cc28423693d0825fed92c79319427ad8bd221957e9402ac
Opcode Fuzzy Hash: 97bf3a6fd19347a39b11e1a8f543c3fb36d4b20d34c30d9a53ad0ef27774fe28
Instruction Fuzzy Hash: ED519631608306DADB70BF65D895A6EB3E5BF44310F70882FE6DAC7292DB71D8409B11

Uniqueness

Uniqueness Score: -1.00%

Function 000B9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E5DB90,?), ref: 000B9AD2
ScreenToClient.USER32(00000002,00000002), ref: 000B9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 000B9B72

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3a28a07dedbf10d9e831732e5568e4ee01db1278fe0995d79ca43b903ef645f5
Instruction ID: b46f3a11a8060076ab602487f2284246acfbf6c674889e554aa6bd7aea2f6c79
Opcode Fuzzy Hash: 3a28a07dedbf10d9e831732e5568e4ee01db1278fe0995d79ca43b903ef645f5
Instruction Fuzzy Hash: 11512934A00609AFDB20DF68D981EEE7BF5EF45360F108669FA159B2A1D730AD41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 000A6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 000A6CE4
WSAGetLastError.WSOCK32(00000000), ref: 000A6CF4

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000A6D58
WSAGetLastError.WSOCK32(00000000), ref: 000A6D64

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 677008462c82393f169ee275c965ab8cea4e9d275ca3c561c27718a054ff8239
Instruction ID: 8f63f944e8538a1ae8c4ab21ea9ec4f944dd217ed4891ecabae0513bb2d210a4
Opcode Fuzzy Hash: 677008462c82393f169ee275c965ab8cea4e9d275ca3c561c27718a054ff8239
Instruction Fuzzy Hash: 9841B174740200AFEB25AF64DC86FBA77E9AB04B10F448558FA599B2D3DBB59C008B91

Uniqueness

Uniqueness Score: -1.00%

Function 000A672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,000BF910), ref: 000A67BA
_strlen.LIBCMT ref: 000A67EC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 1a8edaa3838cc90b3cf54f48b909d9a894d7bcfaaba90ec584db78eb0f0df23f
Instruction ID: 5b6cc0959c31fae3f3ef90b83ec4556df6a935d5e10c399f742584d095772eb9
Opcode Fuzzy Hash: 1a8edaa3838cc90b3cf54f48b909d9a894d7bcfaaba90ec584db78eb0f0df23f
Instruction Fuzzy Hash: 9741BF35A00104ABCB14EBA4DCC5EEEB3BCAF49310F188265F81A9B292DF75AD04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0009BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0009BB09
GetLastError.KERNEL32(?,00000000), ref: 0009BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0009BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0009BB80

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0f284fbadd14c21e7502a969829b5e32f3d034a9b35aba8ee736fc4c3eef6eb2
Instruction ID: 83e8f23df022c6452c5ce7234c3ed259dd51d5b0c05e688e211e16e7695632f6
Opcode Fuzzy Hash: 0f284fbadd14c21e7502a969829b5e32f3d034a9b35aba8ee736fc4c3eef6eb2
Instruction Fuzzy Hash: 47412639600611DFCF11EF19C984A9DBBE5EF89320F098499E84A9B362CB74FD01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 000B8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000B8B4D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5d246d3b54a254d87ac959c82f3526ce22f20d4f861dd66808c779ed952d218b
Instruction ID: 4ce7398245f625de7282d99fa354be1295b21a779b4c9feb03620b86d9c25e83
Opcode Fuzzy Hash: 5d246d3b54a254d87ac959c82f3526ce22f20d4f861dd66808c779ed952d218b
Instruction Fuzzy Hash: 7E31ADB4600208BEEB749E28CC95FE937A8EB09311F24CA16FA51D72B1DF35A940DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000BADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000BAE1A
GetWindowRect.USER32(?,?), ref: 000BAE90
PtInRect.USER32(?,?,000BC304), ref: 000BAEA0
MessageBeep.USER32(00000000), ref: 000BAF11

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fde373eb6e39c88374fc3d906fbcd7cd714f8258189d12794f13f18bb8068461
Instruction ID: 8a76d4f5eee865c9ca2ed973417734ad9e4032af4272a516dfea6fc7b01ddfce
Opcode Fuzzy Hash: fde373eb6e39c88374fc3d906fbcd7cd714f8258189d12794f13f18bb8068461
Instruction Fuzzy Hash: FC415B7070011ADFDB21CF58C884AE9BBF5FF4A350F1482B9E8649B251D731E942DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00090FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00091037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00091053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 000910B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0009110B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 40434fec03c9198adca80b6eda9463695e717e114ab2c7c8c56dac35fedcdc04
Instruction ID: bf30c5403a159db93b3d13e019062efd571cdaee8787502217949acc342940fa
Opcode Fuzzy Hash: 40434fec03c9198adca80b6eda9463695e717e114ab2c7c8c56dac35fedcdc04
Instruction Fuzzy Hash: 0E313930F4468AAEFF308A658C097FDBBE9AF84310F04431AF591521D1C3B689C0A791

Uniqueness

Uniqueness Score: -1.00%

Function 00091121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00091176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00091192
PostMessageW.USER32(00000000,00000101,00000000), ref: 000911F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00091243

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7269b718c06b33049378209c883d66e626ba36c6556362f4c9fdd30a5ee29df1
Instruction ID: 17295128cf11f6d56ae666d6cabd98ef4a5da8e45448cc1cfca404ab7155632a
Opcode Fuzzy Hash: 7269b718c06b33049378209c883d66e626ba36c6556362f4c9fdd30a5ee29df1
Instruction Fuzzy Hash: 2B313830B4460EBEFF319B698C047FEBBFAAB49310F04431AF694921D1C3788955A751

Uniqueness

Uniqueness Score: -1.00%

Function 00066415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0006644B
__isleadbyte_l.LIBCMT ref: 00066479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000664A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000664DD

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3401308613c9aa91de7f1b9ce0266a7ec244c5a3afa2053d9c25b7975bb45d19
Instruction ID: 5ba41b242002e4bb6f6ec013a6c13352f48e39835f43cf422886a3bbdb6bb830
Opcode Fuzzy Hash: 3401308613c9aa91de7f1b9ce0266a7ec244c5a3afa2053d9c25b7975bb45d19
Instruction Fuzzy Hash: 9E31ED31600256AFDB218F65CC45BBA7BEAFF40360F158429E864972A1EF32E850DB90

Uniqueness

Uniqueness Score: -1.00%

Function 000B5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000B5189

Part of subcall function 0009387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00093897
Part of subcall function 0009387D: GetCurrentThreadId.KERNEL32 ref: 0009389E
Part of subcall function 0009387D: AttachThreadInput.USER32(00000000,?,000952A7), ref: 000938A5

GetCaretPos.USER32(?), ref: 000B519A
ClientToScreen.USER32(00000000,?), ref: 000B51D5
GetForegroundWindow.USER32 ref: 000B51DB

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 53ae3866c144d231b3bc0795880ecfcfae1454b26fae5a50291579f580f26662
Instruction ID: 1924a8f499b3524253cf8ad868d8f1b4417c87e386354f81c0b364a71604d97d
Opcode Fuzzy Hash: 53ae3866c144d231b3bc0795880ecfcfae1454b26fae5a50291579f580f26662
Instruction Fuzzy Hash: 94312D71900108AFDB04EFA5CC85AEFB7FDEF98300F10446AE555E7242EA759E05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000BC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

GetCursorPos.USER32(?), ref: 000BC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0006BBFB,?,?,?,?,?), ref: 000BC7D7
GetCursorPos.USER32(?), ref: 000BC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0006BBFB,?,?,?), ref: 000BC85E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f8c0ca3a9e6a9744e499a4c5add09d0869c3aa2b6f902ab582e52682add82a3f
Instruction ID: 20e07505fb245cac539f220e4452db1263c1dafd59bc30b82ed3490f40c0d2b5
Opcode Fuzzy Hash: f8c0ca3a9e6a9744e499a4c5add09d0869c3aa2b6f902ab582e52682add82a3f
Instruction Fuzzy Hash: 7A317E35600418AFEB25CF58CC98EFA7BFAEB49310F044169F9058B261CB35AD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00088B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00088652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00088669
Part of subcall function 00088652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00088673
Part of subcall function 00088652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00088682
Part of subcall function 00088652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00088689
Part of subcall function 00088652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0008869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00088BEB
_memcmp.LIBCMT ref: 00088C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00088C44
HeapFree.KERNEL32(00000000), ref: 00088C4B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 53ac9a3b5e98c5edbc1510856ba4f1caa8773a1f05b1f9447b7a57611c3a0512
Instruction ID: 209a95b1f4a4afe45ae90c0b0de54016206909fd80365fa7167fb54b271a6808
Opcode Fuzzy Hash: 53ac9a3b5e98c5edbc1510856ba4f1caa8773a1f05b1f9447b7a57611c3a0512
Instruction Fuzzy Hash: F0216971E01209EBDB10EFA4C949BEEB7F8FF44355F548459E894A7241EB31AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00050BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00050BF2

Part of subcall function 00035B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00097B20,?,?,00000000), ref: 00035B8C
Part of subcall function 00035B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00097B20,?,?,00000000,?,?), ref: 00035BB0

_fprintf.LIBCMT ref: 00050C29
OutputDebugStringW.KERNEL32(?), ref: 00086331

Part of subcall function 00054CDA: _flsall.LIBCMT ref: 00054CF3

__setmode.LIBCMT ref: 00050C5E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 43fc6a013ad9e36c35f36151678f4328bf3a12c5d66dbd606d393bcb1f15db21
Instruction ID: 645f39feb2c4d65c9732a7a43623143c620aa758b8c997c45efb23c5675af9ab
Opcode Fuzzy Hash: 43fc6a013ad9e36c35f36151678f4328bf3a12c5d66dbd606d393bcb1f15db21
Instruction Fuzzy Hash: 4D1136329046087BDB05B7B89C439FF7B6C9F46322F14411AF60457293EF611D899391

Uniqueness

Uniqueness Score: -1.00%

Function 000A1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000A1A97

Part of subcall function 000A1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000A1B40
Part of subcall function 000A1B21: InternetCloseHandle.WININET(00000000), ref: 000A1BDD

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: d261215d5f9cd3f7c478221def1e7a0e73e9adc3bc1dd699e0fb2bfca8b2a178
Instruction ID: 33ca12220878c39a65b7f28ebd64a6db40ee34501d73f8f055cd44d67de6adb7
Opcode Fuzzy Hash: d261215d5f9cd3f7c478221def1e7a0e73e9adc3bc1dd699e0fb2bfca8b2a178
Instruction Fuzzy Hash: 0A21A135244A01BFEB219FA48C01FFFB7ADFF5A701F10012AFA5196651EB71D9119BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0008E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0008F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0008E1C4,?,?,?,0008EFB7,00000000,000000EF,00000119,?,?), ref: 0008F5BC
Part of subcall function 0008F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0008F5E2
Part of subcall function 0008F5AD: lstrcmpiW.KERNEL32(00000000,?,0008E1C4,?,?,?,0008EFB7,00000000,000000EF,00000119,?,?), ref: 0008F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0008EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0008E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0008E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0008EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0008E237

Strings

cdecl, xrefs: 0008E22E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a81f969e72bb7023e39712ec730c9e5fdc273290ae20970bbef2ab8ad8b03e1d
Instruction ID: 8773889a90666ea07c6f7b7f6b439a2347e1f44662b3c3234d1b6339e4174be1
Opcode Fuzzy Hash: a81f969e72bb7023e39712ec730c9e5fdc273290ae20970bbef2ab8ad8b03e1d
Instruction Fuzzy Hash: 0411B136100341EFDB25AF74DC459BA77A8FF44310B40412AE946CB2A0EB719850C790

Uniqueness

Uniqueness Score: -1.00%

Function 00065332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00065351

Part of subcall function 0005594C: __FF_MSGBANNER.LIBCMT ref: 00055963
Part of subcall function 0005594C: __NMSG_WRITE.LIBCMT ref: 0005596A
Part of subcall function 0005594C: RtlAllocateHeap.NTDLL(00E40000,00000000,00000001,00000000,?,?,?,00051013,?), ref: 0005598F

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d3b4f9b4cebdb2d18f9ee803d9c09ab0499d0122611de08e0442bd32d1d7edb4
Instruction ID: e9762988ed41500d4bdb51da0c6cc72acba7ae54c80d94ef0738645daac9a525
Opcode Fuzzy Hash: d3b4f9b4cebdb2d18f9ee803d9c09ab0499d0122611de08e0442bd32d1d7edb4
Instruction Fuzzy Hash: ED11E732504A26AFDB312F74EC056AF37E99F10BE3F104529FD44AA292EE758B409790

Uniqueness

Uniqueness Score: -1.00%

Function 00034531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00034560

Part of subcall function 0003410D: _memset.LIBCMT ref: 0003418D
Part of subcall function 0003410D: _wcscpy.LIBCMT ref: 000341E1
Part of subcall function 0003410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000341F1

KillTimer.USER32(?,00000001,?,?), ref: 000345B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000345C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0006D6CE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 4fa64f584ea933a8aca56ab4e15dfaf75f8f8ae4ef0a3ee4a831d56cd6526a60
Instruction ID: 0446b1089a9e110732363f0e4c3b289d5e15787d46d4a072c79edada9dc4adb7
Opcode Fuzzy Hash: 4fa64f584ea933a8aca56ab4e15dfaf75f8f8ae4ef0a3ee4a831d56cd6526a60
Instruction Fuzzy Hash: 72218670D047849BE7728B24DC55BEBBBED9F11304F04009EE69E5B142C7746A849B51

Uniqueness

Uniqueness Score: -1.00%

Function 000940B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000940D1
_memset.LIBCMT ref: 000940F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00094144
CloseHandle.KERNEL32(00000000), ref: 0009414D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 2eb9b26c20440a6d7aeef1ed7152031de9c3ab9e80fc44e094a6cb554df53af2
Instruction ID: 73330d0e3db2c4e4bbf9a87c5fd5471db6ea8c4be4dae432bb79f0702bfe2583
Opcode Fuzzy Hash: 2eb9b26c20440a6d7aeef1ed7152031de9c3ab9e80fc44e094a6cb554df53af2
Instruction Fuzzy Hash: 8911AB75D013287AE7305BA59C4DFEBBBBCEF44760F1046A6F908D7180D6744E848BA4

Uniqueness

Uniqueness Score: -1.00%

Function 000A667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00035B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00097B20,?,?,00000000), ref: 00035B8C
Part of subcall function 00035B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00097B20,?,?,00000000,?,?), ref: 00035BB0

gethostbyname.WSOCK32(?,?,?), ref: 000A66AC
WSAGetLastError.WSOCK32(00000000), ref: 000A66B7
_memmove.LIBCMT ref: 000A66E4
inet_ntoa.WSOCK32(?), ref: 000A66EF

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 09e939359f2ddd68d73da47518dba15782f893556de3e20471264b9e44c354f8
Instruction ID: 5100fe0c762f1b7b7ad042ed920b119153bd189855a28a1e08b1e5f47b45e5f2
Opcode Fuzzy Hash: 09e939359f2ddd68d73da47518dba15782f893556de3e20471264b9e44c354f8
Instruction Fuzzy Hash: B5119D35500509AFCB05FBA4DD86DEEB7BCAF08311B084125F506A71A2DF30AF04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00089023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00089043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00089055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0008906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00089086

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1066c1e73024df25f97ade7d673e60851269a32b17f47f22001bc257693ef3e1
Instruction ID: 05cfa766a9f38f87f7b297f715eb5615043c67a066917a24379e6596445365c0
Opcode Fuzzy Hash: 1066c1e73024df25f97ade7d673e60851269a32b17f47f22001bc257693ef3e1
Instruction Fuzzy Hash: 8C115E79900218FFEB10EFA5CC84EEDBBB4FB48310F2040A5E944B7250D6726E10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00031290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00032612: GetWindowLongW.USER32(?,000000EB), ref: 00032623

DefDlgProcW.USER32(?,00000020,?), ref: 000312D8
GetClientRect.USER32(?,?), ref: 0006B84B
GetCursorPos.USER32(?), ref: 0006B855
ScreenToClient.USER32(?,?), ref: 0006B860

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9327069f5906bd30f152fb897e2c908e0c50b0cff2a8a19b630b81d1fc0f034d
Instruction ID: 1d55283541dd74936f2bee4e25ead946b66ef2dd79911d6d81bea3d694ea88d3
Opcode Fuzzy Hash: 9327069f5906bd30f152fb897e2c908e0c50b0cff2a8a19b630b81d1fc0f034d
Instruction Fuzzy Hash: 52110635A0011AAFDB11EFA8D8859FF77BCEB09301F100556FA11E7251CB34BA619BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00091652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000901FD,?,00091250,?,00008000), ref: 0009166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,000901FD,?,00091250,?,00008000), ref: 00091694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000901FD,?,00091250,?,00008000), ref: 0009169E
Sleep.KERNEL32(?,?,?,?,?,?,?,000901FD,?,00091250,?,00008000), ref: 000916D1

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5cdf152c73ec6a738501486ab23d6f82d99ec86c9dbc6ef87ea1a75786df073e
Instruction ID: 3665641117cab7806017a215316c6670024fe946ec7377719172469b04d1c322
Opcode Fuzzy Hash: 5cdf152c73ec6a738501486ab23d6f82d99ec86c9dbc6ef87ea1a75786df073e
Instruction Fuzzy Hash: 40115A31E0051ED7CF009FA5EC48AFEBB78FF09741F054555E940B6280CB3455609B96

Uniqueness

Uniqueness Score: -1.00%

Function 00067207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0006722B

Part of subcall function 00067912: __fltout2.LIBCMT ref: 0006793B

__cftog_l.LIBCMT ref: 00067251
__cftoe_l.LIBCMT ref: 00067283

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: bdcde39ddcbd8014d89e72f5797368d9144c5afc1899668072833b22f3a9f338
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 20014C3604814ABBCF565F94CC118EE3FA3BF69359B588615FA1C58031D237C9B5AB81

Uniqueness

Uniqueness Score: -1.00%

Function 000BB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000BB59E
ScreenToClient.USER32(?,?), ref: 000BB5B6
ScreenToClient.USER32(?,?), ref: 000BB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000BB5F5

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e29f8098295a945eff381c6d7a04ac95fb6b6fd627b6dc075a228066054acc2a
Instruction ID: 5a1a89e81d5e2250603f5d9bda0596a16b1768c44b21c01bd967dd3e03a9e00d
Opcode Fuzzy Hash: e29f8098295a945eff381c6d7a04ac95fb6b6fd627b6dc075a228066054acc2a
Instruction Fuzzy Hash: 431146B5D0020AEFDB41DF99C844AEEFBF5FB18310F108166E954E3220D775AA558F51

Uniqueness

Uniqueness Score: -1.00%

Function 000BB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000BB8FE
_memset.LIBCMT ref: 000BB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,000F7F20,000F7F64), ref: 000BB93C
CloseHandle.KERNEL32 ref: 000BB94E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: d09ca321c291fee666428af3889cd453e33ae7bc6d463104649de498a9e24e2c
Instruction ID: 1bbd6479da705d91c04af77811236eff1fc77cc6d31e254596e6697d3fa0272a
Opcode Fuzzy Hash: d09ca321c291fee666428af3889cd453e33ae7bc6d463104649de498a9e24e2c
Instruction Fuzzy Hash: C1F05EB25443047BF2102B61EC0AFBB3A9CEB08794F040031FB0CD6592D7794908D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00096E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00096E88

Part of subcall function 0009794E: _memset.LIBCMT ref: 00097983

_memmove.LIBCMT ref: 00096EAB
_memset.LIBCMT ref: 00096EB8
LeaveCriticalSection.KERNEL32(?), ref: 00096EC8

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 5deb296a23b1a7a9b85b08025d7431999fa09e5409319230c7e6c1064a5d90d6
Instruction ID: aa2cd3d9db55a03fe68f1cf71933eaffe3ecc9d37382174b31f6b6d155db9d0c
Opcode Fuzzy Hash: 5deb296a23b1a7a9b85b08025d7431999fa09e5409319230c7e6c1064a5d90d6
Instruction Fuzzy Hash: 3CF05E3A200210BBCF016F55DC85ADABB2AEF45361B08C065FE089F26BC735A911DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 000BC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000312F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0003134D
Part of subcall function 000312F3: SelectObject.GDI32(?,00000000), ref: 0003135C
Part of subcall function 000312F3: BeginPath.GDI32(?), ref: 00031373
Part of subcall function 000312F3: SelectObject.GDI32(?,00000000), ref: 0003139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000BC030
LineTo.GDI32(00000000,?,?), ref: 000BC03D
EndPath.GDI32(00000000), ref: 000BC04D
StrokePath.GDI32(00000000), ref: 000BC05B

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a31f7f9b278a4cd8c12f194bf08fbfd2ce98a1670d3b0d07b0b78957295ed48a
Instruction ID: 3055512e1d24ab839d3d6bd79bd1ca896797dfb149477bb96ed11b61e3857cbe
Opcode Fuzzy Hash: a31f7f9b278a4cd8c12f194bf08fbfd2ce98a1670d3b0d07b0b78957295ed48a
Instruction Fuzzy Hash: BDF05E3101525ABBEB226F54EC09FEE3FA9AF05311F044214FA11620E28B7A5961DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0008A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0008A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0008A3AC
GetCurrentThreadId.KERNEL32 ref: 0008A3B3
AttachThreadInput.USER32(00000000), ref: 0008A3BA

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bc323738ff6a7c7ca974632fb889824c2187de17a89efc96293334cda27354b9
Instruction ID: ef38915283022fd84106f2eaea0ffc68adeb70cb9bef212df86e2b3d51c9ac15
Opcode Fuzzy Hash: bc323738ff6a7c7ca974632fb889824c2187de17a89efc96293334cda27354b9
Instruction Fuzzy Hash: 5FE03931641328BAEB202FA2DC0CEEB3F5CFF167A1F008125F948D6460C6799A40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00032218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00032231
SetTextColor.GDI32(?,000000FF), ref: 0003223B
SetBkMode.GDI32(?,00000001), ref: 00032250
GetStockObject.GDI32(00000005), ref: 00032258
GetWindowDC.USER32(?,00000000), ref: 0006C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0006C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0006C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0006C112
GetPixel.GDI32(00000000,?,?), ref: 0006C132
ReleaseDC.USER32(?,00000000), ref: 0006C13D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 70d0af9715eaf7eba3e70823de53224e419bd7087442a4d943aa76465cfa0fe1
Instruction ID: c1b348108df1605fe4ee942b05b0e0a88af93959c924165c88dfabcf33d5abf0
Opcode Fuzzy Hash: 70d0af9715eaf7eba3e70823de53224e419bd7087442a4d943aa76465cfa0fe1
Instruction Fuzzy Hash: 11E06D32100245FAFB615F68FC0DBE83B55EB06332F008766FBA9580E187758980DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00088C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00088C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0008882E), ref: 00088C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0008882E), ref: 00088C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0008882E), ref: 00088C7E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e18bd9b7fec20c01aac5ba0ead42ea0fbd934299d923863b33b3757a5b2b35eb
Instruction ID: 58f63d702d64794073da6ea74e7e87cff5d2be9a17e009e8c29444566c50630a
Opcode Fuzzy Hash: e18bd9b7fec20c01aac5ba0ead42ea0fbd934299d923863b33b3757a5b2b35eb
Instruction Fuzzy Hash: 5AE08636642212EBE7606FB06E0CBE63BECFF54792F048938B685CB050DA388441CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00072187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00072187
GetDC.USER32(00000000), ref: 00072191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000721B1
ReleaseDC.USER32(?), ref: 000721D2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d00474187b4be451268f1353a112d482ba565acab4d61371e65454216c4f3ecf
Instruction ID: af818308b99015342b4ef4e27b96996beb6f02ada6f390f2432ffbf926e1756b
Opcode Fuzzy Hash: d00474187b4be451268f1353a112d482ba565acab4d61371e65454216c4f3ecf
Instruction Fuzzy Hash: 0DE0E575800605EFEB119FA0CC08AAD7BB5EB5C350F108525FD5AA7220CB7881419F40

Uniqueness

Uniqueness Score: -1.00%

Function 0007219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0007219B
GetDC.USER32(00000000), ref: 000721A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000721B1
ReleaseDC.USER32(?), ref: 000721D2

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fbe3feb940974870c091f1d162f400b6b57b5196b84458a18c950c853e3ec1cb
Instruction ID: 2be640d8c2ee6e7f095be74f80d5b3db4a9e5120f50268e019a556ca6108b652
Opcode Fuzzy Hash: fbe3feb940974870c091f1d162f400b6b57b5196b84458a18c950c853e3ec1cb
Instruction Fuzzy Hash: A7E0EEB5800206AFEB12AFA0CC08AAD7BA5AB4C310F108529FD5AA7220CB7891419F40

Uniqueness

Uniqueness Score: -1.00%

Function 0008B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0008B981

Strings

Container, xrefs: 0008B8FE
AutoIt3GUI, xrefs: 0008B8F9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: c192680d8b46faa285688bdb87428e7d73f77f4be04745c8cff44aef2208c336
Instruction ID: 549a86520bb64a5c6d7f1da02d43be5b7debc33143e48cad7c91806b6e37b7ed
Opcode Fuzzy Hash: c192680d8b46faa285688bdb87428e7d73f77f4be04745c8cff44aef2208c336
Instruction Fuzzy Hash: F4914A70600602DFDB64DF68C884A6ABBF9FF49710F14856EF98ADB691DB71E840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0009B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0004FEC6: _wcscpy.LIBCMT ref: 0004FEE9

Part of subcall function 00039997: __itow.LIBCMT ref: 000399C2
Part of subcall function 00039997: __swprintf.LIBCMT ref: 00039A0C

__wcsnicmp.LIBCMT ref: 0009B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0009B361

Strings

LPT, xrefs: 0009B292

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 4b12a56d1d851da4ef2f91237ff5364407c09963220b450ac087c3b016c047cc
Instruction ID: c81859d12ce613ada54eac96e184167817028d78651848b433134fe51bc92870
Opcode Fuzzy Hash: 4b12a56d1d851da4ef2f91237ff5364407c09963220b450ac087c3b016c047cc
Instruction Fuzzy Hash: 2F617075A00215AFCF14DF98D985EEEB7F4EF48320F11816AF946AB291DB70AE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00042AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00042AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00042AE1

Strings

@, xrefs: 00042AD5

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6c1fd933c3643786e40f84bd2255e9492fed75b3e6734e42aed505f798601c2a
Instruction ID: 985dab9baf243299347ef774bbdca3c1446fcaf68eb15b70cee776c7eaa5cb47
Opcode Fuzzy Hash: 6c1fd933c3643786e40f84bd2255e9492fed75b3e6734e42aed505f798601c2a
Instruction Fuzzy Hash: 58515671418B449BE321AF10DC86BABBBECFF84310F42895DF2D9510A2DB758529CB66

Uniqueness

Uniqueness Score: -1.00%

Function 000999BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0003506B: __fread_nolock.LIBCMT ref: 00035089

_wcscmp.LIBCMT ref: 00099AAE
_wcscmp.LIBCMT ref: 00099AC1

Strings

FILE, xrefs: 000999FA

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: b7656b9cf412d4d6e2297deb12bb1013a42aa58045d098dffc4cf3e49bdfcee3
Instruction ID: 56e09d65cf79e344fe747cf58bbb1be8e887c5dcfb428446658bdb230acfbd82
Opcode Fuzzy Hash: b7656b9cf412d4d6e2297deb12bb1013a42aa58045d098dffc4cf3e49bdfcee3
Instruction Fuzzy Hash: B441C671A00619BADF219EA4DC45FEFB7FDDF49710F004069BA00B7192DB75AA049BA1

Uniqueness

Uniqueness Score: -1.00%

Function 000A2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000A2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000A28C8

Strings

|, xrefs: 000A2899

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 5f349e5b53ec02f2c9c77f1e12049af262655545c3f97136d282480e23561c84
Instruction ID: 417693ffee8daafe7beade703b2fda3bb69c8bbeaeebcb33c8288366aa13bdab
Opcode Fuzzy Hash: 5f349e5b53ec02f2c9c77f1e12049af262655545c3f97136d282480e23561c84
Instruction Fuzzy Hash: 39311971800119AFDF51EFA5CC85EEEBFB9FF09300F10406AF815A6166DB315A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000B6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000B6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000B6DC2

Strings

static, xrefs: 000B6D22

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f9eb6d6c5ac7ce9d6ceef197f88429ca1d8c9ce514392d5441e669a6ab08bc54
Instruction ID: d89c6a0e88085c93b3ba82a769ccea55ac872cce1de45166044a48219d3aa9af
Opcode Fuzzy Hash: f9eb6d6c5ac7ce9d6ceef197f88429ca1d8c9ce514392d5441e669a6ab08bc54
Instruction Fuzzy Hash: E7318D71600604AEEB119F78CC80AFB77B9FF48720F108619F9A997191DA76AC91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00092D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00092E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00092E3B

Strings

0, xrefs: 00092DF9

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0aa47f0d2d59daff0188abb8ba89cedc0511e7fc7f441b1a130051b50a7538b0
Instruction ID: 8a8aeccf7c1b1500f687bd8b74f11dedca92fed555bce8563d173cf5b97958ed
Opcode Fuzzy Hash: 0aa47f0d2d59daff0188abb8ba89cedc0511e7fc7f441b1a130051b50a7538b0
Instruction Fuzzy Hash: 9931D235A00309BBEF659F58C8C5BEEBBF9FF05350F14042AED85961A1E7709984EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00040A3B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00033C26,000F62F8,?,?,?), ref: 00040ACE

Part of subcall function 00037D2C: _memmove.LIBCMT ref: 00037D66

_wcscat.LIBCMT ref: 000750E1

Strings

@e, xrefs: 00040AE8
F, xrefs: 00040ADA

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: F$@e
API String ID: 257928180-1765875470
Opcode ID: b62f4ac5e4f8e0fecaedd646bd4f08cc2341dc05d1d7508cd0f3bb48521f8eb4
Instruction ID: 1a1c0f4e9ad2249a6b12de72e2651c7240036abe54f63d7bb140f579c66fd350
Opcode Fuzzy Hash: b62f4ac5e4f8e0fecaedd646bd4f08cc2341dc05d1d7508cd0f3bb48521f8eb4
Instruction Fuzzy Hash: 2021DDB1508299AFC703DBB0CC519E97FB8EF06310B0500E6F588DB153D6789B89CB55

Uniqueness

Uniqueness Score: -1.00%

Function 000B6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000B69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000B69DB

Strings

Combobox, xrefs: 000B699D

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1114df2e24806bfcfbb3b8495235bca651f76a98fb96dc4ac7c23454d08308cd
Instruction ID: 8d4a8ea8af32b91327027607c0a7875b0372c1b3fb43637a9217ece685a2c0e1
Opcode Fuzzy Hash: 1114df2e24806bfcfbb3b8495235bca651f76a98fb96dc4ac7c23454d08308cd
Instruction Fuzzy Hash: 3011C4717102096FEF519F14CC80EFB37AEEB993A4F110125F9589B291D67A9C5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 000B6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00031D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00031D73
Part of subcall function 00031D35: GetStockObject.GDI32(00000011), ref: 00031D87
Part of subcall function 00031D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00031D91

GetWindowRect.USER32(00000000,?), ref: 000B6EE0
GetSysColor.USER32(00000012), ref: 000B6EFA

Strings

static, xrefs: 000B6EBD

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: cafb6bff7878cd8ef5cc2bf8db23aca576c7f09669a8ce137c633f653e9833bc
Instruction ID: 2598736b974dc7136acf063af6509e5a973b20024253bfca4375b14892e321e0
Opcode Fuzzy Hash: cafb6bff7878cd8ef5cc2bf8db23aca576c7f09669a8ce137c633f653e9833bc
Instruction Fuzzy Hash: C121177261020AAFDB04DFA8DD45AFA7BA8EB08314F004629F955E3250D679E861DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000B6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000B6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000B6C20

Strings

edit, xrefs: 000B6BF5

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5e5eb392602ca407a2da06e7177f01ac55819fda74b1ce51ab74e8a5cf02994a
Instruction ID: 7ea7db4055731e065a3d8113bfbaa4adc72fc639c0a05757cf04cb96840550ba
Opcode Fuzzy Hash: 5e5eb392602ca407a2da06e7177f01ac55819fda74b1ce51ab74e8a5cf02994a
Instruction Fuzzy Hash: 48118C71501208ABEB619E64DC41EFB3BA9EB05378F204724FA65D71E0C77ADC919B60

Uniqueness

Uniqueness Score: -1.00%

Function 00092E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00092F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00092F30

Strings

0, xrefs: 00092F07

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 20474361e0ced911447d7d27c984ae35308762063a7ae5705ca6062960277ca0
Instruction ID: 7b65f41d1fd44ccaa9b075f30767bae01cc074b55d6dfd7d4af094b28a33b44d
Opcode Fuzzy Hash: 20474361e0ced911447d7d27c984ae35308762063a7ae5705ca6062960277ca0
Instruction Fuzzy Hash: 5011BF31901218BBDF61EB58DC48BAE77F9EB05350F1901B5E954A72B0DBB0EE04EB91

Uniqueness

Uniqueness Score: -1.00%

Function 000A24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000A2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000A2549

Strings

<local>, xrefs: 000A2511

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 84c778a79698324a3ef00c558a6a9550e723c401bcf6ffe8d55ad9b7b15fd749
Instruction ID: beae4166214e43e57dceb32117a2cd39cde53552fd77d8f1593c3b10369e995f
Opcode Fuzzy Hash: 84c778a79698324a3ef00c558a6a9550e723c401bcf6ffe8d55ad9b7b15fd749
Instruction Fuzzy Hash: 5211E370900625BEDB249FA98C98EFBFFA8FB07751F10823AF50546040D6706990D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 000A80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000A830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,000A80C8,?,00000000,?,?), ref: 000A8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000A80CB
htons.WSOCK32(00000000,?,00000000), ref: 000A8108

Strings

255.255.255.255, xrefs: 000A80E3

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: d6b37570283802011ca51f3aac4488e10514c1b9fc75f9823521d66bd3f0c9d3
Instruction ID: 51f5b92eaa21212fcc2fd5483fa2a8e529ebd09dd2e52d5adfd0bc3da3fd31f8
Opcode Fuzzy Hash: d6b37570283802011ca51f3aac4488e10514c1b9fc75f9823521d66bd3f0c9d3
Instruction Fuzzy Hash: 5811A135604205ABDB20AFA4CC46FFDB778FF06320F10866AFA1197292DA72A915C795

Uniqueness

Uniqueness Score: -1.00%

Function 000892E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 0008B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0008B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00089355

Strings

ListBox, xrefs: 0008931F
ComboBox, xrefs: 000892F4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b69749d643c5cac827e6bd0cdd57038e5394569845d61365cd5610214839af51
Instruction ID: bdeda7b72c882a752ef276a35fccacf02f66d9e5fc21e29eb74cb732123703bc
Opcode Fuzzy Hash: b69749d643c5cac827e6bd0cdd57038e5394569845d61365cd5610214839af51
Instruction Fuzzy Hash: A601F171A01215ABCB15FBA1CC918FE77ADBF06320B180719F9B26B2D2DB3159089750

Uniqueness

Uniqueness Score: -1.00%

Function 000891DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 0008B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0008B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0008924D

Strings

ListBox, xrefs: 00089217
ComboBox, xrefs: 000891EC

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: de4b1f28772480d77eff353331af92643862b750ca5097bb1f0cd46f4f2a7537
Instruction ID: dd91a34d13248f4817073330fd93111975b1896b613ed9bfa26c291825042e53
Opcode Fuzzy Hash: de4b1f28772480d77eff353331af92643862b750ca5097bb1f0cd46f4f2a7537
Instruction Fuzzy Hash: C101A771A411057BCB15FBA1CD92DFF77ACAF05300F180129B95667292EA156F0C97B1

Uniqueness

Uniqueness Score: -1.00%

Function 00089264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00037F41: _memmove.LIBCMT ref: 00037F82

Part of subcall function 0008B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0008B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 000892D0

Strings

ListBox, xrefs: 0008929C
ComboBox, xrefs: 00089271

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2b33be3d971c520e0130f6817c522111ad3853a95e1c61bfca2d6909d69baf65
Instruction ID: e2cde8c18542d178ee5a65d57b5fe280f18ee95ba6feda755b5148a93cb8ba81
Opcode Fuzzy Hash: 2b33be3d971c520e0130f6817c522111ad3853a95e1c61bfca2d6909d69baf65
Instruction Fuzzy Hash: 2601A2B1A411097BCB15FBA1CD92EFF77ACAF11300F280125B95267293DA255E089772

Uniqueness

Uniqueness Score: -1.00%

Function 000951CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000951E8
_wcscmp.LIBCMT ref: 000951FA

Strings

#32770, xrefs: 000951F4

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: fef249eaf7550dd20bc18cb97565e4ad7a6286aaab793e1fe9d93824ae10b416
Instruction ID: 536ab448f361bfc3a472b44dab481382cbe4647673cfa1ceab74d44c056ad8c4
Opcode Fuzzy Hash: fef249eaf7550dd20bc18cb97565e4ad7a6286aaab793e1fe9d93824ae10b416
Instruction Fuzzy Hash: DBE02B32A0422D1AE72097999C09BA7F7ACEB45761F00015AFD14D3040D560990487D1

Uniqueness

Uniqueness Score: -1.00%

Function 000881BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000881CA

Part of subcall function 00053598: _doexit.LIBCMT ref: 000535A2

Strings

Error allocating memory., xrefs: 000881C3
AutoIt, xrefs: 000881BE

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: efbf4872664b3f9f96e9b26ae5c1c149986b269a3de27009829e06e0df9dc683
Instruction ID: f53aba1ab00179b5579266ed92e5b67558dc30dac5c6de225daa909195d96327
Opcode Fuzzy Hash: efbf4872664b3f9f96e9b26ae5c1c149986b269a3de27009829e06e0df9dc683
Instruction Fuzzy Hash: CCD05B323C535836D21533A56C0BFCA768C4B05F52F004425FF08995D38ED5559143D9

Uniqueness

Uniqueness Score: -1.00%

Function 0006B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0006B564: _memset.LIBCMT ref: 0006B571

Part of subcall function 00050B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0006B540,?,?,?,0003100A), ref: 00050B89

IsDebuggerPresent.KERNEL32(?,?,?,0003100A), ref: 0006B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0003100A), ref: 0006B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0006B54E

Memory Dump Source

Source File: 00000001.00000002.2123318637.0000000000031000.00000020.00000001.01000000.00000003.sdmp, Offset: 00030000, based on PE: true

Associated: 00000001.00000002.2123206651.0000000000030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123386271.00000000000E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123452613.00000000000EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2123472981.00000000000F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30000_Arba Outstanding Statement.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 8657cae3f214637b271308446ef21c355d40b78c30fddc9a72e2d9515eed138b
Instruction ID: bd24e3a944cfaa3feec685096165bb4528002584fb49bc6106368108343008cf
Opcode Fuzzy Hash: 8657cae3f214637b271308446ef21c355d40b78c30fddc9a72e2d9515eed138b
Instruction Fuzzy Hash: FAE092B0200B118FE361DF28D9043D67BE4AF00704F008A2DE846C7761E7B9D444CB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arba Outstanding Statement.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Idonna

C:\Users\user\AppData\Local\Temp\aut8131.tmp

C:\Users\user\AppData\Local\Temp\aut8181.tmp

C:\Users\user\AppData\Local\Temp\reaffection

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Arba Outstanding Statement.exe

Function 00033B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00034AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00034FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 000993DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 000371EB Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 00033015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00033A58 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00033041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00033633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00033778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00D42620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 000339E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0003F8CF Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Function 00D42410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Function 0003410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre