Edit tour

Windows Analysis Report
PDT_7367027738832_789257820__________________________.exe

Overview

General Information

Sample name:	PDT_7367027738832_789257820__________________________.exe
Analysis ID:	1430156
MD5:	656aeda4f4a3ad9555f6d88c74fc0705
SHA1:	3da5e7c273689cb837de918b39c2650484cd342e
SHA256:	a3f5e3e9e01fdd51293410aa65759c2ea0ba6fd96860b6b9e9e0cea139f4d939
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PDT_7367027738832_789257820__________________________.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe" MD5: 656AEDA4F4A3AD9555F6D88C74FC0705)

RegSvcs.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "obinosky411@worlorderbillions.top", "Password": "##z$P{dTygVX                  "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2931527386.000000000292A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33507:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33579:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33603:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33695:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ff:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33771:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33807:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33897:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PDT_7367027738832_789257820__________________________.exe PID: 7440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PDT_7367027738832_789257820__________________________.exe PID: 7440	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7456	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31707:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31779:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31803:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31895:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318ff:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31971:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a07:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a97:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33507:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33579:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33603:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33695:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ff:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33771:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33807:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33897:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33507:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33579:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33603:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33695:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336ff:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33771:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33807:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33897:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe", CommandLine: "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe, NewProcessName: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe, OriginalFileName: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe", ProcessId: 7440, ProcessName: PDT_7367027738832_789257820__________________________.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.244.151.84, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7456, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "obinosky411@worlorderbillions.top", "Password": "##z$P{dTygVX "}

Multi AV Scanner detection for domain / URL

Source: worlorderbillions.top	Virustotal: Detection: 11%	Perma Link
Source: mail.worlorderbillions.top	Virustotal: Detection: 13%	Perma Link
Source: http://worlorderbillions.top	Virustotal: Detection: 11%	Perma Link
Source: http://mail.worlorderbillions.top	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: PDT_7367027738832_789257820__________________________.exe	ReversingLabs: Detection: 34%
Source: PDT_7367027738832_789257820__________________________.exe	Virustotal: Detection: 28%			Perma Link

Machine Learning detection for sample

Source: PDT_7367027738832_789257820__________________________.exe

Joe Sandbox ML: detected

Source: PDT_7367027738832_789257820__________________________.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1675128600.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1672898745.0000000003810000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1675128600.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1672898745.0000000003810000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00774696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00774696
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077C93C FindFirstFileW,FindClose,	0_2_0077C93C
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0077C9C7
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0077F200
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0077F35D
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0077F65E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00773A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00773A2B
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00773D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00773D4E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0077BF27

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.244.151.84:587

Source: Joe Sandbox View	IP Address: 185.244.151.84 185.244.151.84
Source: Joe Sandbox View	IP Address: 185.244.151.84 185.244.151.84

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 185.244.151.84:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_007825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007825E2

Source: unknown

DNS traffic detected: queries for: mail.worlorderbillions.top

Source: RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2931383440.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000001.00000002.2933163333.0000000005C81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000001.00000002.2933163333.0000000005C7C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2931383440.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.worlorderbillions.top
Source: RegSvcs.exe, 00000001.00000002.2933163333.0000000005C7C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2931383440.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://worlorderbillions.top
Source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, cPKWk.cs

.Net Code: ALVOhGvF

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0078425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0078425A

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00784458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00784458

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

0_2_0078425A

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00770219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00770219

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0079CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0079CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00713B4C
Source: PDT_7367027738832_789257820__________________________.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000000.1662330367.00000000007C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c1ba35a3-8
Source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000000.1662330367.00000000007C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fdde1edc-f
Source: PDT_7367027738832_789257820__________________________.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_00b06ef5-f
Source: PDT_7367027738832_789257820__________________________.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1189c212-4

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00774021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00774021

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00768858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00768858

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0077545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0077545F

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0071E800	0_2_0071E800
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073DBB5	0_2_0073DBB5
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0071E060	0_2_0071E060
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0079804A	0_2_0079804A
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00724140	0_2_00724140
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00732405	0_2_00732405
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00746522	0_2_00746522
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0074267E	0_2_0074267E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00790665	0_2_00790665
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00726843	0_2_00726843
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073283A	0_2_0073283A
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_007489DF	0_2_007489DF
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00728A0E	0_2_00728A0E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00790AE2	0_2_00790AE2
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00746A94	0_2_00746A94
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00778B13	0_2_00778B13
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0076EB07	0_2_0076EB07
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073CD61	0_2_0073CD61
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00747006	0_2_00747006
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0072710E	0_2_0072710E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00723190	0_2_00723190
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00711287	0_2_00711287
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_007333C7	0_2_007333C7
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073F419	0_2_0073F419
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_007316C4	0_2_007316C4
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00725680	0_2_00725680
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_007378D3	0_2_007378D3
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_007258C0	0_2_007258C0
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00731BB8	0_2_00731BB8
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00749D05	0_2_00749D05
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0071FE40	0_2_0071FE40
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073BFE6	0_2_0073BFE6
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00731FD0	0_2_00731FD0
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_009F3670	0_2_009F3670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D89370	1_2_00D89370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D84A98	1_2_00D84A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D89B30	1_2_00D89B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D83E80	1_2_00D83E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D8CE80	1_2_00D8CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D841C8	1_2_00D841C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E7BCF8	1_2_05E7BCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E7DC9D	1_2_05E7DC9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E73F40	1_2_05E73F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E756D0	1_2_05E756D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E70040	1_2_05E70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E78B90	1_2_05E78B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E72AF8	1_2_05E72AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E79AD0	1_2_05E79AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E74FF0	1_2_05E74FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E73238	1_2_05E73238

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: String function: 00730D27 appears 70 times
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: String function: 00717F41 appears 35 times
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: String function: 00738B40 appears 42 times

Source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1672898745.0000000003933000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PDT_7367027738832_789257820__________________________.exe
Source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1673063118.0000000003ADD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PDT_7367027738832_789257820__________________________.exe
Source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7cd24d27-165d-4f93-b261-279cc8948863.exe4 vs PDT_7367027738832_789257820__________________________.exe

Source: PDT_7367027738832_789257820__________________________.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0077A2D5 GetLastError,FormatMessageW,

0_2_0077A2D5

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00768713 AdjustTokenPrivileges,CloseHandle,		0_2_00768713
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00768CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00768CC3

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0077B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0077B59E

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0078F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0078F121

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0077C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0077C602

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00714FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00714FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

File created: C:\Users\user\AppData\Local\Temp\aut6466.tmp

Jump to behavior

Source: PDT_7367027738832_789257820__________________________.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PDT_7367027738832_789257820__________________________.exe	ReversingLabs: Detection: 34%
Source: PDT_7367027738832_789257820__________________________.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: PDT_7367027738832_789257820__________________________.exe

Static file information: File size 1091584 > 1048576

Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PDT_7367027738832_789257820__________________________.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1675128600.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1672898745.0000000003810000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1675128600.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, PDT_7367027738832_789257820__________________________.exe, 00000000.00000003.1672898745.0000000003810000.00000004.00001000.00020000.00000000.sdmp

Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PDT_7367027738832_789257820__________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0078C304 LoadLibraryA,GetProcAddress,

0_2_0078C304

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0071C590 push eax; retn 0071h	0_2_0071C599
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00778719 push FFFFFF8Bh; iretd	0_2_0077871B
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073E94F push edi; ret	0_2_0073E951
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073EA68 push esi; ret	0_2_0073EA6A
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00738B85 push ecx; ret	0_2_00738B98
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073EC43 push esi; ret	0_2_0073EC45
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073ED2C push edi; ret	0_2_0073ED2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05E73AD7 push ebx; retf	1_2_05E73ADA

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00714A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00714A35
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_007955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007955FD

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_007333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_007333C7

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6998			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 721			Jump to behavior

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98481

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00774696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00774696
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077C93C FindFirstFileW,FindClose,	0_2_0077C93C
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0077C9C7
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0077F200
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0077F35D
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0077F65E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00773A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00773A2B
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00773D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00773D4E
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0077BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0077BF27

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00714AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00714AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98763	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

API call chain: ExitProcess graph end node

graph_0-97882

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_007841FD BlockInput,

0_2_007841FD

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00713B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00713B4C

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00745CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00745CCC

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0078C304 LoadLibraryA,GetProcAddress,

0_2_0078C304

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_009F3500 mov eax, dword ptr fs:[00000030h]	0_2_009F3500
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_009F3560 mov eax, dword ptr fs:[00000030h]	0_2_009F3560
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_009F1ED0 mov eax, dword ptr fs:[00000030h]	0_2_009F1ED0

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_007681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_007681F7

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073A364 SetUnhandledExceptionFilter,		0_2_0073A364
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_0073A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0073A395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8FF008

Jump to behavior

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00768C93 LogonUserW,

0_2_00768C93

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00713B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00713B4C

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00714A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00714A35

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00774EF5 mouse_event,

0_2_00774EF5

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

0_2_007681F7

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00774C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00774C03

Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0073886B cpuid

0_2_0073886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_007450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_007450D7

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00752230 GetUserNameW,

0_2_00752230

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_0074418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0074418A

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe

Code function: 0_2_00714AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00714AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2931527386.000000000292A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDT_7367027738832_789257820__________________________.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7456, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: WIN_81
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: WIN_XP
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: WIN_XPe
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: WIN_VISTA
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: WIN_7
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: WIN_8
Source: PDT_7367027738832_789257820__________________________.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDT_7367027738832_789257820__________________________.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7456, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PDT_7367027738832_789257820__________________________.exe.1080000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2931527386.000000000292A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PDT_7367027738832_789257820__________________________.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7456, type: MEMORYSTR

Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00786596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00786596
Source: C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe	Code function: 0_2_00786A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00786A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PDT_7367027738832_789257820__________________________.exe	34%	ReversingLabs	Win32.Trojan.Strab
PDT_7367027738832_789257820__________________________.exe	29%	Virustotal		Browse
PDT_7367027738832_789257820__________________________.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
worlorderbillions.top	12%	Virustotal		Browse
mail.worlorderbillions.top	13%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://worlorderbillions.top	12%	Virustotal		Browse
http://mail.worlorderbillions.top	13%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
worlorderbillions.top	185.244.151.84	true	false	12%, Virustotal, Browse	unknown
mail.worlorderbillions.top	unknown	unknown	true	13%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com/CPS0	RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2933163333.0000000005C40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.worlorderbillions.top	RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp	false	13%, Virustotal, Browse	unknown
https://account.dyn.com/	PDT_7367027738832_789257820__________________________.exe, 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://worlorderbillions.top	RegSvcs.exe, 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.151.84	worlorderbillions.top	Netherlands		60117	HSAE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430156
Start date and time:	2024-04-23 08:29:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDT_7367027738832_789257820__________________________.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:30:18	API Interceptor	38x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.151.84	https://apiservices.krxd.net/click_tracker/track?kxconfid=whjxbtb0h&_knopii=1&kxcampaignid=P.C.C-Class.W206.L.MI&kxplacementid=module2findmycar&kxbrand=MB&clk=http://WMUHS.penseldraget.com/?email=projectassistant@gheenirrigation.com	Get hash	malicious	HTMLPhisher	Browse	wmuhs.penseldraget.com/?email=projectassistant@gheenirrigation.com&_knopii=1
	https://sites.google.com/view/man-energy-solutions/halaman-muka	Get hash	malicious	HTMLPhisher	Browse	man-energy-solution.duerbcek.com/
	https://sites.google.com/view/asiatic-lloyd-maritime-llp/halaman-muka	Get hash	malicious	HTMLPhisher	Browse	asiatic-lloyd-maritime.duerbcek.com/
	https://sites.google.com/view/dnvlimited/halaman-muka	Get hash	malicious	Unknown	Browse	dnv-limited.duerbcek.com/
	https://veolia-dot-yamm-track.appspot.com/Redirect?ukey=1rYd-S6h21KvcEPO5BLkBWp1KOKV2-Rm-t86fM2DfnMk-177924590&key=YAMMID-18720160&link=http%3A%2F%2Fthrh.tumyphie.com%2F	Get hash	malicious	Unknown	Browse	thrh.tumyphie.com/
	http://mollkiss.mekythkit.online	Get hash	malicious	Unknown	Browse	mollkiss.mekythkit.online/
	Friday_ February 5th_ 2021 64427 a.m._ 20210205064427.64791275BD060468@juidine.com.html	Get hash	malicious	HTMLPhisher	Browse	185.244.151.84/cgi-sys/suspendedpage.cgi
	Thursday, February 4th, 2021 103440 p.m., 20210204223440.464D4D4AD1BFDE50@juidine.com.html	Get hash	malicious	HTMLPhisher	Browse	185.244.151.84/cgi-sys/suspendedpage.cgi
	Adjunto-30.doc	Get hash	malicious	Unknown	Browse	alkamefood.com/y/P/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HSAE	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.1274.17126.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	WZM.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	z1RFQ20838_CMC_RITM50736681.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	https://doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/downloadsdownloadfile/dwnl_standart.php	Get hash	malicious	LummaC, PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	194.36.191.196
	BOQ- AE20003 0084 20240408 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	a9wJzPSyH4.exe	Get hash	malicious	AgentTesla	Browse	185.198.59.26
	4938730).vbs	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	194.36.191.196
	PI-23-24-041 AEH-CIPL 6-202424-014 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	CFD.exe	Get hash	malicious	AgentTesla	Browse	185.198.59.26

Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
File Type:	data
Category:	dropped
Size (bytes):	135338
Entropy (8bit):	7.871118629471488
Encrypted:	false
SSDEEP:	3072:ipkcINbb1VFJVkkJUg5Ljhikp84+QHFE5nXCIm:+9ibxJN5Zikpr+aFE5nXC/
MD5:	EFB3F6DF1F295F481622D7C5CCB1A932
SHA1:	473BE1EA16F0E39EDEFFD1551E78D43B5C355B49
SHA-256:	F3B26F7DFD82154F3F813973AE6F44739997DB8395EEA32D93B490CE34F3ABCD
SHA-512:	F03FE97A58136159F0A908EF793BFF90042035F0EA8450FF21FABE9E2551B6E5B6A0C1629229574D7A969CABC9A9663A0B1D147C688C1DD2ABFCD2896D1FEF8E
Malicious:	false
Reputation:	low
Preview:	EA06......t....0..k.~..q0..* .D.sx.....8...;..D._.T~...G.9.e"0YL.I.......Yx.Tj.j..!3.^$.Z.b.7.Ea..v.\....]...0.%b.\|.N...5.N......V..&s..B.A.W..1..V.....Q....... ..P..y..fk.....'`.X.U.....0..@..D. ....#.\uJ....~...^....hkuy..'.....P...N.........z$.s,..-....a..3 0.....Ng....E3..........'...J..Q.......i-..&.....@A,..G.r.....`..A......ra..V...D.`.,Pk ......e.\.#.......t.7.E..n.S....}4..:....(rN.V5.....w^.E..5.d.....k.MN.5L..+........`.....)..#.j.....G}V..6.{.M.....w..@....~.g0.k.7...V(.{./.D.t's..^.@..&..\.X.V\|.-].....3^/.....nv..._.Qi....m..........._.......L.2....6..&.....P....`.B2.([......<.."......O..l..".i.C.gC.q.N.9.u.W..d2.....k..0....-r...>M:a....}.f...O/.)}.e6.C.....y5.....}r.rq.....R.O..:.6...k...\[...q.\|Z.k..R.....i.....Q.... s..s......8.Q.vv...6sQ....$...P..J4.!... .u........6..@..4..#..jW...0..5.J@.qG......^a=.Lk3......D.U.tv.X..k.vey.V..._.Th5.$:s8.I.q..];.....].3.P........Nf@d.B......ub5...j...`.x......1..1@.....!.}5ZM..r.-...(

C:\Users\user\AppData\Local\Temp\aut6503.tmp

Download File

Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
File Type:	data
Category:	dropped
Size (bytes):	9886
Entropy (8bit):	7.593008664383745
Encrypted:	false
SSDEEP:	192:m+cKsSwxOCyTkff82lMdISQUNa53yJuldkiXkXA+rh+8E+h+Zo:97sSwcHkHUOSQl3yJulOiqA+rh+C0o
MD5:	E7A18870DAC517F366A3B35945EA763D
SHA1:	E37E4AB421336A306C8BF3FE37C2AAC3F5791DA0
SHA-256:	A5FCC71230508F95FDB9F77DFB5CA8B616D1652E6C42B15D319F2EE006B2ECCB
SHA-512:	BEFA9FB462D1A2F50B07429DF6AA58C3FAA345324E7E41B6D446F47FB1EF2980053F59B00D13C7296B777978D31CE61B4A5A847E412F3F7440A611A01CFEB48C
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\electicism

Download File

Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.542100914255066
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+I76Md4vfF3if6gyT:wiTZ+2QoioGRk6ZklputwjpjBkCiw2R2
MD5:	71E8B5EE10AAB19739C4A526BC2620C6
SHA1:	CD1B7C9CB9219B95B81833CFA6F35BA65D7B3A6B
SHA-256:	EEBBB96329FC3131CAAAE40992740BAB13470256BBDAB06670DB75218EDEEE57
SHA-512:	2986E1302A07B508EE8CF37F69D758984A88DEB082A4FF0AF1E9D514F6925DF3A8EC1B5AEFF0B8658E0C9D9C713CABBDCF0D72405470B7D989E0BB7628F63EDB
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\phytographical

Download File

Process:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.3048884803521394
Encrypted:	false
SSDEEP:	6144:ImmywGQmmmmWOLMmmmhRgXQoGnbcP0DXj7wzehurtmtkzy7jyj30RKkyTs/Cxo4V:ImmywGQmmmmWOLMmmm7gXQoGnbcP0DTA
MD5:	F2B44F628F3C6B12A36358D27BDC4903
SHA1:	E017AFC451E195DA46C0E8A0FB35069860C4AB53
SHA-256:	6E595FE5D6A709AAFE767B31475F2E31BA95E201B8CD2B889B6108E2E87C37CC
SHA-512:	525583DA03C904195A9E2E026D5E2A1232B15F7A2FB026BA051B64ACC9C8AE16735272ADCAD9EA229EC0438EF3DBFE5E4D468FB131B5C67E331FB360B7094883
Malicious:	false
Reputation:	low
Preview:	...9;0Y0UAXW..80.0QAXW09x0Y0QAXW0980Y0QAXW0980Y0QAXW0980Y0QA.W096/.>Q.Q...9\|...)1$.IJ_>B0,x4QWV_-.3$x%EW.Y7....w]V\Uw=\K\|W0980Y0..XW\|8;0..p'XW0980Y0.AZV;830Y.RAX_0980Y0..[W0.80Y.RAXWp98.Y0QCXW4980Y0QA\W0980Y0QA\W0;80Y0QAZWp.80I0QQXW09(0Y QAXW09(0Y0QAXW0980..RA.W098.Z0.DXW0980Y0QAXW0980Y0Q.[W<980Y0QAXW0980Y0QAXW0980Y0QAXW0980Y0QAXW0980Y0QAXW098.Y0YAXW0980Y0QAPw09p0Y0QAXW0980wD49,W09l.Z0QaXW0.;0Y2QAXW0980Y0QAXW.98PwB"3;W09~5Y0Q.[W0?80Y.RAXW0980Y0QAXWp98pwB4-740940Y0Q.[W0;80Y.RAXW0980Y0QAXWp98rY0QAXW0980Y0QAXW..;0Y0QA.W09:0\0..ZW..90Z0QAYW0?80Y0QAXW0980Y0QAXW0980Y0QAXW0980Y0QAXW0980Y0QAXW-........3Z7...&.T.+..I..W.%.C$....U.....~EW..W.6....X...L.8\IP.....PRA_). .6Y.D....j.Mx{.6?.".F..^We.~....z...XDg`..D..;8].Y@)\4o.6VXJY.2.@XW09........YAsjt3^_lEHo....eS .....'0QA<W09J0Y00AXWw98060QA6W09F0Y0/AXWv980.0QAoW09.0Y0<AXW.980'0QA.?6...Y".W0980l..q.:...o....aA.Fk;....3.r.j\c.N0.Gztw.._.<\|./b26r..P1?<5[7UBTj>r...SE\R2><3U._.........h..A....J.=XW0980.0Q.XW0..0.0QA.W.9..Y0Q..W.9.0..A

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.924475110769334
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PDT_7367027738832_789257820__________________________.exe
File size:	1'091'584 bytes
MD5:	656aeda4f4a3ad9555f6d88c74fc0705
SHA1:	3da5e7c273689cb837de918b39c2650484cd342e
SHA256:	a3f5e3e9e01fdd51293410aa65759c2ea0ba6fd96860b6b9e9e0cea139f4d939
SHA512:	d9300bdd48c28c8f148595c6db9dcb20ee19f2f44c524f73f7af1037ca36ecaf239a124ec193143ef76611fd8dbb9f21ff2d456c626865d81ad5ed28dd6e40e3
SSDEEP:	24576:BAHnh+eWsN3skA4RV1Hom2KXMmHa5a/M0IQe5:Yh+ZkldoPK8Ya5a/M06
TLSH:	F7359C3263918325FFAB9E73DB5DB20D56BC6D250123852FD29C2F79A9F01B1122D263
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66269698 [Mon Apr 22 16:55:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F7C248769EDh
jmp 00007F7C248697A4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7C2486992Ah
cmp edi, eax
jc 00007F7C24869C8Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F7C24869929h
rep movsb
jmp 00007F7C24869C3Ch
cmp ecx, 00000080h
jc 00007F7C24869AF4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7C24869930h
bt dword ptr [004BF324h], 01h
jc 00007F7C24869E00h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F7C24869ACDh
test edi, 00000003h
jne 00007F7C24869ADEh
test esi, 00000003h
jne 00007F7C24869ABDh
bt edi, 02h
jnc 00007F7C2486992Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7C24869933h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7C24869985h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x401a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x401a8	0x40200	2f7019fca6c4ccb25f7514f6cdc8adc6	False	0.7242819505360624	data	7.205323090449387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.046891636105524666
RT_MENU	0xd8ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd95dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd9c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xda0f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda6f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdad50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdb1b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdb310	0x2c94a	data			1.0003614418242954
RT_GROUP_ICON	0x107c5c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x107c70	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x107c84	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x107c98	0x14	data	English	Great Britain	1.25
RT_VERSION	0x107cac	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x107db8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:30:19.790730000 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:19.984821081 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:19.984921932 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.098953962 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.100081921 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.294198990 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.294487953 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.489701986 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.537491083 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.561920881 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.762624979 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.762651920 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.762664080 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.762680054 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.762744904 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.762911081 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.764276981 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:21.793900967 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:21.988174915 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:22.004837990 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:22.198937893 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:22.206438065 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:22.400878906 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:22.401338100 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:22.601835012 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:22.602121115 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:22.796298981 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:22.796678066 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:23.001673937 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.002171993 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:23.196013927 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.196806908 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:23.196868896 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:23.196894884 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:23.196918011 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:30:23.391283035 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.391304016 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.391314030 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.391381025 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.397314072 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:30:23.443773031 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:32:00.472084999 CEST	49730	587	192.168.2.4	185.244.151.84
Apr 23, 2024 08:32:00.666809082 CEST	587	49730	185.244.151.84	192.168.2.4
Apr 23, 2024 08:32:00.673512936 CEST	49730	587	192.168.2.4	185.244.151.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:30:19.303746939 CEST	63169	53	192.168.2.4	1.1.1.1
Apr 23, 2024 08:30:19.782093048 CEST	53	63169	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 08:30:19.303746939 CEST	192.168.2.4	1.1.1.1	0x8c33	Standard query (0)	mail.worlorderbillions.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 08:30:19.782093048 CEST	1.1.1.1	192.168.2.4	0x8c33	No error (0)	mail.worlorderbillions.top	worlorderbillions.top		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 08:30:19.782093048 CEST	1.1.1.1	192.168.2.4	0x8c33	No error (0)	worlorderbillions.top		185.244.151.84	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 23, 2024 08:30:21.098953962 CEST	587	49730	185.244.151.84	192.168.2.4	220-hosting2.ro.hostsailor.com ESMTP Exim 4.96.2 #2 Tue, 23 Apr 2024 08:30:20 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 23, 2024 08:30:21.100081921 CEST	49730	587	192.168.2.4	185.244.151.84	EHLO 141700
Apr 23, 2024 08:30:21.294198990 CEST	587	49730	185.244.151.84	192.168.2.4	250-hosting2.ro.hostsailor.com Hello 141700 [154.16.192.163] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Apr 23, 2024 08:30:21.294487953 CEST	49730	587	192.168.2.4	185.244.151.84	STARTTLS
Apr 23, 2024 08:30:21.489701986 CEST	587	49730	185.244.151.84	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	08:30:15
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"
Imagebase:	0x710000
File size:	1'091'584 bytes
MD5 hash:	656AEDA4F4A3AD9555F6D88C74FC0705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1677527485.0000000001080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:30:16
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PDT_7367027738832_789257820__________________________.exe"
Imagebase:	0x670000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2931527386.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2931527386.000000000292A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2930664399.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2931527386.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	175

Executed Functions

Function 00713B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00713B7A
IsDebuggerPresent.KERNEL32 ref: 00713B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,007D62F8,007D62E0,?,?), ref: 00713BFD

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

Part of subcall function 00720A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00713C26,007D62F8,?,?,?), ref: 00720ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00713C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007C93F0,00000010), ref: 0074D4BC
SetCurrentDirectoryW.KERNEL32(?,007D62F8,?,?,?), ref: 0074D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007C5D40,007D62F8,?,?,?), ref: 0074D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0074D581

Part of subcall function 00713A58: GetSysColorBrush.USER32(0000000F), ref: 00713A62
Part of subcall function 00713A58: LoadCursorW.USER32(00000000,00007F00), ref: 00713A71
Part of subcall function 00713A58: LoadIconW.USER32(00000063), ref: 00713A88
Part of subcall function 00713A58: LoadIconW.USER32(000000A4), ref: 00713A9A
Part of subcall function 00713A58: LoadIconW.USER32(000000A2), ref: 00713AAC
Part of subcall function 00713A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00713AD2
Part of subcall function 00713A58: RegisterClassExW.USER32(?), ref: 00713B28

Part of subcall function 007139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00713A15
Part of subcall function 007139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00713A36
Part of subcall function 007139E7: ShowWindow.USER32(00000000,?,?), ref: 00713A4A
Part of subcall function 007139E7: ShowWindow.USER32(00000000,?,?), ref: 00713A53

Part of subcall function 007143DB: _memset.LIBCMT ref: 00714401
Part of subcall function 007143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007144A6

Strings

%z, xrefs: 00713C56
runas, xrefs: 0074D575
This is a third-party compiled AutoIt script., xrefs: 0074D4B4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%z
API String ID: 529118366-412178647
Opcode ID: 28f5b364ab1f4d93e3b5b2c4968fcf2e7d5393d2ffc8bbad736d36781781dcee
Instruction ID: a710e1dc1a0d195148d162b0a338e8b5cde69ada62a8c4dfe2d0b56e8ee05086
Opcode Fuzzy Hash: 28f5b364ab1f4d93e3b5b2c4968fcf2e7d5393d2ffc8bbad736d36781781dcee
Instruction Fuzzy Hash: 2851DB70905288EACF15AFB8DC0AEED7B75BF04700F04817AF451A21E2DB7C5A86CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00714FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00714EEE,?,?,00000000,00000000), ref: 00714FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00714EEE,?,?,00000000,00000000), ref: 00715010
LoadResource.KERNEL32(?,00000000,?,?,00714EEE,?,?,00000000,00000000,?,?,?,?,?,?,00714F8F), ref: 0074DD60
SizeofResource.KERNEL32(?,00000000,?,?,00714EEE,?,?,00000000,00000000,?,?,?,?,?,?,00714F8F), ref: 0074DD75
LockResource.KERNEL32(Nq,?,?,00714EEE,?,?,00000000,00000000,?,?,?,?,?,?,00714F8F,00000000), ref: 0074DD88

Strings

Nq, xrefs: 0074DD85
SCRIPT, xrefs: 00715006

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nq
API String ID: 3051347437-3307269046
Opcode ID: 68b58eb8811ba1b1c2cfc7fabbf682a1fa949a3458bf0d30a0240d03f0d6db23
Instruction ID: 51a158f572fc254ff81c675957d9c8a507b5a532ed0ab866967b5572dccff6d4
Opcode Fuzzy Hash: 68b58eb8811ba1b1c2cfc7fabbf682a1fa949a3458bf0d30a0240d03f0d6db23
Instruction Fuzzy Hash: E9117C75200700BFD7258B69DC58F6B7BBAFBC9B11F20816DF406C62A0DB75EC418A64

Uniqueness

Uniqueness Score: -1.00%

Function 00714AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00714B2B

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

GetCurrentProcess.KERNEL32(?,0079FAEC,00000000,00000000,?), ref: 00714BF8
IsWow64Process.KERNEL32(00000000), ref: 00714BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00714C45
FreeLibrary.KERNEL32(00000000), ref: 00714C50
GetSystemInfo.KERNEL32(00000000), ref: 00714C81
GetSystemInfo.KERNEL32(00000000), ref: 00714C8D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a3b78d08a62a791aba88b37d5e3c4106ece974c257437b871b8e55071d42db3c
Instruction ID: 5c9ddfc188f617455c9d4b2d2b34e52f5e5dffb4029fb3407ee04d8f62d1ca2d
Opcode Fuzzy Hash: a3b78d08a62a791aba88b37d5e3c4106ece974c257437b871b8e55071d42db3c
Instruction Fuzzy Hash: A891C57154E7C4DEC731CB6C94951EABFE5AF26300B484D9ED0CB93A81D228E988C769

Uniqueness

Uniqueness Score: -1.00%

Function 0071E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt}, xrefs: 0071EC1A
Dt}, xrefs: 0071EC21
Variable must be of type 'Object'., xrefs: 0075428C
Dt}, xrefs: 00753F1F
Dt}, xrefs: 00753F58

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID: Dt}$Dt}$Dt}$Dt}$Variable must be of type 'Object'.
API String ID: 0-529152164
Opcode ID: a931ecaa1b4af49a9e6e4446412be5df05c3fdbb7bac63e034e454b6b143f872
Instruction ID: 3b48b46662225f04c648d9c0d3ff834467c12c1ca442f34d5d3453c0ab836027
Opcode Fuzzy Hash: a931ecaa1b4af49a9e6e4446412be5df05c3fdbb7bac63e034e454b6b143f872
Instruction Fuzzy Hash: 25A26974A04205CBDB24CF58C884AEEB7B1FF48314F648069ED16AB391D779ADC6CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00774696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0074E7C1), ref: 007746A6
FindFirstFileW.KERNELBASE(?,?), ref: 007746B7
FindClose.KERNEL32(00000000), ref: 007746C7

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 30681d1f3f693afb82d7661606f68a1514d2b56c043c4b54495cbf0fb0c06309
Instruction ID: a34a8e4b070615b2f4d19e3c6bab51cf6023ac5c1ffff960ceff160dc0281894
Opcode Fuzzy Hash: 30681d1f3f693afb82d7661606f68a1514d2b56c043c4b54495cbf0fb0c06309
Instruction Fuzzy Hash: CDE0D8314105005B4E106738EC4D4EE775C9E06375F108716F839C10E0E7B859708599

Uniqueness

Uniqueness Score: -1.00%

Function 00720B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00720BBB
timeGetTime.WINMM ref: 00720E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00720FB3
TranslateMessage.USER32(?), ref: 00720FC7
DispatchMessageW.USER32(?), ref: 00720FD5
Sleep.KERNEL32(0000000A), ref: 00720FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0072105A
DestroyWindow.USER32 ref: 00721066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00721080
Sleep.KERNEL32(0000000A,?,?), ref: 007552AD
TranslateMessage.USER32(?), ref: 0075608A
DispatchMessageW.USER32(?), ref: 00756098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007560AC

Strings

pr}, xrefs: 0075542D
@TRAY_ID, xrefs: 00755BB9
@GUI_WINHANDLE, xrefs: 007553B9
@GUI_CTRLHANDLE, xrefs: 0075540E
pr}, xrefs: 00755BDE
@COM_EVENTOBJ, xrefs: 0075591A
@GUI_CTRLID, xrefs: 00755364
pr}, xrefs: 007553D8
pr}, xrefs: 00755383

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr}$pr}$pr}$pr}
API String ID: 4003667617-1723423589
Opcode ID: 38cf0dd39e951f745acdf1bb7609a4cd80ad9b5633a9e1094a279af9572f747a
Instruction ID: ff7e577af3c18232657800829579ddec38a6974df6f8ce82dc71e75cc45edd90
Opcode Fuzzy Hash: 38cf0dd39e951f745acdf1bb7609a4cd80ad9b5633a9e1094a279af9572f747a
Instruction Fuzzy Hash: D9B2C670608741DFD724DF24D898BAAB7E5FF84304F14891DE84A87291D7BDE889CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007791E9: __time64.LIBCMT ref: 007791F3

Part of subcall function 00715045: _fseek.LIBCMT ref: 0071505D

__wsplitpath.LIBCMT ref: 007794BE

Part of subcall function 0073432E: __wsplitpath_helper.LIBCMT ref: 0073436E

_wcscpy.LIBCMT ref: 007794D1
_wcscat.LIBCMT ref: 007794E4
__wsplitpath.LIBCMT ref: 00779509
_wcscat.LIBCMT ref: 0077951F
_wcscat.LIBCMT ref: 00779532

Part of subcall function 0077922F: _memmove.LIBCMT ref: 00779268
Part of subcall function 0077922F: _memmove.LIBCMT ref: 00779277

_wcscmp.LIBCMT ref: 00779479

Part of subcall function 007799BE: _wcscmp.LIBCMT ref: 00779AAE
Part of subcall function 007799BE: _wcscmp.LIBCMT ref: 00779AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007796DC
_wcsncpy.LIBCMT ref: 0077974F
DeleteFileW.KERNEL32(?,?), ref: 00779785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0077979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007797AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007797BE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0cb70d25cad803a2f332094eb74badc065ee47e4d30b9e1a7b43a223ee11b674
Instruction ID: 118eb63a97bf888d3e61769aa9939968dd45a5024a21ab3a7626c3b7309e17a3
Opcode Fuzzy Hash: 0cb70d25cad803a2f332094eb74badc065ee47e4d30b9e1a7b43a223ee11b674
Instruction Fuzzy Hash: 30C14DB1E01219EADF15DFA4CC85ADEB7BDAF49340F0080AAF609E7151DB349A848F65

Uniqueness

Uniqueness Score: -1.00%

Function 00713015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00713074
RegisterClassExW.USER32(00000030), ref: 0071309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007130AF
InitCommonControlsEx.COMCTL32(?), ref: 007130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007130DC
LoadIconW.USER32(000000A9), ref: 007130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00713101

Strings

0, xrefs: 00713056
AutoIt v3 GUI, xrefs: 00713090
TaskbarCreated, xrefs: 007130A4
+, xrefs: 0071305D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c94932600989295eb09c8d3615452280f93d682f79b131295803a473036c191a
Instruction ID: ec40b1aa08e58f98d16710e4367444849db023e4fc5a4950a3bafb547f0c2c78
Opcode Fuzzy Hash: c94932600989295eb09c8d3615452280f93d682f79b131295803a473036c191a
Instruction Fuzzy Hash: 93314BB1901349AFDB10DFA4EC88AD9BFF4FB09314F14816EE541E62A1D7BA4541CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00713041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00713074
RegisterClassExW.USER32(00000030), ref: 0071309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007130AF
InitCommonControlsEx.COMCTL32(?), ref: 007130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007130DC
LoadIconW.USER32(000000A9), ref: 007130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00713101

Strings

0, xrefs: 00713056
AutoIt v3 GUI, xrefs: 00713090
TaskbarCreated, xrefs: 007130A4
+, xrefs: 0071305D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a4efad2d3416bdfd136ff16b70b17785a23416021b8cf76ca82d81596937e779
Instruction ID: 1efa672dd8237bb9db83e382fc12688564e7fb71eb3815d8664fa85a24d70e29
Opcode Fuzzy Hash: a4efad2d3416bdfd136ff16b70b17785a23416021b8cf76ca82d81596937e779
Instruction Fuzzy Hash: A321B4B1901218AFDB00DFA8EC49BDDBBF8FB08710F10812BF510E62A0D7B955559F99

Uniqueness

Uniqueness Score: -1.00%

Function 007171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00714864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007D62F8,?,007137C0,?), ref: 00714882

Part of subcall function 0073074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007172C5), ref: 00730771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00717308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0074ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0074ED32
RegCloseKey.ADVAPI32(?), ref: 0074ED70
_wcscat.LIBCMT ref: 0074EDC9

Strings

Include, xrefs: 0074ECE8, 0074ED29
\, xrefs: 0074EDEC
\Include\, xrefs: 007172C5
Software\AutoIt v3\AutoIt, xrefs: 007172FE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8f70819d867a9eb7a6e4769bde212e0821289b21f9ad6312beac0597c5d1049f
Instruction ID: 57ec646139be867fdd8fd3bdefe479ddd176f9524f9f28e525af0c05948446ea
Opcode Fuzzy Hash: 8f70819d867a9eb7a6e4769bde212e0821289b21f9ad6312beac0597c5d1049f
Instruction Fuzzy Hash: F2716D71509341DEC718DF29EC8589BBBF8FF98310F80852EF445831A1EB38A989CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00713633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 007136D2
KillTimer.USER32(?,00000001), ref: 007136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0071371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0071372A
CreatePopupMenu.USER32 ref: 0071373E
PostQuitMessage.USER32(00000000), ref: 0071375F

Strings

TaskbarCreated, xrefs: 00713725
%z, xrefs: 0074D2D1, 0074D31F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%z
API String ID: 129472671-4176258324
Opcode ID: 53d71f8f431231e7dc48e1a1e0d906eb8a0c6f3be13bdc624ab2cb042c90e51d
Instruction ID: 1065afa1e3ed011872719ca3182e6568d8c7d525ac49d24666365b18b4d38321
Opcode Fuzzy Hash: 53d71f8f431231e7dc48e1a1e0d906eb8a0c6f3be13bdc624ab2cb042c90e51d
Instruction Fuzzy Hash: D241E4B1204145ABEB249F6CEC49BF93775FB04300F14412BF902D62E1DA6CAE91A665

Uniqueness

Uniqueness Score: -1.00%

Function 00713A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00713A62
LoadCursorW.USER32(00000000,00007F00), ref: 00713A71
LoadIconW.USER32(00000063), ref: 00713A88
LoadIconW.USER32(000000A4), ref: 00713A9A
LoadIconW.USER32(000000A2), ref: 00713AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00713AD2
RegisterClassExW.USER32(?), ref: 00713B28

Part of subcall function 00713041: GetSysColorBrush.USER32(0000000F), ref: 00713074
Part of subcall function 00713041: RegisterClassExW.USER32(00000030), ref: 0071309E
Part of subcall function 00713041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007130AF
Part of subcall function 00713041: InitCommonControlsEx.COMCTL32(?), ref: 007130CC
Part of subcall function 00713041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007130DC
Part of subcall function 00713041: LoadIconW.USER32(000000A9), ref: 007130F2
Part of subcall function 00713041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00713101

Strings

AutoIt v3, xrefs: 00713B17
0, xrefs: 00713B06
#, xrefs: 00713B0D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 96591e471bfc34d0f88f8c6a673ca906a995b53f245d86031f76d4cd7a341752
Instruction ID: 00b82f93c0a27bb2bb14e13a23c4829007a9b13bcef2529ec87c08a3042cab8e
Opcode Fuzzy Hash: 96591e471bfc34d0f88f8c6a673ca906a995b53f245d86031f76d4cd7a341752
Instruction Fuzzy Hash: A321FB71902304AFEB109FA8EC49B9D7BB5FB08711F10812BF544A62A0D7BE66549F98

Uniqueness

Uniqueness Score: -1.00%

Function 00713778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007137C0
b}, xrefs: 0074D44E
/AutoIt3ExecuteLine, xrefs: 007138B9
/AutoIt3OutputDebug, xrefs: 007138A4
/AutoIt3ExecuteScript, xrefs: 007138CE
/ErrorStdOut, xrefs: 0071388F
CMDLINERAW, xrefs: 0071380D
CMDLINE, xrefs: 00713834

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b}
API String ID: 1825951767-1680737534
Opcode ID: 5056e1722b52051f3dfd4b29e885c1ce58ccfae84265283677464191675ce099
Instruction ID: b9b605bd18650e46e249262a04022a368a6f2cea3d42a417d4f1673bb41d69db
Opcode Fuzzy Hash: 5056e1722b52051f3dfd4b29e885c1ce58ccfae84265283677464191675ce099
Instruction Fuzzy Hash: 6BA14D7291021DDADF14EBA8CC99EEEB779BF14300F04452AE416B71D1DB7C6A89CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0071F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007303D3
Part of subcall function 007303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007303DB
Part of subcall function 007303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007303E6
Part of subcall function 007303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007303F1
Part of subcall function 007303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007303F9
Part of subcall function 007303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00730401

Part of subcall function 00726259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0071FA90), ref: 007262B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0071FB2D
OleInitialize.OLE32(00000000), ref: 0071FBAA
CloseHandle.KERNEL32(00000000), ref: 007549F2

Strings

<g}, xrefs: 0071FA90
%z, xrefs: 0071F8F6, 0071F908, 0071FACE, 0071FBB1
c}, xrefs: 0071F94B
\d}, xrefs: 0071F957

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g}$\d}$%z$c}
API String ID: 1986988660-1372319532
Opcode ID: b784f1d6c9fedd0f9ca36da639671c78bae184cb957de6b15f7f27c9d854c078
Instruction ID: 3eac7f01bb1e0ac1894fa1561ee59c5419ddccd2661382f5bb72d74c56edca3c
Opcode Fuzzy Hash: b784f1d6c9fedd0f9ca36da639671c78bae184cb957de6b15f7f27c9d854c078
Instruction Fuzzy Hash: 5A81A5B0902284CEC784EF79EA586557BF5EB88718710C23BD019C73A2EB3D8645CF68

Uniqueness

Uniqueness Score: -1.00%

Function 009F2650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 009F2721
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009F2947

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction ID: ea2d8b3cc8aecc4a74d26d5b713f82b3625a4aa5523a8e14382f662b30f7a899
Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction Fuzzy Hash: 32A10674E0020DEBDB14DFA4C994BFEBBB5BF48304F208559E615BB280D779AA81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 007139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00713A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00713A36
ShowWindow.USER32(00000000,?,?), ref: 00713A4A
ShowWindow.USER32(00000000,?,?), ref: 00713A53

Strings

edit, xrefs: 00713A30
AutoIt v3, xrefs: 00713A0D, 00713A12, 00713A13

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 95833b247dfb5eb88764604a0f514278fbceec3450184a073d7f56bb759515d8
Instruction ID: 98d2ccd33d4b661541b29cb9dc60d2dc1a16e34e0d02bf55feaa0c72773d93c6
Opcode Fuzzy Hash: 95833b247dfb5eb88764604a0f514278fbceec3450184a073d7f56bb759515d8
Instruction Fuzzy Hash: 14F0DA716422907EEE3157676C49E672F7DE7C6F60B00812BF904E2170C6AE6851DAB8

Uniqueness

Uniqueness Score: -1.00%

Function 009F2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F2300: Sleep.KERNELBASE(000001F4), ref: 009F2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009F2546

Strings

XW0980Y0QA, xrefs: 009F25A9, 009F25AC

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateFileSleep
String ID: XW0980Y0QA
API String ID: 2694422964-2656154724
Opcode ID: f550b63597ca92b39333c2c6ef888a3fb952b8b6a9a9be0862232264f395cafe
Instruction ID: ac818028a7691e5648ebff0b2f6b68a0b97d11fa0d78690af51f987f83bce2ea
Opcode Fuzzy Hash: f550b63597ca92b39333c2c6ef888a3fb952b8b6a9a9be0862232264f395cafe
Instruction Fuzzy Hash: 7D51A130D1420CEBEF11DBA4C855BEEBB79EF58700F104599E209BB2C0D6B91B45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0071410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0074D5EC

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

_memset.LIBCMT ref: 0071418D
_wcscpy.LIBCMT ref: 007141E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007141F1

Strings

Line: , xrefs: 0074D615

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c56da3f535e5d5898975fec9e72cf7b4e145006fa4a48a6d213303cb7288dd3c
Instruction ID: 84d115a874aabcf0eddda5920c36f4197374df8c49598da0f05bd3ccdf23c940
Opcode Fuzzy Hash: c56da3f535e5d5898975fec9e72cf7b4e145006fa4a48a6d213303cb7288dd3c
Instruction Fuzzy Hash: CB31A471009308AAD725EB68DC4AFDB77F8BF44310F10851EF195920E1EB7CAA88C796

Uniqueness

Uniqueness Score: -1.00%

Function 0073564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007356AB
_memcpy_s.LIBCMT ref: 0073571D
__read_nolock.LIBCMT ref: 0073577B
__filbuf.LIBCMT ref: 0073579E
_memset.LIBCMT ref: 007357E2

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 027e58a2b979e6ae166ef17770a823680b4833ad883ec3ea58ed3a68e85dd374
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: D551B331A00B05DFFB249FB9C88566EB7B5AF40720F648729F835972D2D7789D508B50

Uniqueness

Uniqueness Score: -1.00%

Function 007169CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00714F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00714F6F

_free.LIBCMT ref: 0074E68C
_free.LIBCMT ref: 0074E6D3

Part of subcall function 00716BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00716D0D

Strings

Bad directive syntax error, xrefs: 0074E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0074E462

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 745c9b50e63e6ec5df597d2333ea51173fcdb9d14604782338f712091e387412
Instruction ID: 6dd76ea4da5c43c86bb8099af08dd18642567c0ff8c79ff2a40c0a6fa90f83b8
Opcode Fuzzy Hash: 745c9b50e63e6ec5df597d2333ea51173fcdb9d14604782338f712091e387412
Instruction Fuzzy Hash: BA918071910219EFCF08EFA8CC959EDB7B8FF14324F144469F815AB291EB38A955CB60

Uniqueness

Uniqueness Score: -1.00%

Function 007135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007135A1,SwapMouseButtons,00000004,?), ref: 007135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007135A1,SwapMouseButtons,00000004,?,?,?,?,00712754), ref: 007135F5
RegCloseKey.KERNELBASE(00000000,?,?,007135A1,SwapMouseButtons,00000004,?,?,?,?,00712754), ref: 00713617

Strings

Control Panel\Mouse, xrefs: 007135D2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ba155c859101af905f1bb0a011c8c84b889223af4ff04956d7992a485a0d7639
Instruction ID: 67008697009031610b9e2f83ecbb461297fea23ac2afde32a1e632380f22aacf
Opcode Fuzzy Hash: ba155c859101af905f1bb0a011c8c84b889223af4ff04956d7992a485a0d7639
Instruction Fuzzy Hash: F61145B1610208BFDB20CF68DC80EEEBBBCEF44740F00846AE805D7250E2759E959BA4

Uniqueness

Uniqueness Score: -1.00%

Function 009F1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 009F1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 009F1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 009F1B73

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: e55e8ae45a7d58f3a74b6f78ce9590e1c0efbd3ef62e5b381b59e9f563add80f
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 4E621030A14258DBEB24CFA4C841BEEB375EF58300F1095A9D20DEB394E7799E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 007797E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00715045: _fseek.LIBCMT ref: 0071505D

Part of subcall function 007799BE: _wcscmp.LIBCMT ref: 00779AAE
Part of subcall function 007799BE: _wcscmp.LIBCMT ref: 00779AC1

_free.LIBCMT ref: 0077992C
_free.LIBCMT ref: 00779933
_free.LIBCMT ref: 0077999E

Part of subcall function 00732F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C64), ref: 00732FA9
Part of subcall function 00732F95: GetLastError.KERNEL32(00000000,?,00739C64), ref: 00732FBB

_free.LIBCMT ref: 007799A6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 3f6f066a6f8a1fa6632e80ed2bab1351ed37a74ad0f2831a4c65856b283f9a05
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 745150B1904618EFDF249F64CC45AAEBB79EF48310F1044AEB60DA7281DB755E80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0073493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007349D0
__flush.LIBCMT ref: 007349F0
__write.LIBCMT ref: 00734A23
__flsbuf.LIBCMT ref: 00734A51

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: d1acdd56195f50a52c1c051f29e54408ca60dd3ff9ad8ede6d0e2b71b58e163d
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: BA41A571640705ABFB2C8EA9C884A6F7BA9EF84360F24C16DE855C7652D778BD408B44

Uniqueness

Uniqueness Score: -1.00%

Function 00714DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00714E1A

Strings

EA06, xrefs: 0074DCF5
AU3!P/z, xrefs: 00714E14

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/z$EA06
API String ID: 4104443479-4042330639
Opcode ID: 543440db10164ef8f0188fd28d728ce5b9bdff8af5d7fa9db03106066745b90a
Instruction ID: 5840a2dac54e42dc8becf199c56be6e6dcd67737853aeff6d906a730e0abe634
Opcode Fuzzy Hash: 543440db10164ef8f0188fd28d728ce5b9bdff8af5d7fa9db03106066745b90a
Instruction Fuzzy Hash: C3418D71A04154DBDF255B6C8896BFE7FA6AB45300F684065E882AB2C2C63D8DC887E1

Uniqueness

Uniqueness Score: -1.00%

Function 007173E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074EE62
GetOpenFileNameW.COMDLG32(?), ref: 0074EEAC

Part of subcall function 007148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007148A1,?,?,007137C0,?), ref: 007148CE

Part of subcall function 007309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007309F4

Strings

X, xrefs: 0074EE7A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7ff2619218b1740c42d8a47121965d5a3524f5754cfaa895cfcd08142718fb5e
Instruction ID: a2bd39bbb44d2aa48e22f93c10ca019d704ef09b9d921d4620ef90ce53c4acf7
Opcode Fuzzy Hash: 7ff2619218b1740c42d8a47121965d5a3524f5754cfaa895cfcd08142718fb5e
Instruction Fuzzy Hash: A221A471A1025CDBDB55DF98C849BEE7BF8AF49710F00805AE508E7281DBBC5989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0077901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00779036
__fread_nolock.LIBCMT ref: 0077904B

Strings

EA06, xrefs: 0077907D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3af78ee70b20a7d829ea738bc5c41e4a1983ac8b28adc74026eb53848d058c48
Instruction ID: 6e447b068d1d32eab01cb4fd23248377f884978e3e3fd671342ea9b2d8d84390
Opcode Fuzzy Hash: 3af78ee70b20a7d829ea738bc5c41e4a1983ac8b28adc74026eb53848d058c48
Instruction Fuzzy Hash: B201B971914258BEDB28C6A8C85AFEEBBF8DB15301F00419EF556D2181E579A704C760

Uniqueness

Uniqueness Score: -1.00%

Function 00779B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00779B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00779B99

Strings

aut, xrefs: 00779B93

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e4767099f1a5ca9adc1af37e6f0a24811542baa2aaf88f1f7aa3705124cf6458
Instruction ID: 058adde6a4c0eca7e4a8ef497ca98d68d640b913086ac00ef2e6040d8c0f76f7
Opcode Fuzzy Hash: e4767099f1a5ca9adc1af37e6f0a24811542baa2aaf88f1f7aa3705124cf6458
Instruction Fuzzy Hash: B7D05E7954030EBBDB10AB94DC0EF9A772CE704705F0082A2FE54D10A1DEB896998B99

Uniqueness

Uniqueness Score: -1.00%

Function 0078CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b28746b74fb2f0da86e39916b35db34d71c710cfaa23e6d73453de21b5628ba
Instruction ID: ceee294dac3a68cb985211f0e94e29332b85a72f71e40e71546f981f6968c00d
Opcode Fuzzy Hash: 9b28746b74fb2f0da86e39916b35db34d71c710cfaa23e6d73453de21b5628ba
Instruction Fuzzy Hash: 16F11771508305DFC724EF28C494A6ABBE5BF88314F14892EF8999B291D735ED46CF82

Uniqueness

Uniqueness Score: -1.00%

Function 007143DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00714401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 007144A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 007144C3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 0195596d92e8590c66ba4ce871c0657b69cd97d9e2b2262288d6dc08ff415221
Instruction ID: c0eb0b92f7abdeeda7a397d015ad635b22930e07137a121a3e5e46a99d2b739c
Opcode Fuzzy Hash: 0195596d92e8590c66ba4ce871c0657b69cd97d9e2b2262288d6dc08ff415221
Instruction Fuzzy Hash: 0F318EB05053418FD720DF68D884A9BBBF8BB48704F00492EE99AC3291D779A984CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0073594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00735963

Part of subcall function 0073A3AB: __NMSG_WRITE.LIBCMT ref: 0073A3D2
Part of subcall function 0073A3AB: __NMSG_WRITE.LIBCMT ref: 0073A3DC

__NMSG_WRITE.LIBCMT ref: 0073596A

Part of subcall function 0073A408: GetModuleFileNameW.KERNEL32(00000000,007D43BA,00000104,?,00000001,00000000), ref: 0073A49A
Part of subcall function 0073A408: ___crtMessageBoxW.LIBCMT ref: 0073A548

Part of subcall function 007332DF: ___crtCorExitProcess.LIBCMT ref: 007332E5
Part of subcall function 007332DF: ExitProcess.KERNEL32 ref: 007332EE

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

RtlAllocateHeap.NTDLL(011D0000,00000000,00000001,00000000,?,?,?,00731013,?), ref: 0073598F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0e38e27e5d94b79bc4c5f225187ef23ba62025458a86828e476dc17d86325295
Instruction ID: 9fc051acede82c00817dd61e16adebc2360be764f9a8a6517c37efbdbab41111
Opcode Fuzzy Hash: 0e38e27e5d94b79bc4c5f225187ef23ba62025458a86828e476dc17d86325295
Instruction Fuzzy Hash: F401F132301B15EFF6212B34EC4AB6E73989F42730F50012AF840AA2C3DE7CBD018665

Uniqueness

Uniqueness Score: -1.00%

Function 00779B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007797D2,?,?,?,?,?,00000004), ref: 00779B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00779B5B
CloseHandle.KERNEL32(00000000,?,007797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00779B62

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: b1ff77b148ecb88b37ae13e8357d6ddd4076fe6670c82613f94574b94574e4c1
Instruction ID: adbc814391f375160b6ffb78521a41942be1224c7bd6d03bcbb0f37d31fa321f
Opcode Fuzzy Hash: b1ff77b148ecb88b37ae13e8357d6ddd4076fe6670c82613f94574b94574e4c1
Instruction Fuzzy Hash: D9E08632181218F7DB211B64EC0AFCA7F18EB05765F10C121FB14A90E087B5251297DC

Uniqueness

Uniqueness Score: -1.00%

Function 00778F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00778FA5

Part of subcall function 00732F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C64), ref: 00732FA9
Part of subcall function 00732F95: GetLastError.KERNEL32(00000000,?,00739C64), ref: 00732FBB

_free.LIBCMT ref: 00778FB6
_free.LIBCMT ref: 00778FC8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: b2edf946cc6bfbfe960f172fa7d39f9d160cbb3e2efa7ff17ef7a2ce299a39dd
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 06E012B16097028ADE64A578ED48AA357EE5F483A0F28081DF40DDB143DE2CE8428125

Uniqueness

Uniqueness Score: -1.00%

Function 0071AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0075002B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f140be4da944a2dac1a1d652e71e70734cbfb1a0893730ec899f99f15fbcecfb
Instruction ID: 26f13618656365e233ca2342ea711ce0b95cdb27a133fe8f233a9028612d64e7
Opcode Fuzzy Hash: f140be4da944a2dac1a1d652e71e70734cbfb1a0893730ec899f99f15fbcecfb
Instruction Fuzzy Hash: 91223A70609341DFD728DF18C494BAAB7F1BF45300F14895DE88A8B2A2D779ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0071492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00714992

Part of subcall function 007335AC: __lock.LIBCMT ref: 007335B2
Part of subcall function 007335AC: DecodePointer.KERNEL32(00000001,?,007149A7,007681BC), ref: 007335BE
Part of subcall function 007335AC: EncodePointer.KERNEL32(?,?,007149A7,007681BC), ref: 007335C9

Part of subcall function 00714A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00714A73
Part of subcall function 00714A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00714A88

Part of subcall function 00713B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00713B7A
Part of subcall function 00713B4C: IsDebuggerPresent.KERNEL32 ref: 00713B8C
Part of subcall function 00713B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007D62F8,007D62E0,?,?), ref: 00713BFD
Part of subcall function 00713B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00713C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007149D2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 4dfb2f25d2a6500838a30fc5961e8dcf668e9a3d75642c162bcb4c497cc4beea
Instruction ID: a197dacfc807f1183ba61e669c03eb474259a3d2a7689ce4dd62adb9653559c5
Opcode Fuzzy Hash: 4dfb2f25d2a6500838a30fc5961e8dcf668e9a3d75642c162bcb4c497cc4beea
Instruction Fuzzy Hash: 90118C719093119BC700EF28DC0994ABFF8FF98710F00851FF485972A1DB78A589CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00715DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00715981,?,?,?,?), ref: 00715E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00715981,?,?,?,?), ref: 0074E19C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b50e20a17203bb49d0f3d6b56956da40a6a1103ab6437bfb9979d8a1c8d73b3
Instruction ID: f121701dd516bdf2b29495a7ced6cb83525d01a38e947281b6d0ceb7b6a7c903
Opcode Fuzzy Hash: 5b50e20a17203bb49d0f3d6b56956da40a6a1103ab6437bfb9979d8a1c8d73b3
Instruction Fuzzy Hash: 60015670684708FEF7680E18CC8AFA6369CAB05768F108319FAE55E1D0C6B85D898B54

Uniqueness

Uniqueness Score: -1.00%

Function 00730FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0073594C: __FF_MSGBANNER.LIBCMT ref: 00735963
Part of subcall function 0073594C: __NMSG_WRITE.LIBCMT ref: 0073596A
Part of subcall function 0073594C: RtlAllocateHeap.NTDLL(011D0000,00000000,00000001,00000000,?,?,?,00731013,?), ref: 0073598F

std::exception::exception.LIBCMT ref: 0073102C
__CxxThrowException@8.LIBCMT ref: 00731041

Part of subcall function 007387DB: RaiseException.KERNEL32(?,?,?,007CBAF8,00000000,?,?,?,?,00731046,?,007CBAF8,?,00000001), ref: 00738830

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 839d619a2edd573546bd7010c1b96973ce1071aae153c16f2d1aff47dd1c2d02
Instruction ID: 5ecc51d4eb0b2c354ad5d5a9ea0d0539ddea30dd478106b3df10e0371fbed932
Opcode Fuzzy Hash: 839d619a2edd573546bd7010c1b96973ce1071aae153c16f2d1aff47dd1c2d02
Instruction Fuzzy Hash: 13F02D3560031DE6E724BA98DC0AADF77AC9F01350F600125F80491543DF789A8182D1

Uniqueness

Uniqueness Score: -1.00%

Function 0073582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0073585C
__lock_file.LIBCMT ref: 0073587D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 9b42fba78e0fba859971e4b96143de8b07e878ff30fc515e61644df8ec07e432
Instruction ID: 17e4537f3b9be3f7052793ea23ce49cb3bbb69b3d64c637e568d3736258b95a1
Opcode Fuzzy Hash: 9b42fba78e0fba859971e4b96143de8b07e878ff30fc515e61644df8ec07e432
Instruction Fuzzy Hash: 4D01A771C00719EBEF22AF698C0A9DF7B61AF40360F148215F8145B1A3DB3D8A51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 007355D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

__lock_file.LIBCMT ref: 0073561B

Part of subcall function 00736E4E: __lock.LIBCMT ref: 00736E71

__fclose_nolock.LIBCMT ref: 00735626

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e6617131a974fd1f39ae9269935bb78c1e5cee93956dc0ed2d93505839741314
Instruction ID: e29552a4254b674d7831262297d5f536ac5248543e05f0281e67b5bde9227de9
Opcode Fuzzy Hash: e6617131a974fd1f39ae9269935bb78c1e5cee93956dc0ed2d93505839741314
Instruction Fuzzy Hash: 25F024B1900B11DAF760AF34880B76EB7A12F00B30F548209B810AB0C3CF7C8A018B92

Uniqueness

Uniqueness Score: -1.00%

Function 009F12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 009F1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 009F1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 009F1B73

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 56a7648bd3bce10dd383d8cf6ac28ffdcce187c07c397cc3b350172f46252412
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 2B12EE24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00722123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9197dacc89277a8bc7123a6e4d66504cf92be22350c6f8ee3f5734c203d256ca
Instruction ID: 2390739cc335e61fb8997123551741a4bb831657d42716c7827202bf0081e4bd
Opcode Fuzzy Hash: 9197dacc89277a8bc7123a6e4d66504cf92be22350c6f8ee3f5734c203d256ca
Instruction Fuzzy Hash: AE519134700614EFCF18EB68C999EAE77A5AF84310F148168F946AB3C2DB38ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00715C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00715CF6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9c48e6428264546b152789f3b229d7e28545e88d4f775441e06bac0dba5d234b
Instruction ID: fb80037d3d7a3ce5fc3f1b9abc7681fb2bb3b21efce6144ea1d24664e8abd7cc
Opcode Fuzzy Hash: 9c48e6428264546b152789f3b229d7e28545e88d4f775441e06bac0dba5d234b
Instruction Fuzzy Hash: 70313C71A00B0AEFCB18DF2DD48469DB7B5FF88310F148629D81993750D775A9A0DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 007500D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007500E1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 34a00fb692fc4aab284c264018ff80a83a1e774d1e9e5d922186a5cd4bb5dd13
Instruction ID: 945bbcb482ca37cba14042d8831284b490fdd52e9b529c8f62da6cfbda1c6527
Opcode Fuzzy Hash: 34a00fb692fc4aab284c264018ff80a83a1e774d1e9e5d922186a5cd4bb5dd13
Instruction Fuzzy Hash: 91412E74604751DFDB14DF18C484B5ABBE0BF45314F19885CE8854B3A2C379EC89CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007179AB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007179F9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction ID: 5b1c9e8f19d10afd908392563e0d3bb8a3d3cea9671790f88d0ecc600e022052
Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction Fuzzy Hash: 2611D332209205AFD718DF2CC885CAEB7A9EF45324724851AF915DB2E1DB36EC95C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00714F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00714D13: FreeLibrary.KERNEL32(00000000,?), ref: 00714D4D

Part of subcall function 0073548B: __wfsopen.LIBCMT ref: 00735496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00714F6F

Part of subcall function 00714CC8: FreeLibrary.KERNEL32(00000000), ref: 00714D02

Part of subcall function 00714DD0: _memmove.LIBCMT ref: 00714E1A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3978f7fbb3029ed37b9bdcbd6cfde403d8e662bc974a70a790116bc2fae252f9
Instruction ID: c1eb1dda257de31a539fa97f54cacca3c1f619af3d4fff9d75a52255e45d5ef0
Opcode Fuzzy Hash: 3978f7fbb3029ed37b9bdcbd6cfde403d8e662bc974a70a790116bc2fae252f9
Instruction Fuzzy Hash: CB11EB32700605EACF24AF78DC0ABEE77A89F44B10F208429F541962C1DB7D9A459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007501AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007501BB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8731b3063c8353c9fcd4ce2198cc804f33437c32b5970a4d16ff07a7c01d1cbb
Instruction ID: 1688dcecb0f5f2b5e1e9da37f82c9ec95dc41ca0b65a5d9ab1b4999a3d194ec8
Opcode Fuzzy Hash: 8731b3063c8353c9fcd4ce2198cc804f33437c32b5970a4d16ff07a7c01d1cbb
Instruction Fuzzy Hash: F8212774608341DFDB14DF68C449B5ABBE0BF84314F04896CE98997762D739E889CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00715D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00715807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00715D76

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 18e7d880abe89e0c372adf085db267baac7443ebdd977eaff9b6cd0c039fd1a6
Instruction ID: c4c4c3ab15ee3442d02c7894ba80da24ed904e6a90f5eddecba1b15e20787107
Opcode Fuzzy Hash: 18e7d880abe89e0c372adf085db267baac7443ebdd977eaff9b6cd0c039fd1a6
Instruction Fuzzy Hash: AE113A71200B05DFD3348F19E488BA2B7F5EF85750F10C92EE4EA86A90D778E985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00734A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00734AD6

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 24aa173f1ba00294793fd7250db238d69648673c74ebc536834f74547e6fd2a2
Instruction ID: e865f7bc8f78c03c2f3e36f12f8a4fe3c59fddef83561fcfad77bfdeaf59b6b4
Opcode Fuzzy Hash: 24aa173f1ba00294793fd7250db238d69648673c74ebc536834f74547e6fd2a2
Instruction Fuzzy Hash: 86F0AF71940309EBFFA5AF748C0A79E77A1AF00325F088518B424AA1D3CB7C9E50DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00714FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00714FDE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ca6e06013701ec88f613827d71b39371e7709bc1b472342c4f928691217150f1
Instruction ID: 32e71bb21eb5405a36428703d059d665bfee1c7bf9f334f685efff24b54d32f9
Opcode Fuzzy Hash: ca6e06013701ec88f613827d71b39371e7709bc1b472342c4f928691217150f1
Instruction Fuzzy Hash: 81F03971105712CFCB349F68E494892BBEABF043293288A3EE1D682750C739A896DF40

Uniqueness

Uniqueness Score: -1.00%

Function 007309D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007309F4

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2916f1eeeb58c33f9fb1f8d456545d929d7d3efeaa68a1feb2a0f3de7a4996a3
Instruction ID: 120efebe9fec100515e3b62943d1ce11cb162773f98b93307ca05091e506be4b
Opcode Fuzzy Hash: 2916f1eeeb58c33f9fb1f8d456545d929d7d3efeaa68a1feb2a0f3de7a4996a3
Instruction Fuzzy Hash: 3AE08676A0422897C720E6989C09FFA77ADDF89690F0441B6FC4CD7244D9649C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00779129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0077914B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 60fff7ce401489350a2a2349cc615468564296bd710d7b1497a5f0e7430830bc
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 67E09AB0204B049FEB388A28D815BE373E0AB06315F00081CF2AA83342EB66B8418B59

Uniqueness

Uniqueness Score: -1.00%

Function 00715DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0074E16B,?,?,00000000), ref: 00715DBF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a7bdfd7372abf88f976528276f4565a5e88cdd9c43778b8dc9eeba454d6bb0b7
Instruction ID: 478e6a25d5583aa1954d821e092800e0aa6b8d44aca48f2596c045dd6f8af080
Opcode Fuzzy Hash: a7bdfd7372abf88f976528276f4565a5e88cdd9c43778b8dc9eeba454d6bb0b7
Instruction Fuzzy Hash: 77D0C77464020CBFE710DB80DC46FA9777CD705710F100195FD0496290D6B27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 0073548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00735496

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 0522bf87071d5eef9d1d1a4665696a8ba970ff8a2a58780e98e60710d68eb050
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: AFB0927684020CB7EE012E82EC02A593B199B40678F808020FB0C18162A677A6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 0077D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0077D46A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a5a978b6bf738a834cb6ddf1b5b50daef2e0a494979d178d3be99438fa96df8e
Instruction ID: 4e0972e8bbed397d4817d26fd06cdb4612761cb23bb2f17b88e3c1d93d13e73f
Opcode Fuzzy Hash: a5a978b6bf738a834cb6ddf1b5b50daef2e0a494979d178d3be99438fa96df8e
Instruction Fuzzy Hash: 1B714530204341CFCB14EF28C495AAAB7F5AF88354F04856DF99A972D2DB38ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00730E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00730EF7

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6b21c31bf2388ae315c1192f33e441ee9f43eaaad091bc98797c2f9e0440de37
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1A31D275A4010ADFE718EF58C4A0969F7A6FF59300F688AA5E409CB652D739EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 009F2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 009F2311

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f998c3016a4e63b8dbd1033054c637ef1b86b2a95834c0391933eff3b83bf46f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: CBE0E67494110EDFDB00EFB4D5496AE7FB4EF04701F100561FD01D2280D6709D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0079CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0079CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0079CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0079CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0079CF00
SendMessageW.USER32 ref: 0079CF29
_wcsncpy.LIBCMT ref: 0079CFA1
GetKeyState.USER32(00000011), ref: 0079CFC2
GetKeyState.USER32(00000009), ref: 0079CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0079CFE5
GetKeyState.USER32(00000010), ref: 0079CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0079D018
SendMessageW.USER32 ref: 0079D03F
SendMessageW.USER32(?,00001030,?,0079B602), ref: 0079D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0079D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0079D16E
SetCapture.USER32(?), ref: 0079D177
ClientToScreen.USER32(?,?), ref: 0079D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0079D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0079D203
ReleaseCapture.USER32 ref: 0079D20E
GetCursorPos.USER32(?), ref: 0079D248
ScreenToClient.USER32(?,?), ref: 0079D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0079D2B1
SendMessageW.USER32 ref: 0079D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0079D31C
SendMessageW.USER32 ref: 0079D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0079D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0079D37B
GetCursorPos.USER32(?), ref: 0079D39B
ScreenToClient.USER32(?,?), ref: 0079D3A8
GetParent.USER32(?), ref: 0079D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0079D431
SendMessageW.USER32 ref: 0079D462
ClientToScreen.USER32(?,?), ref: 0079D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0079D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0079D51A
SendMessageW.USER32 ref: 0079D53D
ClientToScreen.USER32(?,?), ref: 0079D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0079D5C3

Part of subcall function 007125DB: GetWindowLongW.USER32(?,000000EB), ref: 007125EC

GetWindowLongW.USER32(?,000000F0), ref: 0079D65F

Strings

pr}, xrefs: 0079D1BD
@GUI_DRAGID, xrefs: 0079D1AA
F, xrefs: 0079D543

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr}
API String ID: 3977979337-1713234969
Opcode ID: 74cd96098435f8a95f05d55273be952f006eb21d77f0224b97b982ebaad19f35
Instruction ID: 4d17f867977fbc06b85095a74b53403e4e23e5fad1115418690b78d15352effa
Opcode Fuzzy Hash: 74cd96098435f8a95f05d55273be952f006eb21d77f0224b97b982ebaad19f35
Instruction Fuzzy Hash: 8F42AC30204340EFDF21CF28D858AAABBE6FF49314F14451EF6968B2A1C7399851DB96

Uniqueness

Uniqueness Score: -1.00%

Function 0079804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0079873F

Strings

%d/%02d/%02d, xrefs: 00798478

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 345081d8daba69559e75c7cdb4d1f1876e59727bb92bae80681a1424b9134d35
Instruction ID: 8e0c7bee5fc87dc1db008c6365e001a8bd7ca06ddf96ee854f2af5e6982b07de
Opcode Fuzzy Hash: 345081d8daba69559e75c7cdb4d1f1876e59727bb92bae80681a1424b9134d35
Instruction Fuzzy Hash: 9612D171500208ABEF658F74EC49FAE7BB9EF46710F24412AF915EA2E1DF788941CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0072710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007275C2
_memset.LIBCMT ref: 007276B1
_memmove.LIBCMT ref: 00727C4B
_memmove.LIBCMT ref: 00727E4F

Strings

Oar, xrefs: 0076287E
[:<:]], xrefs: 007275F1
DEFINE, xrefs: 007625AF
Q\E, xrefs: 007281C1
\b(?=\w), xrefs: 00763C34
\b(?<=\w), xrefs: 00763C41
0w|, xrefs: 00761F5B
[:>:]], xrefs: 0072760A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w|$DEFINE$Oar$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-542029135
Opcode ID: f9e3385d85c05969ff76e74873ea894afb42bfb940125b36e3aa03fdb24916ab
Instruction ID: acc240cfc579df97ab1296b1cdf9329192d4121ee9d1be1a324141fbdc392cfe
Opcode Fuzzy Hash: f9e3385d85c05969ff76e74873ea894afb42bfb940125b36e3aa03fdb24916ab
Instruction Fuzzy Hash: 5E93A371A04215DFDB28CF58D981BADB7B1FF48310F24816AED46AB281E7789E81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00714A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00714A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074DA8E
IsIconic.USER32(?), ref: 0074DA97
ShowWindow.USER32(?,00000009), ref: 0074DAA4
SetForegroundWindow.USER32(?), ref: 0074DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074DAC4
GetCurrentThreadId.KERNEL32 ref: 0074DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0074DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0074DAF8
SetForegroundWindow.USER32(?), ref: 0074DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074DB10
keybd_event.USER32(00000012,00000000), ref: 0074DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074DB25
keybd_event.USER32(00000012,00000000), ref: 0074DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074DB33
keybd_event.USER32(00000012,00000000), ref: 0074DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074DB42
keybd_event.USER32(00000012,00000000), ref: 0074DB47
SetForegroundWindow.USER32(?), ref: 0074DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0074DB71

Strings

Shell_TrayWnd, xrefs: 0074DA89

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3d881111a58f04a2ac1146e182525d199e6c0672f936dcfe2e61d9838dbaaa5a
Instruction ID: 7cd25b3a8da504632019e0e1194c64859e56a7ed14e31c400823d61e31dfe22a
Opcode Fuzzy Hash: 3d881111a58f04a2ac1146e182525d199e6c0672f936dcfe2e61d9838dbaaa5a
Instruction Fuzzy Hash: 19316571A40318BBEB316FA19C49F7F3E6CEB44B50F118026FA04EA1D0C6B85D11EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00768858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00768CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00768D0D
Part of subcall function 00768CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00768D3A
Part of subcall function 00768CC3: GetLastError.KERNEL32 ref: 00768D47

_memset.LIBCMT ref: 0076889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007688ED
CloseHandle.KERNEL32(?), ref: 007688FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00768915
GetProcessWindowStation.USER32 ref: 0076892E
SetProcessWindowStation.USER32(00000000), ref: 00768938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00768952

Part of subcall function 00768713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00768851), ref: 00768728
Part of subcall function 00768713: CloseHandle.KERNEL32(?,?,00768851), ref: 0076873A

Strings

winsta0, xrefs: 00768910
, xrefs: 007688AA
default, xrefs: 0076894D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 63c9417c1173cbfc5d23725a57f22f3a6a30126ae7a2b17baccdb7775bd8107b
Instruction ID: fa1d98b2139ebddb514be362a1f6c0069846cfb7dab9135608e42a1fc55286f1
Opcode Fuzzy Hash: 63c9417c1173cbfc5d23725a57f22f3a6a30126ae7a2b17baccdb7775bd8107b
Instruction Fuzzy Hash: 2E818EB1900209AFDF51DFE4DC49AEE7B78EF04304F08826AFD11A2261DB398E15DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0078425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0079F910), ref: 00784284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00784292
GetClipboardData.USER32(0000000D), ref: 0078429A
CloseClipboard.USER32 ref: 007842A6
GlobalLock.KERNEL32(00000000), ref: 007842C2
CloseClipboard.USER32 ref: 007842CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 007842E1
IsClipboardFormatAvailable.USER32(00000001), ref: 007842EE
GetClipboardData.USER32(00000001), ref: 007842F6
GlobalLock.KERNEL32(00000000), ref: 00784303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00784337
CloseClipboard.USER32 ref: 00784447

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 4c4584c2a7d9df47daf2e29423635ee2d1a974ed9fb75268f5c72a60a66f7386
Instruction ID: 65048fa16b46d2a3b712f449f2a9ac3d4121b7552be063d8d037dbbcbe8206a1
Opcode Fuzzy Hash: 4c4584c2a7d9df47daf2e29423635ee2d1a974ed9fb75268f5c72a60a66f7386
Instruction Fuzzy Hash: 4251C371244302ABD310FF64EC8AF6E77A8BF84B10F10852AF556D21E1DB78D905CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0077C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0077C9F8
FindClose.KERNEL32(00000000), ref: 0077CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0077CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0077CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0077CAAF
__swprintf.LIBCMT ref: 0077CAFB
__swprintf.LIBCMT ref: 0077CB3E

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

__swprintf.LIBCMT ref: 0077CB92

Part of subcall function 007338D8: __woutput_l.LIBCMT ref: 00733931

__swprintf.LIBCMT ref: 0077CBE0

Part of subcall function 007338D8: __flsbuf.LIBCMT ref: 00733953
Part of subcall function 007338D8: __flsbuf.LIBCMT ref: 0073396B

__swprintf.LIBCMT ref: 0077CC2F
__swprintf.LIBCMT ref: 0077CC7E
__swprintf.LIBCMT ref: 0077CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0077CAF5
%4d, xrefs: 0077CB38
%02d, xrefs: 0077CB86, 0077CB90, 0077CBDE, 0077CC2D, 0077CC7C, 0077CCCB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 66ca414487428551c9e9aba490ea1a194b88e1d71fd1c8d970adf2dff40dd2b8
Instruction ID: 6283b5a6645d92f66ce626844ec7bc3da904966e93de49352d0d3534af9636f9
Opcode Fuzzy Hash: 66ca414487428551c9e9aba490ea1a194b88e1d71fd1c8d970adf2dff40dd2b8
Instruction Fuzzy Hash: F3A13FB2508304EBC714EB64C89ADEFB7ECAF98701F40491DF586D3191EA38DA49C762

Uniqueness

Uniqueness Score: -1.00%

Function 0077F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0077F221
_wcscmp.LIBCMT ref: 0077F236
_wcscmp.LIBCMT ref: 0077F24D
GetFileAttributesW.KERNEL32(?), ref: 0077F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0077F279
FindNextFileW.KERNEL32(00000000,?), ref: 0077F291
FindClose.KERNEL32(00000000), ref: 0077F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0077F2B8
_wcscmp.LIBCMT ref: 0077F2DF
_wcscmp.LIBCMT ref: 0077F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0077F308
SetCurrentDirectoryW.KERNEL32(007CA5A0), ref: 0077F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077F330
FindClose.KERNEL32(00000000), ref: 0077F33D
FindClose.KERNEL32(00000000), ref: 0077F34F

Strings

*.*, xrefs: 0077F2B3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 4d37d2ae28ef6596c4fc6555afbbe9f51b5bd5eef91da0e03bd80f2fd046c6e5
Instruction ID: 5d4cde485b74e7ebf69ecda33289a96249f6d3596ec686d155ef6560c1eadbbb
Opcode Fuzzy Hash: 4d37d2ae28ef6596c4fc6555afbbe9f51b5bd5eef91da0e03bd80f2fd046c6e5
Instruction Fuzzy Hash: DD31A7765002196BDF10DBB4EC49FEE77ACAF083A1F14817AE818D3091DB3CDA45CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00790AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00790BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0079F910,00000000,?,00000000,?,?), ref: 00790C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00790C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00790D1D
RegCloseKey.ADVAPI32(?), ref: 0079103D
RegCloseKey.ADVAPI32(00000000), ref: 0079104A

Strings

REG_DWORD, xrefs: 00790F0E
REG_EXPAND_SZ, xrefs: 00790CBA
REG_SZ, xrefs: 00790D5B
REG_QWORD, xrefs: 00790F8B
REG_MULTI_SZ, xrefs: 00790E05
REG_BINARY, xrefs: 00790FD8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: b46f1141111112ed820a69bbe15d76dd39996b480914fc48eb619bac24d79a27
Instruction ID: 12e25b260e4d5acde0f3d5862ad345f8023cd167d6d5a836713fb24ed06c7e13
Opcode Fuzzy Hash: b46f1141111112ed820a69bbe15d76dd39996b480914fc48eb619bac24d79a27
Instruction Fuzzy Hash: E3026B75200611DFCB14EF18D895E6AB7E5FF88710F04885DF99A9B2A2CB39ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0077F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0077F37E
_wcscmp.LIBCMT ref: 0077F393
_wcscmp.LIBCMT ref: 0077F3AA

Part of subcall function 007745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007745DC

FindNextFileW.KERNEL32(00000000,?), ref: 0077F3D9
FindClose.KERNEL32(00000000), ref: 0077F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0077F400
_wcscmp.LIBCMT ref: 0077F427
_wcscmp.LIBCMT ref: 0077F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0077F450
SetCurrentDirectoryW.KERNEL32(007CA5A0), ref: 0077F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077F478
FindClose.KERNEL32(00000000), ref: 0077F485
FindClose.KERNEL32(00000000), ref: 0077F497

Strings

*.*, xrefs: 0077F3FB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 3b090bbaa4d75fa78806fbf57cb22b029b34e7e9f683809749bce0ac4c919aea
Instruction ID: 8c9d88266d718b249ba6bbd76be928b185414f0416070d5dd8451015b4cac106
Opcode Fuzzy Hash: 3b090bbaa4d75fa78806fbf57cb22b029b34e7e9f683809749bce0ac4c919aea
Instruction Fuzzy Hash: 8131D571501259ABDF209B74EC89EEE77AC9F093A4F14817AE818E30A0D73CDE55CA64

Uniqueness

Uniqueness Score: -1.00%

Function 007681F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00768766
Part of subcall function 0076874A: GetLastError.KERNEL32(?,0076822A,?,?,?), ref: 00768770
Part of subcall function 0076874A: GetProcessHeap.KERNEL32(00000008,?,?,0076822A,?,?,?), ref: 0076877F
Part of subcall function 0076874A: HeapAlloc.KERNEL32(00000000,?,0076822A,?,?,?), ref: 00768786
Part of subcall function 0076874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076879D

Part of subcall function 007687E7: GetProcessHeap.KERNEL32(00000008,00768240,00000000,00000000,?,00768240,?), ref: 007687F3
Part of subcall function 007687E7: HeapAlloc.KERNEL32(00000000,?,00768240,?), ref: 007687FA
Part of subcall function 007687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00768240,?), ref: 0076880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0076825B
_memset.LIBCMT ref: 00768270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0076828F
GetLengthSid.ADVAPI32(?), ref: 007682A0
GetAce.ADVAPI32(?,00000000,?), ref: 007682DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007682F9
GetLengthSid.ADVAPI32(?), ref: 00768316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00768325
HeapAlloc.KERNEL32(00000000), ref: 0076832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0076834D
CopySid.ADVAPI32(00000000), ref: 00768354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00768385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007683AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007683BF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 3e25f1b78877105fd39960c1bf2a922805526f2047bb3ef0684d253383a5e5b4
Instruction ID: f3251061cd046df963ecee7b60fad84d17e334ade6c83233cce7361c92480662
Opcode Fuzzy Hash: 3e25f1b78877105fd39960c1bf2a922805526f2047bb3ef0684d253383a5e5b4
Instruction Fuzzy Hash: 91613C71900209EFDF109F95DC45AAEBBB9FF04700F14826AE816E6291DB399A15CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00726843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

Oar, xrefs: 00761888, 0076192F, 007619DD
NO_AUTO_POSSESS), xrefs: 00761567
UTF16), xrefs: 00761508
LIMIT_RECURSION=, xrefs: 00761635
BSR_ANYCRLF), xrefs: 00761757
ANYCRLF), xrefs: 00761734
CR), xrefs: 007616C0
LIMIT_MATCH=, xrefs: 007615A9
NO_START_OPT), xrefs: 00761588
PJ{, xrefs: 007268B3
BSR_UNICODE), xrefs: 00761771
ANY), xrefs: 00761717
CRLF), xrefs: 007616FA
UTF), xrefs: 00761533
UCP), xrefs: 00761546
LF), xrefs: 007616DD

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oar$PJ{$UCP)$UTF)$UTF16)
API String ID: 0-2957015068
Opcode ID: 502e8e87bd64daecc9c6cc0b5f8cd3a8e81fad6f1176fd69d8230ebf37e072e8
Instruction ID: 4f13de863f8d3fd129e6b006bd2be2e9f45b7e565c035ee7a269d9c3ed35e0a4
Opcode Fuzzy Hash: 502e8e87bd64daecc9c6cc0b5f8cd3a8e81fad6f1176fd69d8230ebf37e072e8
Instruction Fuzzy Hash: 20728475E00229DBDF24CF58D8847AEB7B5FF48310F54816AE846EB291DB789D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00790665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00790038,?,?), ref: 007910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00790737

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007907D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0079086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00790AAD
RegCloseKey.ADVAPI32(00000000), ref: 00790ABA

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 8a1d13b151aee4a0e60a2517e7db20ea8f9426096a060fd40238ba6d2bf4c243
Instruction ID: f1ae2a977859090a263cc64f658ce6b389915cb4c7a13d2842e497412e0106cc
Opcode Fuzzy Hash: 8a1d13b151aee4a0e60a2517e7db20ea8f9426096a060fd40238ba6d2bf4c243
Instruction Fuzzy Hash: 9BE15D31204210EFCB14DF28D895E6ABBE9EF89714F04C56DF45ADB2A2DA34ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00770219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00770241
GetAsyncKeyState.USER32(000000A0), ref: 007702C2
GetKeyState.USER32(000000A0), ref: 007702DD
GetAsyncKeyState.USER32(000000A1), ref: 007702F7
GetKeyState.USER32(000000A1), ref: 0077030C
GetAsyncKeyState.USER32(00000011), ref: 00770324
GetKeyState.USER32(00000011), ref: 00770336
GetAsyncKeyState.USER32(00000012), ref: 0077034E
GetKeyState.USER32(00000012), ref: 00770360
GetAsyncKeyState.USER32(0000005B), ref: 00770378
GetKeyState.USER32(0000005B), ref: 0077038A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f955be161b5462aea4c9b4df3c296d3f301798043153a269896f9678d3c1e0b2
Instruction ID: 92404b85d38171f1c962eb453eab16737b0d6c9ca69fcbf299849687c2df19d3
Opcode Fuzzy Hash: f955be161b5462aea4c9b4df3c296d3f301798043153a269896f9678d3c1e0b2
Instruction Fuzzy Hash: 084188645047C9EEFF319A6488087B5BEA07F12384F08C09ED5CE966C3EB9C59D487E2

Uniqueness

Uniqueness Score: -1.00%

Function 00784458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0078447F
EmptyClipboard.USER32 ref: 00784485
GlobalAlloc.KERNEL32(00000002,?), ref: 0078449A
CloseClipboard.USER32 ref: 00784539

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ba95a52f54b24f1550fed3513d3c0494e5772344b952bf2d0d1148d24ec79773
Instruction ID: 4c0cdfb1eb930f39f51388df6385fc3cbd7f3bfba6d18d0b138d707f3b9a5a49
Opcode Fuzzy Hash: ba95a52f54b24f1550fed3513d3c0494e5772344b952bf2d0d1148d24ec79773
Instruction Fuzzy Hash: 77216D352412119FDB10AF64EC09B6D77A8EF44721F10C02AF94ADB2A1DB78AD12CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00773A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007148A1,?,?,007137C0,?), ref: 007148CE

Part of subcall function 00774CD3: GetFileAttributesW.KERNEL32(?,00773947), ref: 00774CD4

FindFirstFileW.KERNEL32(?,?), ref: 00773ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00773B87
MoveFileW.KERNEL32(?,?), ref: 00773B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00773BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00773BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00773BF5

Strings

\*.*, xrefs: 00773A8A, 00773A93, 00773AA8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2efa237289d276adead2f2e8688b9f009dafd408609d80105e7e6de326fd386e
Instruction ID: 3f0d3fee498e8a288e7c85ecd1b0ab94824a39b93abba9cc96edabcc71957721
Opcode Fuzzy Hash: 2efa237289d276adead2f2e8688b9f009dafd408609d80105e7e6de326fd386e
Instruction Fuzzy Hash: AD51913180124DDACF09EBA4CD969EDB779AF14340F6481A9E446770E1EF386F49DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00724140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00724520
Oar, xrefs: 00724984, 00758173
VUUU, xrefs: 007244DB
VUUU, xrefs: 00757B0C
VUUU, xrefs: 007244ED
ERCP, xrefs: 0072421F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID: ERCP$Oar$VUUU$VUUU$VUUU$VUUU
API String ID: 0-4160362945
Opcode ID: ec978dfa590a2dd1908c5d275e2c845fcee29bf6b6f69600806a2d51abd44fc9
Instruction ID: 6c2df39decd1460b5146e1c15e0fb22ed28eeda6fefdccc75f29c7af7b9c4121
Opcode Fuzzy Hash: ec978dfa590a2dd1908c5d275e2c845fcee29bf6b6f69600806a2d51abd44fc9
Instruction Fuzzy Hash: 7BA28F70E0422ACBDF28CF58E9807EDB7B1FB54315F1481A9D85AA7280E7789E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0077F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0077F6AB
Sleep.KERNEL32(0000000A), ref: 0077F6DB
_wcscmp.LIBCMT ref: 0077F6EF
_wcscmp.LIBCMT ref: 0077F70A
FindNextFileW.KERNEL32(?,?), ref: 0077F7A8
FindClose.KERNEL32(00000000), ref: 0077F7BE

Strings

*.*, xrefs: 0077F690

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 475fa0b186486538b312666bad1acc75186041a05830a4453765010cad5e57d9
Instruction ID: 7b4c1d3da0ae108d5dcc1e04f3e209b750f2528085aa9227cb5aed89048c6028
Opcode Fuzzy Hash: 475fa0b186486538b312666bad1acc75186041a05830a4453765010cad5e57d9
Instruction Fuzzy Hash: A341A27190020AEFCF15DF64CD89AEEBBB4FF05350F54856AE819A3190DB389E84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007258C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00725A05
_memmove.LIBCMT ref: 00725A55
_memmove.LIBCMT ref: 00725ABB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2af60a76a59338dd089f8d60d97ec586be292e3110af8338bdeca21d7513df07
Instruction ID: 4704ec16d10b088d434e5c05cc453bde9c75ee50f9abe06093e0d6034cd475ba
Opcode Fuzzy Hash: 2af60a76a59338dd089f8d60d97ec586be292e3110af8338bdeca21d7513df07
Instruction Fuzzy Hash: BB129C70A00619EFDF14DFA4D985AEEB7F5FF48300F108569E806A7291EB39AD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00725680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00730FF6: std::exception::exception.LIBCMT ref: 0073102C
Part of subcall function 00730FF6: __CxxThrowException@8.LIBCMT ref: 00731041

_memmove.LIBCMT ref: 0076062F
_memmove.LIBCMT ref: 00760744
_memmove.LIBCMT ref: 007607EB

Strings

yZr, xrefs: 00760881, 007607FF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZr
API String ID: 1300846289-1514024707
Opcode ID: 1d749c2eec999e31240ef1945ff1f8f9ac8836f94b47adffccb0ce68b1377eb8
Instruction ID: 84d3ea9b0fd4489e55d48619b946666af68d2ae79ac14fc3e19ba3fac959f03a
Opcode Fuzzy Hash: 1d749c2eec999e31240ef1945ff1f8f9ac8836f94b47adffccb0ce68b1377eb8
Instruction Fuzzy Hash: B90280B0A00219DFDF04DF68D995AAEBBB5FF44300F148069E806DB295EB39DE51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0077545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00768CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00768D0D
Part of subcall function 00768CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00768D3A
Part of subcall function 00768CC3: GetLastError.KERNEL32 ref: 00768D47

ExitWindowsEx.USER32(?,00000000), ref: 0077549B

Strings

SeShutdownPrivilege, xrefs: 0077546B
@, xrefs: 0077548E
, xrefs: 00775489

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7803d47a3f94def2978ac198db6741a16f1925fab4f700fb0cbd5abf925a3039
Instruction ID: 732a5f391502fa2bee018c43dadbeb757d69a208c17b7cda02270de7a63ca753
Opcode Fuzzy Hash: 7803d47a3f94def2978ac198db6741a16f1925fab4f700fb0cbd5abf925a3039
Instruction Fuzzy Hash: 36014731A54B456AEF685378DC4ABBA7358EB003C3F248135FD0FD20C2DADC1C8081A0

Uniqueness

Uniqueness Score: -1.00%

Function 00723190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oar, xrefs: 00723482

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oar
API String ID: 674341424-1181374745
Opcode ID: 8cddb229c06063dfd5bc27a3fb9ed1ff58bda46d53bdf86352ea9e87a98b889d
Instruction ID: c883394248775f2504d9730772335c2dbfdf5b08904043f34044eb11eab87034
Opcode Fuzzy Hash: 8cddb229c06063dfd5bc27a3fb9ed1ff58bda46d53bdf86352ea9e87a98b889d
Instruction Fuzzy Hash: F022BB71608311DFC724DF28D895BABB7E4BF84310F00491DF99A97291DB78EA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00786596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007865EF
WSAGetLastError.WSOCK32(00000000), ref: 007865FE
bind.WSOCK32(00000000,?,00000010), ref: 0078661A
listen.WSOCK32(00000000,00000005), ref: 00786629
WSAGetLastError.WSOCK32(00000000), ref: 00786643
closesocket.WSOCK32(00000000,00000000), ref: 00786657

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: c9a3a2bec9eccb51a02e2bc376655e91846e7cd396d54259dce290dae59f41b6
Instruction ID: 7acfc6d008f0846953af5a70f326894441a59b7c1682affbfb7146a29b6b42ad
Opcode Fuzzy Hash: c9a3a2bec9eccb51a02e2bc376655e91846e7cd396d54259dce290dae59f41b6
Instruction Fuzzy Hash: DE219E30640200EFCB10AF68C849AAEB7F9EF44320F14815AE956E73D1DB78AD42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00711287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

DefDlgProcW.USER32(?,?,?,?,?), ref: 007119FA
GetSysColor.USER32(0000000F), ref: 00711A4E
SetBkColor.GDI32(?,00000000), ref: 00711A61

Part of subcall function 00711290: DefDlgProcW.USER32(?,00000020,?), ref: 007112D8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 34ceb7edbd54329f0285ee45504062dfff232432846461e10d6376f42016f0f3
Instruction ID: a1f0cb16b675fd279206dfebf2ec5ad368c2d91b554c44801e373a2c375a459a
Opcode Fuzzy Hash: 34ceb7edbd54329f0285ee45504062dfff232432846461e10d6376f42016f0f3
Instruction Fuzzy Hash: 73A116A1106584FADB28AB3C5C89DFF2A9DDF45341B94811AF602DE1D2CB2CDD81D2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00786A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007880CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00786AB1
WSAGetLastError.WSOCK32(00000000), ref: 00786ADA
bind.WSOCK32(00000000,?,00000010), ref: 00786B13
WSAGetLastError.WSOCK32(00000000), ref: 00786B20
closesocket.WSOCK32(00000000,00000000), ref: 00786B34

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: ecbaf9a5f7b3ee4b4de53ebc6f4bbdd0f5e2c7cdf1381ac17300aa3e63e6bb1c
Instruction ID: 5e75a46f8ae1264688b60ae3fb59bb994f5fdd1cd3fe0808d86f7af2d7ccb8ef
Opcode Fuzzy Hash: ecbaf9a5f7b3ee4b4de53ebc6f4bbdd0f5e2c7cdf1381ac17300aa3e63e6bb1c
Instruction Fuzzy Hash: BA41E675740210EFEB10BF68DC9AFAE77A99F44B10F44C059FA46AB3C2CA789D418791

Uniqueness

Uniqueness Score: -1.00%

Function 007955FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0079564C
IsWindowEnabled.USER32 ref: 0079565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00795667
IsIconic.USER32 ref: 00795675
IsZoomed.USER32 ref: 00795683

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b7cdd6d2dfb0516efda3ba683bfa8f8f167524420a2d9a6e164d4ed69b531895
Instruction ID: 0174184e0053202b7b6354877a683f2ef49bb6fee201d950d2ba0fa140a96d22
Opcode Fuzzy Hash: b7cdd6d2dfb0516efda3ba683bfa8f8f167524420a2d9a6e164d4ed69b531895
Instruction Fuzzy Hash: 0E11C831300A209FDB121F26EC58A6F7799EF44B21B858029F946D7241CB7CDD42C795

Uniqueness

Uniqueness Score: -1.00%

Function 0077C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0077C69D
CoCreateInstance.OLE32(007A2D6C,00000000,00000001,007A2BDC,?), ref: 0077C6B5

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

CoUninitialize.OLE32 ref: 0077C922

Strings

.lnk, xrefs: 0077C631, 0077C659, 0077C663

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 11c7268f476782d35bfd93ee65fd41dda5b1b717e7d41cf0e3225012039fd350
Instruction ID: 2776ae6fe76c6f748bedb68a25d473277e56da98d3bfafa7b78c4dab60459086
Opcode Fuzzy Hash: 11c7268f476782d35bfd93ee65fd41dda5b1b717e7d41cf0e3225012039fd350
Instruction Fuzzy Hash: 17A12C71108205EFD704EF58C895EABB7ECEF88314F00891CF256971A2DB74EA4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 0078C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00751D88,?), ref: 0078C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0078C324

Strings

GetSystemWow64DirectoryW, xrefs: 0078C31E
kernel32.dll, xrefs: 0078C30D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 322d3479ba5667232207b7b2eebf6b5448482b19cadd6be044e2ae4af96a7bea
Instruction ID: f852737bde19040e5ff760256988bd48eb5c9f9cb67b83685badc84d2a02905c
Opcode Fuzzy Hash: 322d3479ba5667232207b7b2eebf6b5448482b19cadd6be044e2ae4af96a7bea
Instruction Fuzzy Hash: E5E0ECB4680713CFDB215F35E804A4676D4EB09755B90C43AE896D2660E7BCD882CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0078F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0078F151
Process32FirstW.KERNEL32(00000000,?), ref: 0078F15F

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Process32NextW.KERNEL32(00000000,?), ref: 0078F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0078F22E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 9dad6ede6a061163b85842ce1b98d275ca2b12f4f2254fa7baaf07eb60fc16e8
Instruction ID: 50fc99be303fbca0102474b803e1a093e34ed6e26c5c777d196254edf3869ef5
Opcode Fuzzy Hash: 9dad6ede6a061163b85842ce1b98d275ca2b12f4f2254fa7baaf07eb60fc16e8
Instruction Fuzzy Hash: EC517C71504300DBD314EF24DC8AEABBBE8FF94710F10492DF59597291EB78A949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0076EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0076EB19

Strings

|, xrefs: 0076EB49
(, xrefs: 0076EB5F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7f6638e7c1bc0fd5a74ad875fbde48c54787490b0994f4bf2091ea9426a70f6b
Instruction ID: 8a49e8e713b3f3e6a54c01fd1bfa65dcc8e4af5ee0b6bccadf9b14674d36ae0f
Opcode Fuzzy Hash: 7f6638e7c1bc0fd5a74ad875fbde48c54787490b0994f4bf2091ea9426a70f6b
Instruction Fuzzy Hash: 96323679A00605DFDB28CF19D481A6AB7F1FF48310B15C46EE89ADB3A2E774E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007825E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007826D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0078270C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 5e3c57ae1337d2ffb0dfffbe5e9d4b078a595ea8e8fe83f35e810dd26480a0c2
Instruction ID: 0874eecc903d365beef774bc1e4b8168e06614e2c955402d121377419940c99e
Opcode Fuzzy Hash: 5e3c57ae1337d2ffb0dfffbe5e9d4b078a595ea8e8fe83f35e810dd26480a0c2
Instruction Fuzzy Hash: 7241F771640209FFEB20FE95CC85EBBB7FCEB40726F10406EF601A6542EA799E429754

Uniqueness

Uniqueness Score: -1.00%

Function 0077B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0077B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0077B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0077B655

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 96ccd27a98e8be18f8b3e2939eaa013f030302595645459aaf4d6195259185e0
Instruction ID: a4b5e9f092c7a18a055ea47c03b0bde8809289876b67af8c022bc2db8e473ed4
Opcode Fuzzy Hash: 96ccd27a98e8be18f8b3e2939eaa013f030302595645459aaf4d6195259185e0
Instruction Fuzzy Hash: 35215C35A00118EFCB00EFA5D884AEDBBB8FF48310F14C0AAE945EB351DB35A956CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00768CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00730FF6: std::exception::exception.LIBCMT ref: 0073102C
Part of subcall function 00730FF6: __CxxThrowException@8.LIBCMT ref: 00731041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00768D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00768D3A
GetLastError.KERNEL32 ref: 00768D47

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: e832fd124512373218bc7888b90ead067831784fe05cf5875394b61d45947609
Instruction ID: a85592864adaf028377ae90447406bbbcb157c2ff7ec8d517a9364f195a1cb2e
Opcode Fuzzy Hash: e832fd124512373218bc7888b90ead067831784fe05cf5875394b61d45947609
Instruction Fuzzy Hash: F71191B1514209AFE728EF58DC85D6BB7BCFB44710B20862EF85693241EB74AC418A64

Uniqueness

Uniqueness Score: -1.00%

Function 00774021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00774088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00774091

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 98cfe32597252b466bfd49258c851d99c9bc9bca83af253d468867bee373fdea
Instruction ID: df7fbb7bbd3e760d197d2ef8858fc13660a0860e49bec32af81368bcf7e0e18b
Opcode Fuzzy Hash: 98cfe32597252b466bfd49258c851d99c9bc9bca83af253d468867bee373fdea
Instruction Fuzzy Hash: 561133B2904228BEE7109BE8DC44FBFBBBCEB09750F104556BA08E7191D378594587A5

Uniqueness

Uniqueness Score: -1.00%

Function 00774C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00774C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00774C43
FreeSid.ADVAPI32(?), ref: 00774C53

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1d7436c3e46c692fd770b938dccb85b5f74d854905cfde779fa4a5c4f856f1a4
Instruction ID: c860d924f88a3abbb0fdf983d2e5f2e8a66697b2055a0b1f2786399a3b983627
Opcode Fuzzy Hash: 1d7436c3e46c692fd770b938dccb85b5f74d854905cfde779fa4a5c4f856f1a4
Instruction Fuzzy Hash: C1F03775A11208BBDF04DFE49C89AAEBBBCEB08201F1084A9E901E2181E7746A048B54

Uniqueness

Uniqueness Score: -1.00%

Function 00778B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00778B25

Part of subcall function 0073543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007791F8,00000000,?,?,?,?,007793A9,00000000,?), ref: 00735443
Part of subcall function 0073543A: __aulldiv.LIBCMT ref: 00735463

Strings

0u}, xrefs: 00778B1C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u}
API String ID: 2893107130-2815868080
Opcode ID: 5c97ce134243ae2ca1c51c206ed13989f6aa998d5e33b1204ebba75fbaca2fbf
Instruction ID: 1425dc0fb0bcb91f148b461eff5d597981bfb3d7e836e4d244192673bc3ed949
Opcode Fuzzy Hash: 5c97ce134243ae2ca1c51c206ed13989f6aa998d5e33b1204ebba75fbaca2fbf
Instruction Fuzzy Hash: 8221E772635510CBC729CF25D441A52B3F1EBA4321B68CE6DD0F9CB2D0DA38B905CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0071E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c292ec0a8dc09104e723ff17268e4cdb6df759e9882e3cecce1fe6aaba04b1
Instruction ID: 7f13dc79cd574a1a91f7e7835299e3411446cf64acd28439a8137d93be41b480
Opcode Fuzzy Hash: 94c292ec0a8dc09104e723ff17268e4cdb6df759e9882e3cecce1fe6aaba04b1
Instruction Fuzzy Hash: A822AB70A0021ADFDB24DF58C494AEEB7F1FF08300F148469EC56AB391E778A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0077C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0077C966
FindClose.KERNEL32(00000000), ref: 0077C996

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 91cda846c155639a0b7024e1bed6f21e4f0126da13a597ace90bcb7986d8bd4a
Instruction ID: 9eda08315682efd9d453dba955e13cc8c9532ccb9ad826f25987f4e2cc29aa66
Opcode Fuzzy Hash: 91cda846c155639a0b7024e1bed6f21e4f0126da13a597ace90bcb7986d8bd4a
Instruction Fuzzy Hash: 4D11A5316006009FDB10DF29C849A6AF7E9FF84320F00C51EF9A9D7291DB38AC05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0077A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0078977D,?,0079FB84,?), ref: 0077A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0078977D,?,0079FB84,?), ref: 0077A314

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f73e6a589c3da162a6c62dd464109c140f3dbacca5a26a155c808186894f3609
Instruction ID: b80a6a1a5934979419cee17edbc876e851859bd1720a886c7348caffd9b36613
Opcode Fuzzy Hash: f73e6a589c3da162a6c62dd464109c140f3dbacca5a26a155c808186894f3609
Instruction Fuzzy Hash: 5EF0823554422DFBEB10AFA4CC49FEE776DFF09761F008266F909D6181D6349941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00768713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00768851), ref: 00768728
CloseHandle.KERNEL32(?,?,00768851), ref: 0076873A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 647df837c63438c202040b4372da71d37ed38835d6c9bea39de0e60ea4d64966
Instruction ID: 8db6a7aa0a8f1a3cadf7f09ca52a2b2e9cd108dac27fa37329f723c9c0e81d9c
Opcode Fuzzy Hash: 647df837c63438c202040b4372da71d37ed38835d6c9bea39de0e60ea4d64966
Instruction Fuzzy Hash: AAE0B676010610EFE7252B64ED09D777BA9EB04350B24892AF896C0471DB6AAC91DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0073A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00738F97,?,?,?,00000001), ref: 0073A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0073A3A3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3fbbd1754afd74da6e100fbc9f49c93dbdeb755fd33c5d3abac6c430ad665c7a
Instruction ID: 795adce89dd6bb128aeeaeeb0adb3d6bdd28038a7ce0d69299f35dd4a1afabc7
Opcode Fuzzy Hash: 3fbbd1754afd74da6e100fbc9f49c93dbdeb755fd33c5d3abac6c430ad665c7a
Instruction Fuzzy Hash: 14B09231054208EBCA002BA1EC09B883F68EB44BA2F408022F60DC4060CB6A54A28A99

Uniqueness

Uniqueness Score: -1.00%

Function 0073F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e4476be51a86eaf87b7b5a8059e92975b8f484b657f72bc6683d470ffc5a1d
Instruction ID: 3a26c9f99d697b1cf4ea6ada4efb2ffb1d0ee8b3df5045f62549b6211cb8e7ac
Opcode Fuzzy Hash: a9e4476be51a86eaf87b7b5a8059e92975b8f484b657f72bc6683d470ffc5a1d
Instruction Fuzzy Hash: 373213A2D69F414DE7279634DC32336A248AFB73C4F15D737E81AB5AA6EB2DC4834104

Uniqueness

Uniqueness Score: -1.00%

Function 0074267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5198f60ba8b755785337500d9203e0b57d70c231ca280eba120a8127793e0c3
Instruction ID: fc148340a2210c4f7869b78332275c13f3e9a5d68736189d347a2a7f79b8449f
Opcode Fuzzy Hash: e5198f60ba8b755785337500d9203e0b57d70c231ca280eba120a8127793e0c3
Instruction Fuzzy Hash: A3B1FF20E2AF414DD76396398831336BA4CAFFB2D5F91D71BFC2674D22EB2585838241

Uniqueness

Uniqueness Score: -1.00%

Function 007841FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00784218

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 052a6f502e3925121b1ff9c96547c3635fd3543ff23230bd7a214e4780bcf6de
Instruction ID: 3581b821ac10fc043427cf49d31afcf93051b0fe61b798b4dfaea72c20cf1d5c
Opcode Fuzzy Hash: 052a6f502e3925121b1ff9c96547c3635fd3543ff23230bd7a214e4780bcf6de
Instruction Fuzzy Hash: 3FE04F312842159FC710EF69D844A9AF7E8AF94760F00C026FD49D7352DAB8F841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00774EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00774F18

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: fa077269431e134c2ba0e361ebe401b71598018d5b0212448e52a3a619e095b2
Instruction ID: a74fcb60ecd80743f6064b5eaf40b83d8d192b8a8a15a27f66f79c85bc98daf7
Opcode Fuzzy Hash: fa077269431e134c2ba0e361ebe401b71598018d5b0212448e52a3a619e095b2
Instruction Fuzzy Hash: 33D09EB4164609B9FC184B20AC1FF761119E3407D1FECDD89F209D54D19AED6851A035

Uniqueness

Uniqueness Score: -1.00%

Function 00768C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007688D1), ref: 00768CB3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: e6ccb59a0cd983aedb553ae7dd548fc702da4a6a54d25246b9d0ee094b65ac94
Instruction ID: f00c869a167eb82be25509cc50e998e90a54777c5b03877647e1da5710a02253
Opcode Fuzzy Hash: e6ccb59a0cd983aedb553ae7dd548fc702da4a6a54d25246b9d0ee094b65ac94
Instruction Fuzzy Hash: 5DD05E3226450EABEF018EA8DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00752230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00752242

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: edcbf6536926e2e7b72280d60d7864fff761225a649c31962129604c4ef45435
Instruction ID: 6ef49664ad9492b39c7a8642072bd898d41eeb07432ff7d004f44c55444e1ec3
Opcode Fuzzy Hash: edcbf6536926e2e7b72280d60d7864fff761225a649c31962129604c4ef45435
Instruction Fuzzy Hash: 9EC04CF1800109DBDB05DB90D988DFE77BCAB04305F104056E501F2100D7789B448A71

Uniqueness

Uniqueness Score: -1.00%

Function 0073A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0073A36A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 18b6006f344b061f3d6100d466f9772e3027aae675ad6a265ec55fbfe3dbb355
Instruction ID: 3539ce8d1c8a7523803cb021259547c7e97cb2b839c22cbab37830d458f19dde
Opcode Fuzzy Hash: 18b6006f344b061f3d6100d466f9772e3027aae675ad6a265ec55fbfe3dbb355
Instruction Fuzzy Hash: 5BA0123000010CE78A001B51EC044447F5CD6001907008021F40C80021873654514584

Uniqueness

Uniqueness Score: -1.00%

Function 00728A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03e91b3e5d5f7488294f03c223eb71f8c267d3b4d05f8bf4798318b152e287d
Instruction ID: 90fbeccaa60f803f6052f742d028e581f7ab1e6af706b7a342e9b4b56553ebdf
Opcode Fuzzy Hash: e03e91b3e5d5f7488294f03c223eb71f8c267d3b4d05f8bf4798318b152e287d
Instruction Fuzzy Hash: 47224970606626CBCF688F28E49467D77A1FB01304F2885AADC438B691DB3D9DC1DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00732405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 85a55f3b8e3034783a418b50b7ba6ff0192df5bf5e6be76136775ca04c1c73c4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: A2C1913220619309EF2D8639943403EBBE15EA27B1B5A0B5DE4F3CB5D7EF28D525D620

Uniqueness

Uniqueness Score: -1.00%

Function 0073283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: f88982edb06aa4ac99cda376dc1df7dc428304d6b07417fbd34b1c0c0995d49e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 97C1C6322061930AEF2D463A843413EFBE15BA27B175A0B5DE4F2DB4C7EF28D525D620

Uniqueness

Uniqueness Score: -1.00%

Function 009F3670 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: a075cfe306c9c58a61f760774a1f32d6664e7d3b3fdb2ff938778315abdb5cbc
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D041D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D734AB41DB40

Uniqueness

Uniqueness Score: -1.00%

Function 009F3500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 9031444b1c1eb02cca8802cfdc7675a7067cc9d1a9129b8b366824a29bf1075d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 93019D78A04209EFCB48DF98C5909AEF7B5FB88310F608599E919A7701E734EE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 009F3560 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 8a3934c9df97f7c44c966b5588724f510ee9e9d53d27aa66f2152afcc7a05555
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E9019278A11109EFCB44DF98C5909AEF7B5FB88310F608699E909A7701D734AE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 009F1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677391334.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f0000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 007937F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0079F910), ref: 007938AF
IsWindowVisible.USER32(?), ref: 007938D3

Strings

SELECTSTRING, xrefs: 00793A8E
UNCHECK, xrefs: 00793B0B
SETCURRENTSELECTION, xrefs: 00793A3E
CURRENTTAB, xrefs: 00793945
GETCURRENTLINE, xrefs: 00793B75
FINDSTRING, xrefs: 007939FE
ISENABLED, xrefs: 007938F3
ADDSTRING, xrefs: 0079399E
GETSELECTED, xrefs: 00793B2B
TABRIGHT, xrefs: 00793925
ISCHECKED, xrefs: 00793AC1
TABLEFT, xrefs: 0079390F
GETLINE, xrefs: 00793C23
EDITPASTE, xrefs: 00793BE7
DELSTRING, xrefs: 007939D1
SHOWDROPDOWN, xrefs: 00793968
GETCURRENTCOL, xrefs: 00793BB0
CHECK, xrefs: 00793AF5
GETLINECOUNT, xrefs: 00793B4E
ISVISIBLE, xrefs: 007938BF
GETCURRENTSELECTION, xrefs: 00793A6B
SENDCOMMANDID, xrefs: 00793C62
HIDEDROPDOWN, xrefs: 00793988

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 90bc12ba0674461a423ad2a3d95e218cca98ffe37b34bff602ba4abe6b4c3249
Instruction ID: ed58d160bf4dfc52865885fa56ac07a83c320fa56ce9808ce396e70649e46d4e
Opcode Fuzzy Hash: 90bc12ba0674461a423ad2a3d95e218cca98ffe37b34bff602ba4abe6b4c3249
Instruction Fuzzy Hash: 0ED17130204605DBCF14EF24D469AAA77A9AF55354F10846CF8865B2E3CB3DEE4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0079A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0079A89F
GetSysColorBrush.USER32(0000000F), ref: 0079A8D0
GetSysColor.USER32(0000000F), ref: 0079A8DC
SetBkColor.GDI32(?,000000FF), ref: 0079A8F6
SelectObject.GDI32(?,?), ref: 0079A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0079A930
GetSysColor.USER32(00000010), ref: 0079A938
CreateSolidBrush.GDI32(00000000), ref: 0079A93F
FrameRect.USER32(?,?,00000000), ref: 0079A94E
DeleteObject.GDI32(00000000), ref: 0079A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0079A9A0
FillRect.USER32(?,?,?), ref: 0079A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0079A9FD

Part of subcall function 0079AB60: GetSysColor.USER32(00000012), ref: 0079AB99
Part of subcall function 0079AB60: SetTextColor.GDI32(?,?), ref: 0079AB9D
Part of subcall function 0079AB60: GetSysColorBrush.USER32(0000000F), ref: 0079ABB3
Part of subcall function 0079AB60: GetSysColor.USER32(0000000F), ref: 0079ABBE
Part of subcall function 0079AB60: GetSysColor.USER32(00000011), ref: 0079ABDB
Part of subcall function 0079AB60: CreatePen.GDI32(00000000,00000001,@b}), ref: 0079ABE9
Part of subcall function 0079AB60: SelectObject.GDI32(?,00000000), ref: 0079ABFA
Part of subcall function 0079AB60: SetBkColor.GDI32(?,00000000), ref: 0079AC03
Part of subcall function 0079AB60: SelectObject.GDI32(?,?), ref: 0079AC10
Part of subcall function 0079AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0079AC2F
Part of subcall function 0079AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0079AC46
Part of subcall function 0079AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0079AC5B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e3ddc96b114b864016e7f3ed371895d4ff84036b6e1b475a37cd4c4e0600f801
Instruction ID: f8f04e02794a588e9d2e09a5c8712ace3a2cc662edf79d6767b44fbb2d920698
Opcode Fuzzy Hash: e3ddc96b114b864016e7f3ed371895d4ff84036b6e1b475a37cd4c4e0600f801
Instruction Fuzzy Hash: BFA19271009305FFDB119F64DC08E6B7BA9FF88321F108A2AF962D61A0D778D845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00712C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00712CA2
DeleteObject.GDI32(00000000), ref: 00712CE8
DeleteObject.GDI32(00000000), ref: 00712CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00712CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00712D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0074C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0074C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0074CAED

Part of subcall function 00711B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00712036,?,00000000,?,?,?,?,007116CB,00000000,?), ref: 00711B9A

SendMessageW.USER32(?,00001053), ref: 0074CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0074CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0074CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0074CB62

Strings

0, xrefs: 0074C981

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: dfa5a03f52e3d3388ba33ba0c8f4c8101b9308f2945440ecddd8ea522845b9b8
Instruction ID: 0bfbaf669d5c8b2d51f79b5f8cb8963aeaae1adc40aeed7cdde8d7432276cbb2
Opcode Fuzzy Hash: dfa5a03f52e3d3388ba33ba0c8f4c8101b9308f2945440ecddd8ea522845b9b8
Instruction Fuzzy Hash: 3D129230605201EFDB52CF28C888BA9B7E5FF45310F548569F595DB2A2C739EC92CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0079AB60 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0079AB99
SetTextColor.GDI32(?,?), ref: 0079AB9D
GetSysColorBrush.USER32(0000000F), ref: 0079ABB3
GetSysColor.USER32(0000000F), ref: 0079ABBE
CreateSolidBrush.GDI32(?), ref: 0079ABC3
GetSysColor.USER32(00000011), ref: 0079ABDB
CreatePen.GDI32(00000000,00000001,@b}), ref: 0079ABE9
SelectObject.GDI32(?,00000000), ref: 0079ABFA
SetBkColor.GDI32(?,00000000), ref: 0079AC03
SelectObject.GDI32(?,?), ref: 0079AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0079AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0079AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0079AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0079ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0079ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0079ACEC
DrawFocusRect.USER32(?,?), ref: 0079ACF7
GetSysColor.USER32(00000011), ref: 0079AD05
SetTextColor.GDI32(?,00000000), ref: 0079AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0079AD21
SelectObject.GDI32(?,0079A869), ref: 0079AD38
DeleteObject.GDI32(?), ref: 0079AD43
SelectObject.GDI32(?,?), ref: 0079AD49
DeleteObject.GDI32(?), ref: 0079AD4E
SetTextColor.GDI32(?,?), ref: 0079AD54
SetBkColor.GDI32(?,?), ref: 0079AD5E

Strings

@b}, xrefs: 0079ABDF, 0079ABE4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @b}
API String ID: 1996641542-4137963638
Opcode ID: 28fcdecbf76e2d9ff61b7692a17dacd26d66a68a3b9ae4ddb7b2b01a5bb3aa95
Instruction ID: 0ce02923b83f7fad647612fc268d64d3f3ae38cfec12a688e94b5e19d2189083
Opcode Fuzzy Hash: 28fcdecbf76e2d9ff61b7692a17dacd26d66a68a3b9ae4ddb7b2b01a5bb3aa95
Instruction Fuzzy Hash: F4615E71901218FFDF119FA8DC48EAE7B79EB08320F118126F915EB2A1D6799D41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007877BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007877F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007878B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007878EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00787900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00787946
GetClientRect.USER32(00000000,?), ref: 00787952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00787996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007879A5
GetStockObject.GDI32(00000011), ref: 007879B5
SelectObject.GDI32(00000000,00000000), ref: 007879B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007879C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007879D2
DeleteDC.GDI32(00000000), ref: 007879DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00787A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00787A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00787A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00787A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00787A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00787AAE
GetStockObject.GDI32(00000011), ref: 00787AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00787AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00787ACE

Strings

DISPLAY, xrefs: 0078799B
msctls_progress32, xrefs: 00787A4F
static, xrefs: 00787990, 00787AA8
AutoIt v3, xrefs: 0078793E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9173698b21c2b67aaab6192e508e8eef0b855714298cca855fe7063c3b0f694f
Instruction ID: 568eb76e3a85f6d7652607bd6a9389f3352e6fb677ba7acb83952e50309507dd
Opcode Fuzzy Hash: 9173698b21c2b67aaab6192e508e8eef0b855714298cca855fe7063c3b0f694f
Instruction Fuzzy Hash: 92A16071A40209BFEB14DBA8DC4AFAE7BB9EB44710F108115FA15E72E0D778AD01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0077AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0077AF89
GetDriveTypeW.KERNEL32(?,0079FAC0,?,\\.\,0079F910), ref: 0077B066
SetErrorMode.KERNEL32(00000000,0079FAC0,?,\\.\,0079F910), ref: 0077B1C4

Strings

Fixed, xrefs: 0077B0AE
SATA, xrefs: 0077B177
RAMDisk, xrefs: 0077B090
MMC, xrefs: 0077B185
SCSI, xrefs: 0077B131
CDROM, xrefs: 0077B09A
iSCSI, xrefs: 0077B169
USB, xrefs: 0077B15B
\\.\, xrefs: 0077AFDB
PhysicalDrive, xrefs: 0077B012
FileBackedVirtual, xrefs: 0077B193
Removable, xrefs: 0077B0B8
Virtual, xrefs: 0077B18C
SSA, xrefs: 0077B14D
SAS, xrefs: 0077B170
ATAPI, xrefs: 0077B138
SSD, xrefs: 0077B0F1
1394, xrefs: 0077B146
RAID, xrefs: 0077B162
ATA, xrefs: 0077B13F
Unknown, xrefs: 0077B086, 0077B12A
Network, xrefs: 0077B0A4
Fibre, xrefs: 0077B154

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7450e77e4e679ea82047cde894643fb996472196033fc7b3ff36d35696bcefe3
Instruction ID: adad1983ae9ed56a04d80e39d2a205572dc644eadf2eb2cb6deedf5b6b3d202f
Opcode Fuzzy Hash: 7450e77e4e679ea82047cde894643fb996472196033fc7b3ff36d35696bcefe3
Instruction Fuzzy Hash: 15517DB068434DEA8F04DB24C9AAFBD73B2BB543C6760C01DE40EA7690D72D9D42DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00716A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00716A91
__wcsnicmp.LIBCMT ref: 00716AA9
__wcsnicmp.LIBCMT ref: 00716AC1
__wcsnicmp.LIBCMT ref: 00716AD9
__wcsnicmp.LIBCMT ref: 00716AF1
__wcsnicmp.LIBCMT ref: 00716B09
__wcsnicmp.LIBCMT ref: 00716B21
__wcsnicmp.LIBCMT ref: 00716B35
__wcsnicmp.LIBCMT ref: 00716B76
__wcsnicmp.LIBCMT ref: 00716B8A
__wcsnicmp.LIBCMT ref: 00716B9E
__wcsnicmp.LIBCMT ref: 00716BB2

Strings

Bad directive syntax error, xrefs: 0074E743
#pragma compile, xrefs: 00716A8B
#ce, xrefs: 00716BAC
#comments-end, xrefs: 00716B98
#include, xrefs: 00716B03
#include-once, xrefs: 00716AEB
#OnAutoItStartRegister, xrefs: 00716AD3
#comments-start, xrefs: 00716B1B, 00716B70
#cs, xrefs: 00716B2F, 00716B84
Cannot parse #include, xrefs: 0074E819
#notrayicon, xrefs: 00716AA3
Unterminated group of comments, xrefs: 0074E82C
#requireadmin, xrefs: 00716ABB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ccb53973b58e7add467ec90db16133b9590a3a34a08c9f6e73c1eea6cbdf4a71
Instruction ID: 59542865a0b50d20f7a99019355fc77ddeded2eda70d96c046cafa7dfe162602
Opcode Fuzzy Hash: ccb53973b58e7add467ec90db16133b9590a3a34a08c9f6e73c1eea6cbdf4a71
Instruction Fuzzy Hash: AC8108B0644205FBDB35AF38CC86FEA77A8BF15714F148025F945AA1C2EB6CDA81C291

Uniqueness

Uniqueness Score: -1.00%

Function 00798C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00798D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00798D45
CharNextW.USER32(0000014E), ref: 00798D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00798DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00798DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00798DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00798DF9
SetWindowTextW.USER32(?,0000014E), ref: 00798E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00798E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00798E8C
_memset.LIBCMT ref: 00798EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00798EFA
_memset.LIBCMT ref: 00798F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00798F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00798FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00799088
InvalidateRect.USER32(?,00000000,00000001), ref: 007990AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007990F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00799121
DrawMenuBar.USER32(?), ref: 00799130
SetWindowTextW.USER32(?,0000014E), ref: 00799158

Strings

0, xrefs: 007990C2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ff59508a9648b9a3409fcfe962d70cecb67155fc2c027b48d7d7c5a33d541172
Instruction ID: bab70a59a34aef08eb31134c2a89ba090fe12dd4e22a1a7fb2df38e5cb2c216b
Opcode Fuzzy Hash: ff59508a9648b9a3409fcfe962d70cecb67155fc2c027b48d7d7c5a33d541172
Instruction Fuzzy Hash: FBE1A570901219EBDF20DF64DC88EEE7B79FF0A710F10815AF9159A291DB788A81DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00794B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00794C51
GetDesktopWindow.USER32 ref: 00794C66
GetWindowRect.USER32(00000000), ref: 00794C6D
GetWindowLongW.USER32(?,000000F0), ref: 00794CCF
DestroyWindow.USER32(?), ref: 00794CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00794D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00794D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00794D68
SendMessageW.USER32(?,00000421,?,?), ref: 00794D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00794D90
IsWindowVisible.USER32(?), ref: 00794DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00794DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00794DDF
GetWindowRect.USER32(?,?), ref: 00794DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00794E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00794E37
CopyRect.USER32(?,?), ref: 00794E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00794EB9

Strings

0, xrefs: 00794BFC
tooltips_class32, xrefs: 00794D1D
(, xrefs: 00794E2A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 22dde8167edf14eca199e89ff310ab09dd2e78d2cbb2ee30db3e5dc2fadb68e8
Instruction ID: 87dfbb47244fcd130b8090ec1f72656660393a7df95d99ff1e9b3a6d48d66035
Opcode Fuzzy Hash: 22dde8167edf14eca199e89ff310ab09dd2e78d2cbb2ee30db3e5dc2fadb68e8
Instruction Fuzzy Hash: E1B18A71604340AFDB04DF28D849F6ABBE4BF88714F00891DF5999B2A1D778EC46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007128BC
GetSystemMetrics.USER32(00000007), ref: 007128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007128EF
GetSystemMetrics.USER32(00000008), ref: 007128F7
GetSystemMetrics.USER32(00000004), ref: 0071291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00712939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00712949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0071297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00712990
GetClientRect.USER32(00000000,000000FF), ref: 007129AE
GetStockObject.GDI32(00000011), ref: 007129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007129D5

Part of subcall function 00712344: GetCursorPos.USER32(?), ref: 00712357
Part of subcall function 00712344: ScreenToClient.USER32(007D67B0,?), ref: 00712374
Part of subcall function 00712344: GetAsyncKeyState.USER32(00000001), ref: 00712399
Part of subcall function 00712344: GetAsyncKeyState.USER32(00000002), ref: 007123A7

SetTimer.USER32(00000000,00000000,00000028,00711256), ref: 007129FC

Strings

AutoIt v3 GUI, xrefs: 00712974

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fedff877092ef4824185bce0a8c600b2bec01f0fdaf345c779ea3b44f87f885d
Instruction ID: 73e697fb376ae2871edad1cf4ed1e4b77685e91eb764a9aa392fe30ca8850d63
Opcode Fuzzy Hash: fedff877092ef4824185bce0a8c600b2bec01f0fdaf345c779ea3b44f87f885d
Instruction Fuzzy Hash: 7BB15C7160120AEFDB14DFA8DC45BEE7BB4FB08314F10812AFA15E62D0DB789852CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00794069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007940F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007941B6

Strings

GETITEMCOUNT, xrefs: 00794128
DESELECT, xrefs: 007942A4
SELECT, xrefs: 00794250
GETSELECTED, xrefs: 007942E4
SELECTCLEAR, xrefs: 00794235
SELECTALL, xrefs: 0079421D
VIEWCHANGE, xrefs: 00794375
SELECTINVERT, xrefs: 00794286
GETSELECTEDCOUNT, xrefs: 00794199
GETTEXT, xrefs: 0079415F
GETSUBITEMCOUNT, xrefs: 00794141
FINDITEM, xrefs: 00794329
ISSELECTED, xrefs: 007941C1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: ca3dcf8cb63d81a420ada33e0b90bee53dcb4efbf9aaa2f73ca6ce093eda384f
Instruction ID: a23bbc88bb7a229fad72533e4b2f0a5532226a3dd8d241963740f8b3fc8452f3
Opcode Fuzzy Hash: ca3dcf8cb63d81a420ada33e0b90bee53dcb4efbf9aaa2f73ca6ce093eda384f
Instruction Fuzzy Hash: 88A18F30214305DBCF14EF24D855E6AB3E9BF84314F10896CB896AB6D2DB38EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007852F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00785309
LoadCursorW.USER32(00000000,00007F8A), ref: 00785314
LoadCursorW.USER32(00000000,00007F00), ref: 0078531F
LoadCursorW.USER32(00000000,00007F03), ref: 0078532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00785335
LoadCursorW.USER32(00000000,00007F01), ref: 00785340
LoadCursorW.USER32(00000000,00007F81), ref: 0078534B
LoadCursorW.USER32(00000000,00007F88), ref: 00785356
LoadCursorW.USER32(00000000,00007F80), ref: 00785361
LoadCursorW.USER32(00000000,00007F86), ref: 0078536C
LoadCursorW.USER32(00000000,00007F83), ref: 00785377
LoadCursorW.USER32(00000000,00007F85), ref: 00785382
LoadCursorW.USER32(00000000,00007F82), ref: 0078538D
LoadCursorW.USER32(00000000,00007F84), ref: 00785398
LoadCursorW.USER32(00000000,00007F04), ref: 007853A3
LoadCursorW.USER32(00000000,00007F02), ref: 007853AE
GetCursorInfo.USER32(?), ref: 007853BE
GetLastError.KERNEL32(00000001,00000000), ref: 007853E9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 368878f896413c21810b9095768388df61861849d4a7956f0b95b6f938afc5f0
Instruction ID: 900dea564c3e439309788c89a506045ab9e8b5ca82c6e0b2dc17c98ce8e8c42f
Opcode Fuzzy Hash: 368878f896413c21810b9095768388df61861849d4a7956f0b95b6f938afc5f0
Instruction Fuzzy Hash: B0416470E44319AADB10AFBA8C4996FFFF8EF51B50B10452FE509E7290DAB8A401CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0076AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0076AAA5
__swprintf.LIBCMT ref: 0076AB46
_wcscmp.LIBCMT ref: 0076AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0076ABAE
_wcscmp.LIBCMT ref: 0076ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0076AC21
GetDlgCtrlID.USER32(?), ref: 0076AC73
GetWindowRect.USER32(?,?), ref: 0076ACA9
GetParent.USER32(?), ref: 0076ACC7
ScreenToClient.USER32(00000000), ref: 0076ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0076AD48
_wcscmp.LIBCMT ref: 0076AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0076AD82
_wcscmp.LIBCMT ref: 0076AD96

Part of subcall function 0073386C: _iswctype.LIBCMT ref: 00733874

Strings

%s%u, xrefs: 0076AB40

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: cbc1673d6379440325ba7114e189237af397477aa5885b022b6cfb18da957b33
Instruction ID: 6c7ac990fc68299f3009102e3e4b1a93e7debb3c77a4896e0c0d662e43b80212
Opcode Fuzzy Hash: cbc1673d6379440325ba7114e189237af397477aa5885b022b6cfb18da957b33
Instruction Fuzzy Hash: 96A1BC71204306BBD714DF64C884BAAB7E8FF04355F10862AFD9AE2191D738E955CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0076B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0076B3DB
_wcscmp.LIBCMT ref: 0076B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0076B414
CharUpperBuffW.USER32(?,00000000), ref: 0076B431
_wcscmp.LIBCMT ref: 0076B44F
_wcsstr.LIBCMT ref: 0076B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0076B498
_wcscmp.LIBCMT ref: 0076B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0076B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0076B518
_wcscmp.LIBCMT ref: 0076B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0076B550
GetWindowRect.USER32(00000004,?), ref: 0076B5B9

Strings

ThumbnailClass, xrefs: 0076B4A3, 0076B523
@, xrefs: 0076B3BC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 00dffecdd4335115c3f01bef61b83671984b568704b09cc72c6c4128cb6429b8
Instruction ID: de7b24700d6d82c9cc2cf41ee159311d6b710939803102d899b4cfd49a4775cb
Opcode Fuzzy Hash: 00dffecdd4335115c3f01bef61b83671984b568704b09cc72c6c4128cb6429b8
Instruction Fuzzy Hash: 2481C0710083459BDB14DF14C885FAA7BE8EF45314F04856AFD87DA092DB38DD8ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0079C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

DragQueryPoint.SHELL32(?,?), ref: 0079C917

Part of subcall function 0079ADF1: ClientToScreen.USER32(?,?), ref: 0079AE1A
Part of subcall function 0079ADF1: GetWindowRect.USER32(?,?), ref: 0079AE90
Part of subcall function 0079ADF1: PtInRect.USER32(?,?,0079C304), ref: 0079AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0079C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0079C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0079C9AE
_wcscat.LIBCMT ref: 0079C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0079C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0079CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0079CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0079CA47
DragFinish.SHELL32(?), ref: 0079CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0079CB41

Strings

pr}, xrefs: 0079CA8B
@GUI_DRAGID, xrefs: 0079CAB9
@GUI_DROPID, xrefs: 0079CA6E
@GUI_DRAGFILE, xrefs: 0079CAF0

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr}
API String ID: 169749273-4250750409
Opcode ID: bdfae873b4096fd5a46abb2d33ae66dd7c4a53c3743ab8eb2c90e902aeb339e7
Instruction ID: 72470a809ac9dcca1a15d110b4390ab772f3badd514dbe9c132a7399c0b291b8
Opcode Fuzzy Hash: bdfae873b4096fd5a46abb2d33ae66dd7c4a53c3743ab8eb2c90e902aeb339e7
Instruction Fuzzy Hash: 94617C71108300EFCB01DF64DC89D9BBBF9EF88710F004A2EF591961A1DB389A4ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 0076B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0076B23F

Strings

[REGEXPTITLE:, xrefs: 0076B267
LAST, xrefs: 0076B204
HANDLE=, xrefs: 0076B238
ALL, xrefs: 0076B2D3
[CLASS:, xrefs: 0076B28F
REGEXP=, xrefs: 0076B254
[ALL, xrefs: 0076B2E5
ACTIVE, xrefs: 0076B21A
CLASSNAME=, xrefs: 0076B27C
[ACTIVE, xrefs: 0076B22C
[HANDLE:, xrefs: 0076B24B
[LAST, xrefs: 0076B2EC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 52802a644e9d722b7415df580fbbceecf4d280ae4809c16f363dbb7def3039ae
Instruction ID: 56348960d12f6e7b1722362d742fb449f622dd5a3c6c59336f0bbf043f4fd6c5
Opcode Fuzzy Hash: 52802a644e9d722b7415df580fbbceecf4d280ae4809c16f363dbb7def3039ae
Instruction Fuzzy Hash: 9C31D271A44209EADB14FA64CD5BFEE77B8AF21750F60002DF942B10D2EF6D6E84C551

Uniqueness

Uniqueness Score: -1.00%

Function 0076C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0076C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0076C4E6
SetWindowTextW.USER32(?,?), ref: 0076C4FD
GetDlgItem.USER32(?,000003EA), ref: 0076C512
SetWindowTextW.USER32(00000000,?), ref: 0076C518
GetDlgItem.USER32(?,000003E9), ref: 0076C528
SetWindowTextW.USER32(00000000,?), ref: 0076C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0076C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0076C569
GetWindowRect.USER32(?,?), ref: 0076C572
SetWindowTextW.USER32(?,?), ref: 0076C5DD
GetDesktopWindow.USER32 ref: 0076C5E3
GetWindowRect.USER32(00000000), ref: 0076C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0076C636
GetClientRect.USER32(?,?), ref: 0076C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0076C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0076C693

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 53f401da98d25ab2556070639439f9a79500ab312e116e9fd857a923df6ae88b
Instruction ID: 4c5e63c9653da2669a94d66d580b6b1b06df24af08c05ec0604f9f64c8eba8a5
Opcode Fuzzy Hash: 53f401da98d25ab2556070639439f9a79500ab312e116e9fd857a923df6ae88b
Instruction Fuzzy Hash: C4519D31900709EFDB21DFA8CD89B6EBBF5FF04704F104929EA83A25A0C778A915CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0079A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079A4C8
DestroyWindow.USER32(?,?), ref: 0079A542

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0079A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0079A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079A5F1
DestroyWindow.USER32(00000000), ref: 0079A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00710000,00000000), ref: 0079A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079A663
GetDesktopWindow.USER32 ref: 0079A67C
GetWindowRect.USER32(00000000), ref: 0079A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0079A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0079A6B3

Part of subcall function 007125DB: GetWindowLongW.USER32(?,000000EB), ref: 007125EC

Strings

tooltips_class32, xrefs: 0079A5B5, 0079A643
0, xrefs: 0079A4DE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 9aab4f5cf268b0f2c5e6268378db471d820adfceb1541be996cd6681c25a2020
Instruction ID: de95e79bcaa8b61504b7cb38c8ac2a36215b408d3eb76afcbdf45213bc407f44
Opcode Fuzzy Hash: 9aab4f5cf268b0f2c5e6268378db471d820adfceb1541be996cd6681c25a2020
Instruction Fuzzy Hash: 58719971145305AFDB20CF28DC49FAA7BF6EB88304F08452EF985872A0D778E942DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00794619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007946AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007946F6

Strings

EXISTS, xrefs: 0079475F
GETTEXT, xrefs: 00794849
GETITEMCOUNT, xrefs: 007947D8
GETTOTALCOUNT, xrefs: 007946DD
UNCHECK, xrefs: 007948D2
CHECK, xrefs: 00794716
COLLAPSE, xrefs: 0079473C
SELECT, xrefs: 007948A7
EXPAND, xrefs: 007947A8
GETSELECTED, xrefs: 00794806
ISCHECKED, xrefs: 00794879

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 9633f9abcb739d3d535c934ffd91b2c4f31ce5cdbb5643e85879fc4fd776398f
Instruction ID: c98c320491f7bf23eedab871327f2d5c7f1f566d7202d3d60460dd69e458feb8
Opcode Fuzzy Hash: 9633f9abcb739d3d535c934ffd91b2c4f31ce5cdbb5643e85879fc4fd776398f
Instruction Fuzzy Hash: B1915C74204305DBCB14EF24D465EAAB7E5AF84314F04886CF8965B3A2DB39ED4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 0077A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0079FB78), ref: 0077A0FC

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0077A11E
__swprintf.LIBCMT ref: 0077A177
__swprintf.LIBCMT ref: 0077A190
_wprintf.LIBCMT ref: 0077A246
_wprintf.LIBCMT ref: 0077A264

Strings

"%s" (%d) : ==> %s:, xrefs: 0077A25F
Line %d (File "%s"):, xrefs: 0077A171, 0077A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 0077A241
%z, xrefs: 0077A0C9
Error: , xrefs: 0077A20E
^ ERROR, xrefs: 0077A1E8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%z
API String ID: 311963372-3574818463
Opcode ID: e0eb28898e579afb6a76f7e456debe3c5b98c132243dd852a1004c18063c2462
Instruction ID: 63786ac52e6c998fad964abac6272c469026ca41aa7bb5726853e43f88a65d82
Opcode Fuzzy Hash: e0eb28898e579afb6a76f7e456debe3c5b98c132243dd852a1004c18063c2462
Instruction Fuzzy Hash: 1E516072900209FADF19EBE4CD4AEEEB779AF44300F104165F505720A2EB396F99DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0077A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

CharLowerBuffW.USER32(?,?), ref: 0077A636
GetDriveTypeW.KERNEL32 ref: 0077A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077A730

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

Strings

open, xrefs: 0077A65D
type cdaudio alias cd wait, xrefs: 0077A6AE
open , xrefs: 0077A692
set cd door , xrefs: 0077A6D1
closed, xrefs: 0077A64A, 0077A653
close cd wait, xrefs: 0077A71B
wait, xrefs: 0077A6ED
close, xrefs: 0077A63C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 06d9539cce533411313b7dfe1687eb36df4f9fe43084e6fa45a20e8d00603ca5
Instruction ID: 7c78d3e9da8c8c3d54d3d5eda29dcd8a9962b59296daec5a38d48781ebcf98a2
Opcode Fuzzy Hash: 06d9539cce533411313b7dfe1687eb36df4f9fe43084e6fa45a20e8d00603ca5
Instruction Fuzzy Hash: C7517F71104304EFC704EF24C8959AAB7F8FF84758F04896CF88597291DB39AD4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 0077A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0077A47A
__swprintf.LIBCMT ref: 0077A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0077A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0077A4FE
_memset.LIBCMT ref: 0077A51D
_wcsncpy.LIBCMT ref: 0077A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0077A58E
CloseHandle.KERNEL32(00000000), ref: 0077A599
RemoveDirectoryW.KERNEL32(?), ref: 0077A5A2
CloseHandle.KERNEL32(00000000), ref: 0077A5AC

Strings

\??\%s, xrefs: 0077A496
\, xrefs: 0077A4B2
:, xrefs: 0077A4BD

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3b4b42a120f017f56b2f6704c72d99fb216dd5acf491f59023e529fb9be9e1ce
Instruction ID: df67a0f7e42d6caa98d886624bb5344ce976a5616dd7a9347715db2bfc8c4b7e
Opcode Fuzzy Hash: 3b4b42a120f017f56b2f6704c72d99fb216dd5acf491f59023e529fb9be9e1ce
Instruction Fuzzy Hash: C831B3B1500109BBEB219FA0DC49FEF37BCEF88741F1080B6F508D2150E77896558B25

Uniqueness

Uniqueness Score: -1.00%

Function 0074AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0074AB7B
___wtomb_environ.LIBCMT ref: 0074AB9D

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

__malloc_crt.LIBCMT ref: 0074ABC5
__malloc_crt.LIBCMT ref: 0074ABE2
_free.LIBCMT ref: 0074AC19
__recalloc_crt.LIBCMT ref: 0074AC52
__recalloc_crt.LIBCMT ref: 0074AC97
_strlen.LIBCMT ref: 0074ACC3
__calloc_crt.LIBCMT ref: 0074ACCD
_strlen.LIBCMT ref: 0074ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0074AD0A
_free.LIBCMT ref: 0074AD24
_free.LIBCMT ref: 0074AD31
_free.LIBCMT ref: 0074AD43
__invoke_watson.LIBCMT ref: 0074AD5D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 7d67faa81b4c7e8f99356f92a1025168dbe12aa0bf149f0fca92fba5b3d83b99
Instruction ID: 2af52d84a43e04e11227c5649697307f977a1d31bb161c4d2c0def33e5d49206
Opcode Fuzzy Hash: 7d67faa81b4c7e8f99356f92a1025168dbe12aa0bf149f0fca92fba5b3d83b99
Instruction Fuzzy Hash: 5461F7B2981306FFEB205F24DC45B797BA5EF11321F248116F8019B292DB3DD941CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0079C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0079C4EC
GetFocus.USER32 ref: 0079C4FC
GetDlgCtrlID.USER32(00000000), ref: 0079C507
_memset.LIBCMT ref: 0079C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0079C65D
GetMenuItemCount.USER32(?), ref: 0079C67D
GetMenuItemID.USER32(?,00000000), ref: 0079C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0079C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0079C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0079C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0079C779

Strings

0, xrefs: 0079C62A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: a1d0ebe42fbc70be5abf2f00d2827f7555409f6f872a167f0807ca9b34d4c772
Instruction ID: 568b207fd0e8adf1d9dc02b20583d68c421bbf437c737991948162bdfcdc9e3b
Opcode Fuzzy Hash: a1d0ebe42fbc70be5abf2f00d2827f7555409f6f872a167f0807ca9b34d4c772
Instruction Fuzzy Hash: F7818E70208341AFDF11CF14E985A6BBBE9FB88314F10492EF99597291D738E915CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 007683F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0076874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00768766
Part of subcall function 0076874A: GetLastError.KERNEL32(?,0076822A,?,?,?), ref: 00768770
Part of subcall function 0076874A: GetProcessHeap.KERNEL32(00000008,?,?,0076822A,?,?,?), ref: 0076877F
Part of subcall function 0076874A: HeapAlloc.KERNEL32(00000000,?,0076822A,?,?,?), ref: 00768786
Part of subcall function 0076874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076879D

Part of subcall function 007687E7: GetProcessHeap.KERNEL32(00000008,00768240,00000000,00000000,?,00768240,?), ref: 007687F3
Part of subcall function 007687E7: HeapAlloc.KERNEL32(00000000,?,00768240,?), ref: 007687FA
Part of subcall function 007687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00768240,?), ref: 0076880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00768458
_memset.LIBCMT ref: 0076846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0076848C
GetLengthSid.ADVAPI32(?), ref: 0076849D
GetAce.ADVAPI32(?,00000000,?), ref: 007684DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007684F6
GetLengthSid.ADVAPI32(?), ref: 00768513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00768522
HeapAlloc.KERNEL32(00000000), ref: 00768529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0076854A
CopySid.ADVAPI32(00000000), ref: 00768551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00768582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007685A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007685BC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e49989aeea35376143db65245521cf6152f4bfd58c33c34f62f044bc739083f7
Instruction ID: 173affbdb6acd1e7830baa3469e03ad567268fb077b70a77e5f00f50a695ade8
Opcode Fuzzy Hash: e49989aeea35376143db65245521cf6152f4bfd58c33c34f62f044bc739083f7
Instruction Fuzzy Hash: 92611C71900209EBDF50DF94DC45AAEBBB9FF04300F14826AE916E6292DB399A15CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0078762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007876A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007876AE
CreateCompatibleDC.GDI32(?), ref: 007876BA
SelectObject.GDI32(00000000,?), ref: 007876C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0078771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00787757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0078777B
SelectObject.GDI32(00000006,?), ref: 00787783
DeleteObject.GDI32(?), ref: 0078778C
DeleteDC.GDI32(00000006), ref: 00787793
ReleaseDC.USER32(00000000,?), ref: 0078779E

Strings

(, xrefs: 00787723

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ec0001cf9fca862a4d7756e8d9657ac228d1d8ce30395b35015b10cb29385cf9
Instruction ID: e5efac002b1dbda589af623d031450d14b2b4888848d0e66fb527e39e9ccc158
Opcode Fuzzy Hash: ec0001cf9fca862a4d7756e8d9657ac228d1d8ce30395b35015b10cb29385cf9
Instruction Fuzzy Hash: 97514C75A44209EFCB15DFA8CC85EAEBBB9EF48710F24842EF94AD7210D735A841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00716BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00730B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00716C6C,?,00008000), ref: 00730BB7

Part of subcall function 007148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007148A1,?,?,007137C0,?), ref: 007148CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00716D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00716E5A

Part of subcall function 007159CD: _wcscpy.LIBCMT ref: 00715A05

Part of subcall function 0073387D: _iswctype.LIBCMT ref: 00733885

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0074E84A
Bad directive syntax error, xrefs: 0074EBC6
AU3!, xrefs: 00716CC1
Unterminated string, xrefs: 0074EC0D
Error opening the file, xrefs: 0074E866, 0074E8E1
EA06, xrefs: 0074E87B
>>>AUTOIT SCRIPT<<<, xrefs: 0074E8BF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 3db80c559e51313322324f8fa3cfcc86d59da3fbed69ca1d7e5aaac5d1581b02
Instruction ID: 1808dc6413d916140e657e3d9399550c9c67c040789053984309e3a7afe58cf8
Opcode Fuzzy Hash: 3db80c559e51313322324f8fa3cfcc86d59da3fbed69ca1d7e5aaac5d1581b02
Instruction Fuzzy Hash: 13028D71108341DFC728EF28C885AAFBBE5BF95354F04491DF486972A2DB38D989CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007145DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007145F9
GetMenuItemCount.USER32(007D6890), ref: 0074D7CD
GetMenuItemCount.USER32(007D6890), ref: 0074D87D
GetCursorPos.USER32(?), ref: 0074D8C1
SetForegroundWindow.USER32(00000000), ref: 0074D8CA
TrackPopupMenuEx.USER32(007D6890,00000000,?,00000000,00000000,00000000), ref: 0074D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0074D8E9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 3de510869fca151d1ae65e31553f5900763fb24d7767b3cdc9bafc8bbffbe56f
Instruction ID: d9f743cc0fa8e1c0f165cd2f184b526511e24eb74aba1dcb16e264cf670bb26f
Opcode Fuzzy Hash: 3de510869fca151d1ae65e31553f5900763fb24d7767b3cdc9bafc8bbffbe56f
Instruction Fuzzy Hash: 01710670600205BEEB318F24DC49FAABF64FF05368F204216F529A61E1C7B96C60DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00788BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00788BEC
CoInitialize.OLE32(00000000), ref: 00788C19
CoUninitialize.OLE32 ref: 00788C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00788D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00788E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007A2C0C), ref: 00788E84
CoGetObject.OLE32(?,00000000,007A2C0C,?), ref: 00788EA7
SetErrorMode.KERNEL32(00000000), ref: 00788EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00788F3A
VariantClear.OLEAUT32(?), ref: 00788F4A

Strings

,,z, xrefs: 00788BD6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,z
API String ID: 2395222682-1207407898
Opcode ID: de2b3831e4666a7dc0b96e3d2d1668bb003b1b0b2a6d8fe780eb1b35011618dd
Instruction ID: 42106fee5f557e6dc4f78dd7c0c5b8575f2eabba7c4dd6b05b39db3e38b9784e
Opcode Fuzzy Hash: de2b3831e4666a7dc0b96e3d2d1668bb003b1b0b2a6d8fe780eb1b35011618dd
Instruction Fuzzy Hash: 0FC12471208305AFC740EF68C88492AB7E9BF89748F44496DF589DB251DB35ED06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007910A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00790038,?,?), ref: 007910BC

Strings

HKEY_USERS, xrefs: 007911BD
HKCC, xrefs: 0079118A
HKEY_CURRENT_USER, xrefs: 0079119B
HKCR, xrefs: 00791164
HKLM, xrefs: 0079113A
HKEY_LOCAL_MACHINE, xrefs: 00791125
HKEY_CURRENT_CONFIG, xrefs: 00791179
HKCU, xrefs: 007911AC
HKEY_CLASSES_ROOT, xrefs: 0079114F
HKU, xrefs: 007911CE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 5cb7be45d07b1a61225b08199cc74525d8a3cd78b25941a23b844c3281f4c05b
Instruction ID: 9784c5b8e4937fefc214a9b5169ad5c502b771fbacc0574a57f7762a8f153590
Opcode Fuzzy Hash: 5cb7be45d07b1a61225b08199cc74525d8a3cd78b25941a23b844c3281f4c05b
Instruction Fuzzy Hash: F0411C3025024FDBDF14EFA4E895AEA3779BF11340F904468FC915B292D738A96AC790

Uniqueness

Uniqueness Score: -1.00%

Function 00775569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

Part of subcall function 00717A84: _memmove.LIBCMT ref: 00717B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007755D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007755E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007755F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0077560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0077561C

Strings

close PlayMe, xrefs: 007755E3, 00775610
open , xrefs: 00775581
play PlayMe wait, xrefs: 00775606
alias PlayMe, xrefs: 007755AB
status PlayMe mode, xrefs: 007755CD
play PlayMe, xrefs: 00775617

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 443ce8c222501376910bfb5040cb16b09f8c4139e00a360081229ad95efa0321
Instruction ID: 6b11b8aa3e1f31327779b0f5fc8a8d826195aaacafca428f8281eb33d8e64c86
Opcode Fuzzy Hash: 443ce8c222501376910bfb5040cb16b09f8c4139e00a360081229ad95efa0321
Instruction Fuzzy Hash: 7311E2606501ADB9DB24A7A5CC5AEFFBB7CEF91F44F40442DB404A20C1DEA80D45C5A1

Uniqueness

Uniqueness Score: -1.00%

Function 007748F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0077490E
gethostname.WSOCK32(?,00000100), ref: 00774928
gethostbyname.WSOCK32(?), ref: 00774935
_wcscpy.LIBCMT ref: 0077495D
_memmove.LIBCMT ref: 00774970
inet_ntoa.WSOCK32(?), ref: 0077497B
_strcat.LIBCMT ref: 00774989
_wcscpy.LIBCMT ref: 007749A0
WSACleanup.WSOCK32 ref: 007749AE
_wcscpy.LIBCMT ref: 007749BC

Strings

0.0.0.0, xrefs: 00774957

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: a0835316c36e4f29004f6acd9fc249520d2154b36333e9faa761023808167a71
Instruction ID: c798ccdcebc513d896143cc0a76f9999f930e4645ae0226cb74ca948b0518a50
Opcode Fuzzy Hash: a0835316c36e4f29004f6acd9fc249520d2154b36333e9faa761023808167a71
Instruction Fuzzy Hash: 0411E731A04115EBDF24EB64EC4AEDB77BCDF01760F048176F548D6092EF7CAA828A51

Uniqueness

Uniqueness Score: -1.00%

Function 00775217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0077521C

Part of subcall function 00730719: timeGetTime.WINMM(?,75C0B400,00720FF9), ref: 0073071D

Sleep.KERNEL32(0000000A), ref: 00775248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0077526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0077528E
SetActiveWindow.USER32 ref: 007752AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007752BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 007752DA
Sleep.KERNEL32(000000FA), ref: 007752E5
IsWindow.USER32 ref: 007752F1
EndDialog.USER32(00000000), ref: 00775302

Strings

BUTTON, xrefs: 00775280

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 92413b4d734ac2576e381a84a7bbf09d5bc5e9587b0c0b8890487491ce51bf19
Instruction ID: ab84665706fc99e786d0d808a44202c4275787099dbe1df9058ecf49c1e01471
Opcode Fuzzy Hash: 92413b4d734ac2576e381a84a7bbf09d5bc5e9587b0c0b8890487491ce51bf19
Instruction Fuzzy Hash: A92162B1205704AFEB045B60ED89B253B7AFB543C6F10D42AF40AC1171DBAD9C61D77A

Uniqueness

Uniqueness Score: -1.00%

Function 0077D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

CoInitialize.OLE32(00000000), ref: 0077D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0077D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0077D8FC
CoCreateInstance.OLE32(007A2D7C,00000000,00000001,007CA89C,?), ref: 0077D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0077D9B7
CoTaskMemFree.OLE32(?,?), ref: 0077DA0F
_memset.LIBCMT ref: 0077DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0077DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0077DAAB
CoTaskMemFree.OLE32(00000000), ref: 0077DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0077DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0077DAEB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 1725354ce2ba994996755793b3ad65b1c28cdbb724a5464a86829c2bd1282ac4
Instruction ID: 07f0316c26364c402d8d4a638fe7b7fbe52c4493cea46070fa892cd02927021b
Opcode Fuzzy Hash: 1725354ce2ba994996755793b3ad65b1c28cdbb724a5464a86829c2bd1282ac4
Instruction Fuzzy Hash: 24B10B75A00109EFDB14DFA4C888DAEBBB9FF48354B148469F909EB261DB34ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0077052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007705A7
SetKeyboardState.USER32(?), ref: 00770612
GetAsyncKeyState.USER32(000000A0), ref: 00770632
GetKeyState.USER32(000000A0), ref: 00770649
GetAsyncKeyState.USER32(000000A1), ref: 00770678
GetKeyState.USER32(000000A1), ref: 00770689
GetAsyncKeyState.USER32(00000011), ref: 007706B5
GetKeyState.USER32(00000011), ref: 007706C3
GetAsyncKeyState.USER32(00000012), ref: 007706EC
GetKeyState.USER32(00000012), ref: 007706FA
GetAsyncKeyState.USER32(0000005B), ref: 00770723
GetKeyState.USER32(0000005B), ref: 00770731

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 57626c10e61853599ae495823aac88cc8615613ffa1e34f8a8fec2f2b2370d17
Instruction ID: 7620d9065d03271be78c7e739dee76a0090c3be47db67b3389e203ec1a69c659
Opcode Fuzzy Hash: 57626c10e61853599ae495823aac88cc8615613ffa1e34f8a8fec2f2b2370d17
Instruction Fuzzy Hash: 2F51EE20A0478899FF35DBB48855BEABFB49F013C0F48C59AD5CA5A1C2D65CAB4CCBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0076C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0076C746
GetWindowRect.USER32(00000000,?), ref: 0076C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0076C7B6
GetDlgItem.USER32(?,00000002), ref: 0076C7C1
GetWindowRect.USER32(00000000,?), ref: 0076C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0076C827
GetDlgItem.USER32(?,000003E9), ref: 0076C835
GetWindowRect.USER32(00000000,?), ref: 0076C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0076C889
GetDlgItem.USER32(?,000003EA), ref: 0076C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0076C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0076C8C1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bbd990ea9a464560ec7e4a1bb8e10f5a4eb48c04edc856ab035ee6595be4c4de
Instruction ID: ae2489373cf94ea037a3a1e94d978958639102f0b35fa7301182f476eaba3df4
Opcode Fuzzy Hash: bbd990ea9a464560ec7e4a1bb8e10f5a4eb48c04edc856ab035ee6595be4c4de
Instruction Fuzzy Hash: A2515E71B00205AFDB18CFA8DD89ABEBBBAEB88310F14812DF916D7290D7749D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0071201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00711B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00712036,?,00000000,?,?,?,?,007116CB,00000000,?), ref: 00711B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007120D3
KillTimer.USER32(-00000001,?,?,?,?,007116CB,00000000,?,?,00711AE2,?,?), ref: 0071216E
DestroyAcceleratorTable.USER32(00000000), ref: 0074BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007116CB,00000000,?,?,00711AE2,?,?), ref: 0074BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007116CB,00000000,?,?,00711AE2,?,?), ref: 0074BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007116CB,00000000,?,?,00711AE2,?,?), ref: 0074BF5A
DeleteObject.GDI32(00000000), ref: 0074BF6C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 9792d49e92611dab6dd10255e33dfa0cfa53dcc7cafea011106ad6762037fed4
Instruction ID: adf9891a3039f9c36e26b2619eb9a4e4c80339ec8db72bd3abb862490e6d4308
Opcode Fuzzy Hash: 9792d49e92611dab6dd10255e33dfa0cfa53dcc7cafea011106ad6762037fed4
Instruction Fuzzy Hash: 69618A31101614EFCB35DF18DD48B6AB7F2FB44312F10852AE14686AA1C77DACA6EF94

Uniqueness

Uniqueness Score: -1.00%

Function 007121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007125DB: GetWindowLongW.USER32(?,000000EB), ref: 007125EC

GetSysColor.USER32(0000000F), ref: 007121D3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cfb56d58de3ab668b79da0456fbc152f7e3961d5347ad20a62adf44a7f2d1557
Instruction ID: fcc0ee455ee04ee5657cec65d54eaf7334119b17ae61a1bfb4b82486f7663189
Opcode Fuzzy Hash: cfb56d58de3ab668b79da0456fbc152f7e3961d5347ad20a62adf44a7f2d1557
Instruction Fuzzy Hash: A7416E31100144ABDB255F2CDC88BF93B65EB06331F298266FD658A1E6C7398C93DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0077AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0079F910), ref: 0077AB76
GetDriveTypeW.KERNEL32(00000061,007CA620,00000061), ref: 0077AC40
_wcscpy.LIBCMT ref: 0077AC6A

Strings

unknown, xrefs: 0077AC01
cdrom, xrefs: 0077AB92
all, xrefs: 0077AB7C
removable, xrefs: 0077ABA8
network, xrefs: 0077ABD4
fixed, xrefs: 0077ABBE
ramdisk, xrefs: 0077ABEA

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 96473a3f74c07cf92d4ec2ce9e2d59b433094a90bb4f2e0e0e07a0fdde9f3242
Instruction ID: fa8eeb4064b17bedc3403581adfd7646b4bb59eeb5f4bf63a748f51919328103
Opcode Fuzzy Hash: 96473a3f74c07cf92d4ec2ce9e2d59b433094a90bb4f2e0e0e07a0fdde9f3242
Instruction Fuzzy Hash: A551C570204305EBDB14EF14C895AAFB7A5EF80345F10882DF585572E2D739D94ACA53

Uniqueness

Uniqueness Score: -1.00%

Function 0079C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

Part of subcall function 00712344: GetCursorPos.USER32(?), ref: 00712357
Part of subcall function 00712344: ScreenToClient.USER32(007D67B0,?), ref: 00712374
Part of subcall function 00712344: GetAsyncKeyState.USER32(00000001), ref: 00712399
Part of subcall function 00712344: GetAsyncKeyState.USER32(00000002), ref: 007123A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0079C2E4
ImageList_EndDrag.COMCTL32 ref: 0079C2EA
ReleaseCapture.USER32 ref: 0079C2F0
SetWindowTextW.USER32(?,00000000), ref: 0079C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0079C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0079C48F

Strings

pr}, xrefs: 0079C3FD
pr}, xrefs: 0079C438
@GUI_DROPID, xrefs: 0079C3E1
@GUI_DRAGFILE, xrefs: 0079C424

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr}$pr}
API String ID: 1924731296-3786841344
Opcode ID: 40fb95c328e2c867c9824eb403487ab056a4823958c01fb6646ed95b085c3778
Instruction ID: 0cde6c0beb91179883327602297f60d4533f5804b59ad6eb15e0ca5f5121c05b
Opcode Fuzzy Hash: 40fb95c328e2c867c9824eb403487ab056a4823958c01fb6646ed95b085c3778
Instruction Fuzzy Hash: 39518B70204344EFDB04DF24D89AFAA7BF5EB88310F00852EF5958B2E1DB38A955DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00719997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 007199C2
__swprintf.LIBCMT ref: 00719A0C
__i64tow.LIBCMT ref: 0074FA0F

Strings

False, xrefs: 0074F9D7
0x%p, xrefs: 0074F9F1
True, xrefs: 0074F9D0
%.15g, xrefs: 00719A06

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e5ec41e905fc10f0d1107368a45f06404653b11aad0dbe4ca87ee7217c127f97
Instruction ID: fd32ca6c9a854759b227555bca721205319c5f9fbc2b3a5f167862336cf78d60
Opcode Fuzzy Hash: e5ec41e905fc10f0d1107368a45f06404653b11aad0dbe4ca87ee7217c127f97
Instruction Fuzzy Hash: 2841B671614205EFEB249F38DC56FB673E8EB44300F24446EE649D7292EB79A942CB11

Uniqueness

Uniqueness Score: -1.00%

Function 007973C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007973D9
CreateMenu.USER32 ref: 007973F4
SetMenu.USER32(?,00000000), ref: 00797403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00797490
IsMenu.USER32(?), ref: 007974A6
CreatePopupMenu.USER32 ref: 007974B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007974DD
DrawMenuBar.USER32 ref: 007974E5

Strings

0, xrefs: 007973CF
F, xrefs: 007974D1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 3b128f923e5e2d5b47e8c071a85fea51c6bfa12893d5add6821d3341fb7b2ec1
Instruction ID: 6e46665d577952437a2a8f363a8bc37e7f21ad384151bb12f1c6ea8513ee35eb
Opcode Fuzzy Hash: 3b128f923e5e2d5b47e8c071a85fea51c6bfa12893d5add6821d3341fb7b2ec1
Instruction Fuzzy Hash: 4F416674A01249EFDF24DF68E888E9ABBB9FF49300F14402AE91597361D738AD20CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0079772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007977CD
CreateCompatibleDC.GDI32(00000000), ref: 007977D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007977E7
SelectObject.GDI32(00000000,00000000), ref: 007977EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 007977FA
DeleteDC.GDI32(00000000), ref: 00797803
GetWindowLongW.USER32(?,000000EC), ref: 0079780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00797821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0079782D

Strings

static, xrefs: 00797765

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 84287d41740dc52c4eb98c0e85b8fb4afa4f2d5053abba745dbf3fe7f8270eb1
Instruction ID: ab526d13d9fd54903998e0110a13346efc3a6b26f1d0c97efa46688a8ca6acd8
Opcode Fuzzy Hash: 84287d41740dc52c4eb98c0e85b8fb4afa4f2d5053abba745dbf3fe7f8270eb1
Instruction Fuzzy Hash: 91316D31115219EBDF159FA4EC09FDA3B69FF09360F114225FA15E60A0C739D822DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00737040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0073707B

Part of subcall function 00738D68: __getptd_noexit.LIBCMT ref: 00738D68

__gmtime64_s.LIBCMT ref: 00737114
__gmtime64_s.LIBCMT ref: 0073714A
__gmtime64_s.LIBCMT ref: 00737167
__allrem.LIBCMT ref: 007371BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007371D9
__allrem.LIBCMT ref: 007371F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0073720E
__allrem.LIBCMT ref: 00737225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00737243
__invoke_watson.LIBCMT ref: 007372B4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: d404b62c8fbdc670aeb1b4148329f1ba4ed9298286c9c6853fdd9b2fdba42ae6
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: D471DBB2A04716EBF7289E79CC8575BB3B4BF55320F14422AF914D6682E778D940C790

Uniqueness

Uniqueness Score: -1.00%

Function 00772A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00772A31
GetMenuItemInfoW.USER32(007D6890,000000FF,00000000,00000030), ref: 00772A92
SetMenuItemInfoW.USER32(007D6890,00000004,00000000,00000030), ref: 00772AC8
Sleep.KERNEL32(000001F4), ref: 00772ADA
GetMenuItemCount.USER32(?), ref: 00772B1E
GetMenuItemID.USER32(?,00000000), ref: 00772B3A
GetMenuItemID.USER32(?,-00000001), ref: 00772B64
GetMenuItemID.USER32(?,?), ref: 00772BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00772BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00772C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00772C24

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: c9e10509074af79f7a70297ddeb6c13a9f831315489f7ccd7bf74ea00d36a002
Instruction ID: a8acd4d972d777054eedbf45c264915f67c5b4e91f5fac4a76bc5132726d0fb1
Opcode Fuzzy Hash: c9e10509074af79f7a70297ddeb6c13a9f831315489f7ccd7bf74ea00d36a002
Instruction Fuzzy Hash: 9A61A1B0900249EFDF11CF64C888DBE7BB8EB01384F14845AE865D3262E739AD17DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00797192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00797214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00797217
GetWindowLongW.USER32(?,000000F0), ref: 0079723B
_memset.LIBCMT ref: 0079724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0079725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007972D6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 9935d0d869140eb960b6cf24c0775d979da78089b86b41c4f2781ab0adc08eea
Instruction ID: 942cd1e8133f76ab5bf9d027fdfe8ac7ae1f7c2ae88e69ca38151e0d425c76e4
Opcode Fuzzy Hash: 9935d0d869140eb960b6cf24c0775d979da78089b86b41c4f2781ab0adc08eea
Instruction Fuzzy Hash: 26617A71A00248AFDB10DFA4DC81EEE77F9EB09710F14416AFA14A73A1D778AD45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00767135
SafeArrayAllocData.OLEAUT32(?), ref: 0076718E
VariantInit.OLEAUT32(?), ref: 007671A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 007671C0
VariantCopy.OLEAUT32(?,?), ref: 00767213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00767227
VariantClear.OLEAUT32(?), ref: 0076723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00767249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00767252
VariantClear.OLEAUT32(?), ref: 00767264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076726F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 57b4251e24f7290bbe8af20e7154b0a64a3477504ed60af55c2523d5193def99
Instruction ID: 0402acad43f50eef9bf374b184165e449815c9a1e5cba814a5263f608e86df5a
Opcode Fuzzy Hash: 57b4251e24f7290bbe8af20e7154b0a64a3477504ed60af55c2523d5193def99
Instruction Fuzzy Hash: F5412F35A04119EFCB04DF68DC589EEBBB9FF48354F008069E956E7261DB38A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007886D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

CoInitialize.OLE32 ref: 00788718
CoUninitialize.OLE32 ref: 00788723
CoCreateInstance.OLE32(?,00000000,00000017,007A2BEC,?), ref: 00788783
IIDFromString.OLE32(?,?), ref: 007887F6
VariantInit.OLEAUT32(?), ref: 00788890
VariantClear.OLEAUT32(?), ref: 007888F1

Strings

Invalid parameter, xrefs: 0078880F
Failed to create object, xrefs: 0078878E, 00788844
NULL Pointer assignment, xrefs: 007887C8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: c4399c81ba953eae0aa1368e4dbfca8013a3b810f20cb5caa6c5eed116e60526
Instruction ID: 0f7498d8e71235216ea88c5966b2a346cc8be9c215ffdef7e2d9e61d4c34582d
Opcode Fuzzy Hash: c4399c81ba953eae0aa1368e4dbfca8013a3b810f20cb5caa6c5eed116e60526
Instruction Fuzzy Hash: FF61AB70648301EFD750EF64C848B6ABBE8AF88714F94481DF9859B291CB38ED45CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00785A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00785AA6
inet_addr.WSOCK32(?,?,?), ref: 00785AEB
gethostbyname.WSOCK32(?), ref: 00785AF7
IcmpCreateFile.IPHLPAPI ref: 00785B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00785B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00785B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00785C00
WSACleanup.WSOCK32 ref: 00785C06

Strings

Ping, xrefs: 00785B29

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5a5a4b3afe906dae0e143a05a4fbd8f8e8bad015f6bc804fefd3fd76a4b66d17
Instruction ID: 96b6a8e1749502ce9fc86e01c55a6a7f7d592cb1ff55c19ac391ab5bcb39388d
Opcode Fuzzy Hash: 5a5a4b3afe906dae0e143a05a4fbd8f8e8bad015f6bc804fefd3fd76a4b66d17
Instruction Fuzzy Hash: E6518F71644700DFD710AF24CC49B6ABBE4EF44320F14892AF556DB2E1DB78EC418B55

Uniqueness

Uniqueness Score: -1.00%

Function 0077B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0077B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0077B7B1
GetLastError.KERNEL32 ref: 0077B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0077B828

Strings

READY, xrefs: 0077B801
INVALID, xrefs: 0077B7FA
READONLY, xrefs: 0077B7F3
NOTREADY, xrefs: 0077B7E7
UNKNOWN, xrefs: 0077B7E0

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d09c8a1bb52f5e96e0a24a81fd4ad688d108391b4235aae035f4c3132fcdefbd
Instruction ID: 4b8058276f8af9c1e55dcd5276339d7a8808b40091527b0674a0bb36ba59970d
Opcode Fuzzy Hash: d09c8a1bb52f5e96e0a24a81fd4ad688d108391b4235aae035f4c3132fcdefbd
Instruction Fuzzy Hash: 7E318275A00209EFDB14EF68C889BBE77B8EF84754F10C02AE509D7291DB799942C791

Uniqueness

Uniqueness Score: -1.00%

Function 00769471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 0076B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0076B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007694F6
GetDlgCtrlID.USER32 ref: 00769501
GetParent.USER32 ref: 0076951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00769520
GetDlgCtrlID.USER32(?), ref: 00769529
GetParent.USER32(?), ref: 00769545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00769548

Strings

ListBox, xrefs: 007694B3
ComboBox, xrefs: 0076947E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4644d27af593a09c6c6fe0541f8c66975310c612ace3b6582ad82d44e82a4293
Instruction ID: cb2f82d0d719c84c7e128f0968f4b33758d173c6686116e1f4bf43bbec173684
Opcode Fuzzy Hash: 4644d27af593a09c6c6fe0541f8c66975310c612ace3b6582ad82d44e82a4293
Instruction Fuzzy Hash: B3219574900204FBCF059B64CC89EFEBB79EF45310F10415AFA62972E2DB7D596ADA20

Uniqueness

Uniqueness Score: -1.00%

Function 0076955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 0076B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0076B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007695DF
GetDlgCtrlID.USER32 ref: 007695EA
GetParent.USER32 ref: 00769606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00769609
GetDlgCtrlID.USER32(?), ref: 00769612
GetParent.USER32(?), ref: 0076962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00769631

Strings

ListBox, xrefs: 0076959E
ComboBox, xrefs: 00769569

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: efe51e6ee3fd789af736862c9484218e7c132f3bdb2c484b56eb91fa3e76f681
Instruction ID: 40d0b3592cb541b34e30202e8d698df7a551a8b006f8766c88a53f4f7991b4c8
Opcode Fuzzy Hash: efe51e6ee3fd789af736862c9484218e7c132f3bdb2c484b56eb91fa3e76f681
Instruction Fuzzy Hash: F921B675A00204FBDF05AB64CC89EFEBB79EF45300F104156FA12971E1DB7D996ADA20

Uniqueness

Uniqueness Score: -1.00%

Function 00769645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00769651
GetClassNameW.USER32(00000000,?,00000100), ref: 00769666
_wcscmp.LIBCMT ref: 00769678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007696F3

Strings

SHELLDLL_DefView, xrefs: 00769672
list, xrefs: 007696D5
details, xrefs: 007696A1
smallicons, xrefs: 007696BB
largeicons, xrefs: 00769687

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: a6e3873095f77591e813b2c9392f316e251811d1d519e2cedab865b4b0dcd889
Instruction ID: fa729366e58bd2f148d2ae44bfda0963fd0763c4049a96cfba9c99c0cc44c9e0
Opcode Fuzzy Hash: a6e3873095f77591e813b2c9392f316e251811d1d519e2cedab865b4b0dcd889
Instruction Fuzzy Hash: FE118A76248717FAF6112620EC0FDA6779C9B05770F20012BFF11E50D2FE7E59615658

Uniqueness

Uniqueness Score: -1.00%

Function 00774189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0077419D
__swprintf.LIBCMT ref: 007741AA

Part of subcall function 007338D8: __woutput_l.LIBCMT ref: 00733931

FindResourceW.KERNEL32(?,?,0000000E), ref: 007741D4
LoadResource.KERNEL32(?,00000000), ref: 007741E0
LockResource.KERNEL32(00000000), ref: 007741ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0077420D
LoadResource.KERNEL32(?,00000000), ref: 0077421F
SizeofResource.KERNEL32(?,00000000), ref: 0077422E
LockResource.KERNEL32(?), ref: 0077423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0077429B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: ae81827392464ef413127602934a1f302c562bec3b6df8daa92b283c121625b9
Instruction ID: 68fd9da2167d6755d855ad8f9b3fc248cdefc7244e17d71133eabf27a75007d3
Opcode Fuzzy Hash: ae81827392464ef413127602934a1f302c562bec3b6df8daa92b283c121625b9
Instruction Fuzzy Hash: 6731907160521AABDF119F60EC48EBF7BACFF04341F008526F90AD2151E778DA62CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007716DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00771700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00770778,?,00000001), ref: 00771714
GetWindowThreadProcessId.USER32(00000000), ref: 0077171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00770778,?,00000001), ref: 0077172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0077173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00770778,?,00000001), ref: 00771755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00770778,?,00000001), ref: 00771767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00770778,?,00000001), ref: 007717AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00770778,?,00000001), ref: 007717C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00770778,?,00000001), ref: 007717CC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8c189e89caef2c45a3e2ff6e8f4c2947a4f1f7264aff7773f658ee9229d72fa1
Instruction ID: 346a9c43e2832dd486585221b2a6953f844216e9a8f32495c18f8728a8c1ad20
Opcode Fuzzy Hash: 8c189e89caef2c45a3e2ff6e8f4c2947a4f1f7264aff7773f658ee9229d72fa1
Instruction Fuzzy Hash: DE31A075601304ABDF299F18DC84B6937BDAB157A2F50C016F808E62A0E77C9D41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00789428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0078947C
VariantInit.OLEAUT32(?), ref: 0078954D
VariantInit.OLEAUT32(?), ref: 0078964E
VariantClear.OLEAUT32(?), ref: 00789658
VariantClear.OLEAUT32(?), ref: 007896B5

Strings

,,z, xrefs: 007894FA
Null Object assignment in FOR..IN loop, xrefs: 007894DD, 0078960B, 007896C3
Incorrect Object type in FOR..IN loop, xrefs: 00789631

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,z$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-364764217
Opcode ID: 90e06cf8b258e8bd2c0bdf1e4d331580b6160e61942920474301ed138e3a36ed
Instruction ID: 59964e1bec4711fd8e82fbfd29fd988ec079739b37d162931f1e6f4768973aa8
Opcode Fuzzy Hash: 90e06cf8b258e8bd2c0bdf1e4d331580b6160e61942920474301ed138e3a36ed
Instruction Fuzzy Hash: 0391C070A40219EFDF24EFA5C848FAEB7B8EF85314F148159F615AB280D7789905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0076AA64), ref: 0076A9A2

Strings

CLASSNN, xrefs: 0076A744
INSTANCE, xrefs: 0076A8B0
TEXT, xrefs: 0076A8D9
REGEXPCLASS, xrefs: 0076A767
NAME, xrefs: 0076A7D4
CLASS, xrefs: 0076A721

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b80ff0c79a70953d38ca86434db2fd0da4e038dfd9e8263562349f92443d579d
Instruction ID: a1753c37ada1d57896ce46d22eef2969b8b3160f714b3a1ee21581eb8138fa02
Opcode Fuzzy Hash: b80ff0c79a70953d38ca86434db2fd0da4e038dfd9e8263562349f92443d579d
Instruction Fuzzy Hash: 8191917060060AFADB18DF60C485BE9FBB4BF04314F108129D98BB7191DB387A99DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00712E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00712EAE

Part of subcall function 00711DB3: GetClientRect.USER32(?,?), ref: 00711DDC
Part of subcall function 00711DB3: GetWindowRect.USER32(?,?), ref: 00711E1D
Part of subcall function 00711DB3: ScreenToClient.USER32(?,?), ref: 00711E45

GetDC.USER32 ref: 0074CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0074CF95
SelectObject.GDI32(00000000,00000000), ref: 0074CFA3
SelectObject.GDI32(00000000,00000000), ref: 0074CFB8
ReleaseDC.USER32(?,00000000), ref: 0074CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0074D04B

Strings

U, xrefs: 0074CF20

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1f42f00432fcf9a8b3ef30fcdf7dd2e026c5f18eadeb7531bf358e66d1d33a1b
Instruction ID: b22f6cc55f44d2b1a667dba0f768e6c9a371e33ee0c479822bb43fe931ef42c6
Opcode Fuzzy Hash: 1f42f00432fcf9a8b3ef30fcdf7dd2e026c5f18eadeb7531bf358e66d1d33a1b
Instruction Fuzzy Hash: 6D71C431501205DFCF21CF68C884AEA7BB6FF49350F14826AED959B1A6C73D8C96DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00788F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0079F910), ref: 0078903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0079F910), ref: 00789071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007891EB
SysFreeString.OLEAUT32(?), ref: 00789215

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: bd357a5b9b35183d91768baf00f2aaec3b7d7f222be321d39728db1698100a05
Instruction ID: 9c19246b62d3fdbf84fcc3f6a92a8ce404e2ce1c745c86d762d6d4d5df753b8b
Opcode Fuzzy Hash: bd357a5b9b35183d91768baf00f2aaec3b7d7f222be321d39728db1698100a05
Instruction Fuzzy Hash: B0F12971A40109EFCB14EF94C888EBEB7B9BF49314F148059F616AB290DB35AE46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0078F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0078F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0078FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0078FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0078FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0078FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0078FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0078FD90
CloseHandle.KERNEL32(?), ref: 0078FDBF
CloseHandle.KERNEL32(?), ref: 0078FE36

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: b185f7ac22a371e6288278ab9e79079d99cb9de8ffd62755c659cd542a6a9c0c
Instruction ID: 52d9797da378fa43cfa94689e1a01eae70e04a9aa8aab468e2115750ff968cda
Opcode Fuzzy Hash: b185f7ac22a371e6288278ab9e79079d99cb9de8ffd62755c659cd542a6a9c0c
Instruction Fuzzy Hash: E8E1D131244301DFCB14EF24C895A6ABBE0EF85350F14886DF9998B2A2DB39EC41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00774F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007738D3,?), ref: 007748C7

Part of subcall function 007748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007738D3,?), ref: 007748E0

Part of subcall function 00774CD3: GetFileAttributesW.KERNEL32(?,00773947), ref: 00774CD4

lstrcmpiW.KERNEL32(?,?), ref: 00774FE2
_wcscmp.LIBCMT ref: 00774FFC
MoveFileW.KERNEL32(?,?), ref: 00775017

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4b8200086b21db703073fd7083d5e8d47f9d1e9cc5664a9d1956c0c591df3c23
Instruction ID: 0edc814f5347ab6618e45c1764bf0fbf7d43a69a9d08244cbe1263381bf4e35a
Opcode Fuzzy Hash: 4b8200086b21db703073fd7083d5e8d47f9d1e9cc5664a9d1956c0c591df3c23
Instruction Fuzzy Hash: 665185B25087859BCB24DB60C8859DFB3ECAF85341F00492EF189D7152EF78A189C766

Uniqueness

Uniqueness Score: -1.00%

Function 007988B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0079896E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: be2d64c2a2dc326e4fb485e08c35ac06cadcec0b483bfc2d38094b3f2ec6c77c
Instruction ID: d261a8b4cabfa9a6a587dafcd4a403844751e31fc6cbed6097f62ab3f7429286
Opcode Fuzzy Hash: be2d64c2a2dc326e4fb485e08c35ac06cadcec0b483bfc2d38094b3f2ec6c77c
Instruction Fuzzy Hash: FD51A570500208FFDF609F28EC89FA93B65FB06360F508112F515E62A1DF7DA9909792

Uniqueness

Uniqueness Score: -1.00%

Function 00712B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0074C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0074C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0074C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0074C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0074C5C0
DestroyIcon.USER32(00000000), ref: 0074C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0074C5EC
DestroyIcon.USER32(?), ref: 0074C5FB

Part of subcall function 0079A71E: DeleteObject.GDI32(00000000), ref: 0079A757

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: faed14530c982b30cc2a110bb9c7e747857e529180efc8aba1fe75eb32c216ea
Instruction ID: 23357b2f226be2e2314cc4cbbc52cba08465d142ed9f043e8d9a43d3e283126b
Opcode Fuzzy Hash: faed14530c982b30cc2a110bb9c7e747857e529180efc8aba1fe75eb32c216ea
Instruction Fuzzy Hash: D75147B4601209EFDB24DF28CC45BAA77B5EB54350F208529F902D72E0DB78EDA1DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00768E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00768A84,00000B00,?,?), ref: 00768E0C
HeapAlloc.KERNEL32(00000000,?,00768A84,00000B00,?,?), ref: 00768E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00768A84,00000B00,?,?), ref: 00768E28
GetCurrentProcess.KERNEL32(?,00000000,?,00768A84,00000B00,?,?), ref: 00768E30
DuplicateHandle.KERNEL32(00000000,?,00768A84,00000B00,?,?), ref: 00768E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00768A84,00000B00,?,?), ref: 00768E43
GetCurrentProcess.KERNEL32(00768A84,00000000,?,00768A84,00000B00,?,?), ref: 00768E4B
DuplicateHandle.KERNEL32(00000000,?,00768A84,00000B00,?,?), ref: 00768E4E
CreateThread.KERNEL32(00000000,00000000,00768E74,00000000,00000000,00000000), ref: 00768E68

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c356f53f100dec3ca379f1bdda6823d9b55e0e68f9586c819effba023ce59996
Instruction ID: 39623971ff93a5d5db34b030b3d157674edb0e8c28774ff0ab77963398c4ea2d
Opcode Fuzzy Hash: c356f53f100dec3ca379f1bdda6823d9b55e0e68f9586c819effba023ce59996
Instruction Fuzzy Hash: E901BFB5280308FFE710AB65DC4DF5B3B6CEB89711F108422FA05DB2A1CA759C01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00789A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00767652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?,?,0076799D), ref: 0076766F
Part of subcall function 00767652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?), ref: 0076768A
Part of subcall function 00767652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?), ref: 00767698
Part of subcall function 00767652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?), ref: 007676A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00789B1B
_memset.LIBCMT ref: 00789B28
_memset.LIBCMT ref: 00789C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00789C97
CoTaskMemFree.OLE32(?), ref: 00789CA2

Strings

NULL Pointer assignment, xrefs: 00789CF0

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 22767d60d60f4e3258ffb65b3b7dbe4b35d5455b5e11e43225e3953f4acfdefb
Instruction ID: 742eb3ce78cb1ede72ac4c132e0c41855c8d2edb4921b60a6a297c704595394a
Opcode Fuzzy Hash: 22767d60d60f4e3258ffb65b3b7dbe4b35d5455b5e11e43225e3953f4acfdefb
Instruction Fuzzy Hash: 60913971D00219EBDF10DFA4DC84EEEBBB9AF08710F24815AF519A7281DB759A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00796FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00797093
SendMessageW.USER32(?,00001036,00000000,?), ref: 007970A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007970C1
_wcscat.LIBCMT ref: 0079711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00797133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00797161

Strings

SysListView32, xrefs: 00797065

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 47341c79196a764042e3d324530d59b103bccca70845a82a03464ef5935553d5
Instruction ID: 0efd4ddf1b8722a7d5e52c1da3f814aad1252d9b2c219f18910ede2d81b9471d
Opcode Fuzzy Hash: 47341c79196a764042e3d324530d59b103bccca70845a82a03464ef5935553d5
Instruction Fuzzy Hash: 2C41A170A54308EFEF259F68DC89BEE77A8EF08350F10442AF584E7192D67A9D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0078EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00773E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00773EB6
Part of subcall function 00773E91: Process32FirstW.KERNEL32(00000000,?), ref: 00773EC4
Part of subcall function 00773E91: CloseHandle.KERNEL32(00000000), ref: 00773F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0078ECB8
GetLastError.KERNEL32 ref: 0078ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0078ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0078ED77
GetLastError.KERNEL32(00000000), ref: 0078ED82
CloseHandle.KERNEL32(00000000), ref: 0078EDB7

Strings

SeDebugPrivilege, xrefs: 0078ECD6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 01d217ecdae0cff80d6076289221e3960188583e420f3cb340a7ffd3f39d0aba
Instruction ID: abe2bb1f22a32c9d1279197240e1c91a325d798d120fa65a57c6e072af99ffe6
Opcode Fuzzy Hash: 01d217ecdae0cff80d6076289221e3960188583e420f3cb340a7ffd3f39d0aba
Instruction Fuzzy Hash: 5241AC71340200DFDB14EF24CC99FADB7A5AF80714F188459F9469B2C2DB7DA849CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00773226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007732C5

Strings

blank, xrefs: 00773247
question, xrefs: 0077327E
warning, xrefs: 007732AE
stop, xrefs: 00773296
info, xrefs: 00773266

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 22d4c8d8ce227974ee289c25b0e2911bb29c023a9a2bee27b9ca24e94883d617
Instruction ID: b0aeeccf071b3be5d862105350bbae603edd832fb090a2d2cc9d6a3f6bb3f695
Opcode Fuzzy Hash: 22d4c8d8ce227974ee289c25b0e2911bb29c023a9a2bee27b9ca24e94883d617
Instruction Fuzzy Hash: DC116A3124835ABBEF015B54DC47DAAB39CFF193B4F20802EF908A6183E67E5F0016A5

Uniqueness

Uniqueness Score: -1.00%

Function 00774534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0077454E
LoadStringW.USER32(00000000), ref: 00774555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0077456B
LoadStringW.USER32(00000000), ref: 00774572
_wprintf.LIBCMT ref: 00774598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007745B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00774593

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6ac2dbb6a74d8dbdc69a5e782779177df996e41fc51be6dd81cc7ce4885d36d0
Instruction ID: 33414d3c32804dc6d4ea12e6eb61d7eb0803d97dd5bd9e9973c3385d0f82a01a
Opcode Fuzzy Hash: 6ac2dbb6a74d8dbdc69a5e782779177df996e41fc51be6dd81cc7ce4885d36d0
Instruction Fuzzy Hash: 29014FF3940208BFE750A7A09D89EF6776CD708301F0045A6FB49E2051EA789E958B74

Uniqueness

Uniqueness Score: -1.00%

Function 0079D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

GetSystemMetrics.USER32(0000000F), ref: 0079D78A
GetSystemMetrics.USER32(0000000F), ref: 0079D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0079D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0079DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0079DA24
ShowWindow.USER32(00000003,00000000), ref: 0079DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0079DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0079DA8B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2e45a166f1d4fa5901427a8350ed7a3d4d84d5688ab84b369b289533f12190d9
Instruction ID: 7e17d95a5044b47e61f39676cbd50edc89c0b9410b640a26020bebe9f8568503
Opcode Fuzzy Hash: 2e45a166f1d4fa5901427a8350ed7a3d4d84d5688ab84b369b289533f12190d9
Instruction Fuzzy Hash: E8B17875600225EBDF24CF69D9897AD7BB1FF04711F08C06AEC489B295D738AD60CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00712A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0074C417,00000004,00000000,00000000,00000000), ref: 00712ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0074C417,00000004,00000000,00000000,00000000,000000FF), ref: 00712B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0074C417,00000004,00000000,00000000,00000000), ref: 0074C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0074C417,00000004,00000000,00000000,00000000), ref: 0074C4D6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bc03ca39dc3f4c3cac1e84fe7d4695eda15b027ee670d7540c9837a9447ede1c
Instruction ID: 3665a2b616f84be586568ee7c32a5232c5e89be7c856e810f8d4cb80476705c6
Opcode Fuzzy Hash: bc03ca39dc3f4c3cac1e84fe7d4695eda15b027ee670d7540c9837a9447ede1c
Instruction Fuzzy Hash: 8C412B312086C0AAC7358B2C9D9C7FA3FA1AF45300F14C41AE447965E2D73D98D3D720

Uniqueness

Uniqueness Score: -1.00%

Function 00777368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0077737F

Part of subcall function 00730FF6: std::exception::exception.LIBCMT ref: 0073102C
Part of subcall function 00730FF6: __CxxThrowException@8.LIBCMT ref: 00731041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007773B6
EnterCriticalSection.KERNEL32(?), ref: 007773D2
_memmove.LIBCMT ref: 00777420
_memmove.LIBCMT ref: 0077743D
LeaveCriticalSection.KERNEL32(?), ref: 0077744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00777461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00777480

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 9b6ae07c146248c860feb23bc63f75905d6fa9bd6242c8e63fe0becfc33ca341
Instruction ID: 5ca10a3ba18ae0cdc6d2d061b630edf4f51ca66bb13f8ce1f45e4880fd8b3c2e
Opcode Fuzzy Hash: 9b6ae07c146248c860feb23bc63f75905d6fa9bd6242c8e63fe0becfc33ca341
Instruction Fuzzy Hash: F931AF31904205EBDF14DF64DC89AAE7BB8FF44310F1480A6F904EB246DB389A11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00796442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0079645A
GetDC.USER32(00000000), ref: 00796462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0079646D
ReleaseDC.USER32(00000000,00000000), ref: 00796479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007964B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007964C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00799299,?,?,000000FF,00000000,?,000000FF,?), ref: 00796500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00796520

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8e4c06661ae87d1794c9565de4aeba0141adafa14026ee7bf1aa766b092dfa7d
Instruction ID: 500488d04a187b7ae66d9b39f2a6f66271fcd9b6abeb09eb02904ad955e98077
Opcode Fuzzy Hash: 8e4c06661ae87d1794c9565de4aeba0141adafa14026ee7bf1aa766b092dfa7d
Instruction Fuzzy Hash: 4D318D72200214BFEF108F50DC8AFEA3FA9EF09761F044066FE08DA295D6799852CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0076C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0076C087
_memcmp.LIBCMT ref: 0076C0A9
_memcmp.LIBCMT ref: 0076C0C1
_memcmp.LIBCMT ref: 0076C0D4
_memcmp.LIBCMT ref: 0076C0EE
_memcmp.LIBCMT ref: 0076C101
_memcmp.LIBCMT ref: 0076C119
_memcmp.LIBCMT ref: 0076C134

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 86f905f9f97274624a29b1f8f7fbf1efa8ba933a83d77fff5744f84819261ac4
Instruction ID: 395df8b2a07a30b460bd0038696cba3759feceae4366a11b31de1ab66a676118
Opcode Fuzzy Hash: 86f905f9f97274624a29b1f8f7fbf1efa8ba933a83d77fff5744f84819261ac4
Instruction Fuzzy Hash: 012183E1640209F7A616A6258D47FBB335CAE523A4F444020FD8796283EB5DDD12C1A5

Uniqueness

Uniqueness Score: -1.00%

Function 0077ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

Part of subcall function 0072FEC6: _wcscpy.LIBCMT ref: 0072FEE9

_wcstok.LIBCMT ref: 0077EEFF
_wcscpy.LIBCMT ref: 0077EF8E
_memset.LIBCMT ref: 0077EFC1

Strings

X, xrefs: 0077EFFE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 399c0ddf983ca89b290aefc13eb96062ae78c008ad5a405d977e55855b73267b
Instruction ID: 0c94e54ce7633efaea7f524935f3bb19e44e75f57a56b4b43d27dbc1c4f7d84b
Opcode Fuzzy Hash: 399c0ddf983ca89b290aefc13eb96062ae78c008ad5a405d977e55855b73267b
Instruction Fuzzy Hash: 4CC17371508300DFCB14EF28C999A9AB7E4FF85350F00896DF599972A2DB38ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00711424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eace0290a3a8cbd3e1dd83f72778dfb615ef742e5954a263cdb9ad6bb5d083f
Instruction ID: 24abefe495da462e0370a1ad164147fc648e0bf9e15f84c6f690eb8c596fa9bd
Opcode Fuzzy Hash: 9eace0290a3a8cbd3e1dd83f72778dfb615ef742e5954a263cdb9ad6bb5d083f
Instruction Fuzzy Hash: 47716E30900149EFCB04CF98CC49AFEBB79FF85710F548159FA15AA291C738AA91CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00786E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eea52316f44d08f04c33dbef9acf10a36a9a0837965ab76eb179ecef09bedbd
Instruction ID: 232b13464de64314ed2806f94ebf0a219dd0fe2f92699f1a677647d3122825a2
Opcode Fuzzy Hash: 7eea52316f44d08f04c33dbef9acf10a36a9a0837965ab76eb179ecef09bedbd
Instruction Fuzzy Hash: 1C61FF71548300EBC714EF28CC8AEAFB7E9AF84714F508919F5469B2E2DA38DD45C792

Uniqueness

Uniqueness Score: -1.00%

Function 0079B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011E7658), ref: 0079B6A5
IsWindowEnabled.USER32(011E7658), ref: 0079B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0079B795
SendMessageW.USER32(011E7658,000000B0,?,?), ref: 0079B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0079B809
GetWindowLongW.USER32(011E7658,000000EC), ref: 0079B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0079B843

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c0b3adbc66076c4be8396543acb5aad58ecfe6f17bb679cf8c0a01f33e3e22cd
Instruction ID: 53be78caa3d1a9a7dc86bc32a29972e7287780fc008502a57e788df2a5e40022
Opcode Fuzzy Hash: c0b3adbc66076c4be8396543acb5aad58ecfe6f17bb679cf8c0a01f33e3e22cd
Instruction Fuzzy Hash: 4E71AD34600204EFDF209FA4FAD4FAA7BB9FF89310F14416AE945973A1C739A951CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0078F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0078F75C
_memset.LIBCMT ref: 0078F825
ShellExecuteExW.SHELL32(?), ref: 0078F86A

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

Part of subcall function 0072FEC6: _wcscpy.LIBCMT ref: 0072FEE9

GetProcessId.KERNEL32(00000000), ref: 0078F8E1
CloseHandle.KERNEL32(00000000), ref: 0078F910

Strings

@, xrefs: 0078F839

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: f0e64273ad1a69e8b937db5726c9944e6f67c06e1054b8957c7baa5e57703dff
Instruction ID: 2d636f7988d03ff4ed392da72d008b834e2a1227c646cbbb76a53a66814e2cf8
Opcode Fuzzy Hash: f0e64273ad1a69e8b937db5726c9944e6f67c06e1054b8957c7baa5e57703dff
Instruction Fuzzy Hash: 8261AE75A00619DFCF14EF68C4949AEBBF5FF48310F148469E846AB391DB38AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0077145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0077149C
GetKeyboardState.USER32(?), ref: 007714B1
SetKeyboardState.USER32(?), ref: 00771512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00771540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0077155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 007715A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007715C8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 07d2ff739a454fa336df3ae519afaf2e7d13617d3c7cc44ecc2cbc359f7a7992
Instruction ID: b743e2050ebed5b54676f22114609566c421b4dfd19b2e8f954c07f57a8c8606
Opcode Fuzzy Hash: 07d2ff739a454fa336df3ae519afaf2e7d13617d3c7cc44ecc2cbc359f7a7992
Instruction Fuzzy Hash: F151E3A06047D53EFF3A463C8C45BBA7FA95B46384F4CC489E1D9998C2C69CDCA4D750

Uniqueness

Uniqueness Score: -1.00%

Function 00771276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007712B5
GetKeyboardState.USER32(?), ref: 007712CA
SetKeyboardState.USER32(?), ref: 0077132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00771357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00771374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007713B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007713D9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: dfea12b214c0610ffa4234a9f06bad55ba0b904e11ae67ac5337372c5c054576
Instruction ID: a6b92ef3cf1011c424cd7ad186f6e4cd542f0e00fde63acbfee0c2df43c1c36a
Opcode Fuzzy Hash: dfea12b214c0610ffa4234a9f06bad55ba0b904e11ae67ac5337372c5c054576
Instruction Fuzzy Hash: 8251F4A06047D57DFF3683288C45B7ABFA96B06380F48C589E1DC9A8C2D398EC94D750

Uniqueness

Uniqueness Score: -1.00%

Function 0077589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007758AC
_wcsncpy.LIBCMT ref: 007758E1
_wcsncpy.LIBCMT ref: 00775913
_wcsncpy.LIBCMT ref: 00775946
_wcsncpy.LIBCMT ref: 00775988
_wcsncpy.LIBCMT ref: 007759C2
_wcsncpy.LIBCMT ref: 007759F1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: bfe22523bebf9afa98832e04bdfe21ed8494e4b44bfbafeb33476f6bfe25266d
Instruction ID: 9be7347e719f312b63817d5c2e32985bfb47403f37edae5fc1ac826de916516b
Opcode Fuzzy Hash: bfe22523bebf9afa98832e04bdfe21ed8494e4b44bfbafeb33476f6bfe25266d
Instruction Fuzzy Hash: D0418365C20528B6DB10EBB4888A9CF77B8AF04710F508966F618E3123F639E755C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0076DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0076DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0076DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0076DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0076DB8E

Strings

,,z, xrefs: 0076DA69
DllGetClassObject, xrefs: 0076DB01

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,z$DllGetClassObject
API String ID: 753597075-4073682629
Opcode ID: 00e953310fbad76556f79eedf6e4d4d15986e0510823244f8aa4e35aab2306a2
Instruction ID: a35d62378d01734625e1123170d6c3e4337797049c854ba421285e5bf2cb5c48
Opcode Fuzzy Hash: 00e953310fbad76556f79eedf6e4d4d15986e0510823244f8aa4e35aab2306a2
Instruction Fuzzy Hash: 484176B1B10208DFDB25CF54C884A9A7BA9EF45350F1581AEED0ADF209D7B9DD40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007738AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007738D3,?), ref: 007748C7

Part of subcall function 007748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007738D3,?), ref: 007748E0

lstrcmpiW.KERNEL32(?,?), ref: 007738F3
_wcscmp.LIBCMT ref: 0077390F
MoveFileW.KERNEL32(?,?), ref: 00773927
_wcscat.LIBCMT ref: 0077396F
SHFileOperationW.SHELL32(?), ref: 007739DB

Strings

\*.*, xrefs: 00773969

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ce98f55ccba41d918bdd94109e2cefac4c984e617ae6394fde08eb3ab7bfe807
Instruction ID: 7c6b2f3462bfb6fe139b4581e336bea12cd16d4dd28b3309ce975f6fe74d33f2
Opcode Fuzzy Hash: ce98f55ccba41d918bdd94109e2cefac4c984e617ae6394fde08eb3ab7bfe807
Instruction Fuzzy Hash: 7D4162B250C3449ACB51EF64C885ADFB7E8AF88384F44492EF589C3151EB7CD689CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00797500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00797519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007975C0
IsMenu.USER32(?), ref: 007975D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00797620
DrawMenuBar.USER32 ref: 00797633

Strings

0, xrefs: 0079750D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f9d51fd076f0efae8585ca53064439b1df91bbc6dd5910d0fe468ef31b82b975
Instruction ID: 253e3d0d22620c2931b51cd0d3ade40713ead5154e79bbc12ff486922f79c7c9
Opcode Fuzzy Hash: f9d51fd076f0efae8585ca53064439b1df91bbc6dd5910d0fe468ef31b82b975
Instruction Fuzzy Hash: B5415675A15608EFDF24DF58E884E9ABBF9FF08310F04802AE91597290D738AD50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0079122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0079125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00791286
FreeLibrary.KERNEL32(00000000), ref: 0079133D

Part of subcall function 0079122D: RegCloseKey.ADVAPI32(?), ref: 007912A3
Part of subcall function 0079122D: FreeLibrary.KERNEL32(?), ref: 007912F5
Part of subcall function 0079122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00791318

RegDeleteKeyW.ADVAPI32(?,?), ref: 007912E0

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 6bd04e724b1366a9f7a72d89e13457278db172ea68e792511a95bb63e8035210
Instruction ID: e3323a1f19415e08949492d358b566d331dd203f69d5f30415246be90beb45be
Opcode Fuzzy Hash: 6bd04e724b1366a9f7a72d89e13457278db172ea68e792511a95bb63e8035210
Instruction Fuzzy Hash: F6312D71A0110ABFDF15DB94EC89AFEB7BCEF08300F40416AE501E2151EA789E559BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0079653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0079655B
GetWindowLongW.USER32(011E7658,000000F0), ref: 0079658E
GetWindowLongW.USER32(011E7658,000000F0), ref: 007965C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007965F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0079661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00796630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0079664A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 21f2c34814d23e83d62f7303f14b24e09533f4f8bc8fd6954b28aa9abf0ae639
Instruction ID: bc3ec6524a21c5860f92053c64ef1d42f7969f5a57722b6c2904b6c3935f2e14
Opcode Fuzzy Hash: 21f2c34814d23e83d62f7303f14b24e09533f4f8bc8fd6954b28aa9abf0ae639
Instruction Fuzzy Hash: AC31F230604250AFDF21CF18EC85F553BE1FB4A750F1A42A9F511CB2B5CB69E860DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00786486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007880CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007864D9
WSAGetLastError.WSOCK32(00000000), ref: 007864E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00786521
connect.WSOCK32(00000000,?,00000010), ref: 0078652A
WSAGetLastError.WSOCK32 ref: 00786534
closesocket.WSOCK32(00000000), ref: 0078655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00786576

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 42f95738ec7e3e11ec172bc8361a001eb5f553814f8e4f2133de87d03f0509e1
Instruction ID: dbe25e8387632c7ab6dca17654d118219c9e77cca67889e2b9fe5fe0de8584dd
Opcode Fuzzy Hash: 42f95738ec7e3e11ec172bc8361a001eb5f553814f8e4f2133de87d03f0509e1
Instruction Fuzzy Hash: C3318131640118ABDB10AF64CC89FBE7BA9EB44724F048069F949E7291DB78AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0076E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0076E120
SysAllocString.OLEAUT32(00000000), ref: 0076E123
SysAllocString.OLEAUT32 ref: 0076E144
SysFreeString.OLEAUT32 ref: 0076E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0076E167
SysAllocString.OLEAUT32(?), ref: 0076E175

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: de13d2e97ea63be303fd01297ad686e131fe1848f24e8f79fb6eeeeaf71f10c8
Instruction ID: 9369fc3244fdb5c4e75f11f8174495934eddf4ec29e8d9e2d140f784fccadcd7
Opcode Fuzzy Hash: de13d2e97ea63be303fd01297ad686e131fe1848f24e8f79fb6eeeeaf71f10c8
Instruction Fuzzy Hash: 40215379604108AFDB149FA8DC88DAB77ECEB0A760B508136FD15CB261DA78DC419B74

Uniqueness

Uniqueness Score: -1.00%

Function 0079783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00711D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00711D73
Part of subcall function 00711D35: GetStockObject.GDI32(00000011), ref: 00711D87
Part of subcall function 00711D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00711D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007978A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007978AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007978B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007978C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007978D4

Strings

Msctls_Progress32, xrefs: 00797872

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3c6d31255800948c4ff01d1649f42867e0d6ccb0dfbf1933e9d861e631557bb3
Instruction ID: 10b79756d80e1dfb7e072d98e9e2b936dd2ccf51d5dc178ebedc204c931b7d79
Opcode Fuzzy Hash: 3c6d31255800948c4ff01d1649f42867e0d6ccb0dfbf1933e9d861e631557bb3
Instruction Fuzzy Hash: 9E11B2B2110219BFEF159F64DC85EEB7F6DEF08768F014115FA04A6090C7769C21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007341C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00734292,?), ref: 007341E3
GetProcAddress.KERNEL32(00000000), ref: 007341EA
EncodePointer.KERNEL32(00000000), ref: 007341F6
DecodePointer.KERNEL32(00000001,00734292,?), ref: 00734213

Strings

combase.dll, xrefs: 007341DE
RoInitialize, xrefs: 007341D2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: f8704df36267a25002374a44a47d5ca78bfca77644ab7b69755de9b2675f28f7
Instruction ID: d4a462d3299d57b720b0f395327fcb9b9362807341bdc05c3859559c255ff13d
Opcode Fuzzy Hash: f8704df36267a25002374a44a47d5ca78bfca77644ab7b69755de9b2675f28f7
Instruction Fuzzy Hash: 06E01AB0692308AFEF205BB4EC0DB043BA4B761706F54C526F511E50A1DBBE50928F08

Uniqueness

Uniqueness Score: -1.00%

Function 0073429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007341B8), ref: 007342B8
GetProcAddress.KERNEL32(00000000), ref: 007342BF
EncodePointer.KERNEL32(00000000), ref: 007342CA
DecodePointer.KERNEL32(007341B8), ref: 007342E5

Strings

combase.dll, xrefs: 007342B3
RoUninitialize, xrefs: 007342A7

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 010f1e2684f7d64cc80512c27c1098447d300bbe5390a7d58cbadf8d151bcb3e
Instruction ID: 460443374c84e1571290d029705e8898fc527a704f55079b142c33b8c7143cf7
Opcode Fuzzy Hash: 010f1e2684f7d64cc80512c27c1098447d300bbe5390a7d58cbadf8d151bcb3e
Instruction Fuzzy Hash: 2AE0B6B9682315EBEB149B64EC0DB053BB4B725742F10C136F011F11A1CBBE9582CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 0077675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007768AD
_memmove.LIBCMT ref: 007767E8

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

_memmove.LIBCMT ref: 0077685B
_memmove.LIBCMT ref: 00776942
_memmove.LIBCMT ref: 0077695B
_memmove.LIBCMT ref: 00776977

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
Instruction ID: c98c09621a120fdccfa3c4b284911213df8b198262715ff38819e7f6f7ae5a4c
Opcode Fuzzy Hash: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
Instruction Fuzzy Hash: B761013050065ADBDF15EF24CC99EFE37A8AF44348F048518FA595B1D6DB38AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0079046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 007910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00790038,?,?), ref: 007910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00790548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00790588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007905AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007905D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00790617
RegCloseKey.ADVAPI32(00000000), ref: 00790624

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 8c44941e2b87a8c06880c0185b1f4ab7c45cb6ee1841c791332724b7068f3848
Instruction ID: b8bf8d9173c71862a169376ce713aa1e64344e03d2eb483556e5a6f228beaf83
Opcode Fuzzy Hash: 8c44941e2b87a8c06880c0185b1f4ab7c45cb6ee1841c791332724b7068f3848
Instruction Fuzzy Hash: 55515B31218200EFCB14EB28D889E6ABBE9FF84714F04891DF545871A1DB39E955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00795A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00795A82
GetMenuItemCount.USER32(00000000), ref: 00795AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00795AE1
GetMenuItemID.USER32(?,?), ref: 00795B50
GetSubMenu.USER32(?,?), ref: 00795B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00795BAF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 3a51f3160539d3be8e97523831a267bf79a91a86b6bb73eb9590e8cbb04ff7b2
Instruction ID: 3171de829e35ea78c5200549683d4a08308482939fa426bcf83a2663919f7784
Opcode Fuzzy Hash: 3a51f3160539d3be8e97523831a267bf79a91a86b6bb73eb9590e8cbb04ff7b2
Instruction Fuzzy Hash: 06519F71A00625EFDF11EFA4D845AAEBBB4EF48320F108469E915B7351CB78AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0076F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0076F3F7
VariantClear.OLEAUT32(00000013), ref: 0076F469
VariantClear.OLEAUT32(00000000), ref: 0076F4C4
_memmove.LIBCMT ref: 0076F4EE
VariantClear.OLEAUT32(?), ref: 0076F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0076F569

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 7e08e9693ffe8d1496fcde4d1c073a41e47571accdc9dda16fa7c89a69093645
Instruction ID: bd1612889204e91f2298139c0aa97a56cc3c9768a3e45a13d5fa42f814e827e3
Opcode Fuzzy Hash: 7e08e9693ffe8d1496fcde4d1c073a41e47571accdc9dda16fa7c89a69093645
Instruction Fuzzy Hash: 44516CB5A00249DFCB14CF58D884AAAB7B8FF4C314B15816AED5ADB311E734E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007726F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00772747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00772792
IsMenu.USER32(00000000), ref: 007727B2
CreatePopupMenu.USER32 ref: 007727E6
GetMenuItemCount.USER32(000000FF), ref: 00772844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00772875

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b45badccb3bc7c93d1e5b058888ed62d7ec90053990ec9fa5c862afc34fb54ef
Instruction ID: 85c512126a43f246faf39935fa88012b75fa694ca09ef1ce0bc977b387c4b6dc
Opcode Fuzzy Hash: b45badccb3bc7c93d1e5b058888ed62d7ec90053990ec9fa5c862afc34fb54ef
Instruction Fuzzy Hash: CA51A270A00305DFDF24CF68C888BADBBF5EF44394F108169E4299B292D7799946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00711765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0071179A
GetWindowRect.USER32(?,?), ref: 007117FE
ScreenToClient.USER32(?,?), ref: 0071181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0071182C
EndPaint.USER32(?,?), ref: 00711876

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: c4b66b3e7f5359c4d84b514ad5c71977414c95aebea038d93d38e09bcf68ddd2
Instruction ID: 084b0c4c7f657f083bda693c19ac1692e02342f3c87d1ff757079ecdce7a1e97
Opcode Fuzzy Hash: c4b66b3e7f5359c4d84b514ad5c71977414c95aebea038d93d38e09bcf68ddd2
Instruction Fuzzy Hash: 6A416F712043019FD711DF28DC84BBA7BF8EB49724F148669FA948A2E1C7399885DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0079B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007D67B0,00000000,011E7658,?,?,007D67B0,?,0079B862,?,?), ref: 0079B9CC
EnableWindow.USER32(00000000,00000000), ref: 0079B9F0
ShowWindow.USER32(007D67B0,00000000,011E7658,?,?,007D67B0,?,0079B862,?,?), ref: 0079BA50
ShowWindow.USER32(00000000,00000004,?,0079B862,?,?), ref: 0079BA62
EnableWindow.USER32(00000000,00000001), ref: 0079BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0079BAA9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3f3c048c4a368e42e083a982c6c7fc955a6c269a354717bfc7a285ff77e25922
Instruction ID: 09a809ef866052a0eb5da5fbd4914d8a8b60e921982cd1c36e57fc4234979908
Opcode Fuzzy Hash: 3f3c048c4a368e42e083a982c6c7fc955a6c269a354717bfc7a285ff77e25922
Instruction Fuzzy Hash: 80414234600241EFDF25CF64E589B957BE1FF05324F1881B9EA488F6A2C739AC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007873B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00785134,?,?,00000000,00000001), ref: 007873BF

Part of subcall function 00783C94: GetWindowRect.USER32(?,?), ref: 00783CA7

GetDesktopWindow.USER32 ref: 007873E9
GetWindowRect.USER32(00000000), ref: 007873F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00787422

Part of subcall function 007754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0077555E

GetCursorPos.USER32(?), ref: 0078744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007874AC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c4f9a38e7dfe1d266e6ad9048f32f256ba8f084eddb62574e72246151cb9194e
Instruction ID: 2d7b17b7b5e4e8170f1eda90b0268fb6a159900c6021f5bf34514b28c5eb68c8
Opcode Fuzzy Hash: c4f9a38e7dfe1d266e6ad9048f32f256ba8f084eddb62574e72246151cb9194e
Instruction Fuzzy Hash: 82310432508345ABC724EF14D849F9BBBE9FF88344F10491AF489D7191C778E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00768D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00768608
Part of subcall function 007685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00768612
Part of subcall function 007685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00768621
Part of subcall function 007685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00768628
Part of subcall function 007685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0076863E

GetLengthSid.ADVAPI32(?,00000000,00768977), ref: 00768DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00768DB8
HeapAlloc.KERNEL32(00000000), ref: 00768DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00768DD8
GetProcessHeap.KERNEL32(00000000,00000000,00768977), ref: 00768DEC
HeapFree.KERNEL32(00000000), ref: 00768DF3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8aea1a901c8b64a653c0c05577c7136283a369678e91c520c940f237ab2b4e72
Instruction ID: b0e79c4edadcf8fc73c9da89f248bc73748ef9eb140d64c40bb7dc86a6173f2e
Opcode Fuzzy Hash: 8aea1a901c8b64a653c0c05577c7136283a369678e91c520c940f237ab2b4e72
Instruction Fuzzy Hash: DA11E131640604FFDB549F64CC08BAE7769EF49315F10822AEC46D7250DB399D01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00768AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00768B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00768B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00768B40
CloseHandle.KERNEL32(00000004), ref: 00768B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00768B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00768B8E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e4c842803a1d1b6c9bac278b095fdd2f4484c75cbdaf98802ca349d540f720a3
Instruction ID: 34a0dbf0e22690d6428ad6dc0567a1dfb9763e4d35d09d39bdfc15be865232fb
Opcode Fuzzy Hash: e4c842803a1d1b6c9bac278b095fdd2f4484c75cbdaf98802ca349d540f720a3
Instruction Fuzzy Hash: 4A115CB2500209ABDF018FA8DD49FDE7BA9EF08304F044165FE09A2160C7798D659B61

Uniqueness

Uniqueness Score: -1.00%

Function 0079C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0071134D
Part of subcall function 007112F3: SelectObject.GDI32(?,00000000), ref: 0071135C
Part of subcall function 007112F3: BeginPath.GDI32(?), ref: 00711373
Part of subcall function 007112F3: SelectObject.GDI32(?,00000000), ref: 0071139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0079C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0079C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0079C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0079C1F6
EndPath.GDI32(00000000), ref: 0079C206
StrokePath.GDI32(00000000), ref: 0079C216

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a21a009aed551263cfff1d8abba1ba3cff3ec006b968c4229e9aa4ef433995fc
Instruction ID: 33d01fa8fd7e3f3a3f1e881af1dc59a2bbe2eb5a525bd54ea2582469e490fae2
Opcode Fuzzy Hash: a21a009aed551263cfff1d8abba1ba3cff3ec006b968c4229e9aa4ef433995fc
Instruction Fuzzy Hash: E1111B7640010DBFDF129F94DC88EEA7FADFB08354F148022FA188A1A1C7759D55DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007303A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007303D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 007303DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007303E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007303F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007303F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00730401

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: deda7b033fe8944eaeb876ad95975770b851a711ebde7db37f3d9864578e7d3d
Instruction ID: 5890e38bc2dbd0452e74f5c14056ea60e6e2d465f725a6d7050ee5949fb618e5
Opcode Fuzzy Hash: deda7b033fe8944eaeb876ad95975770b851a711ebde7db37f3d9864578e7d3d
Instruction Fuzzy Hash: 800148B0901759BDE3008F5A8C85A52FEA8FF19354F00411BE15887941C7B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0077568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0077569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007756B1
GetWindowThreadProcessId.USER32(?,?), ref: 007756C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007756CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007756D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007756E0

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1a3e0484fa2ee4392e5710da272f7a774860900928e402a8b8113bf7736c7d42
Instruction ID: 9bf39594b0673a77b460b68a1e3a56e18e1287f3705c455c79d85c6695be624f
Opcode Fuzzy Hash: 1a3e0484fa2ee4392e5710da272f7a774860900928e402a8b8113bf7736c7d42
Instruction Fuzzy Hash: 73F03032241658BBE7215BA2DC0DEEF7F7CEFC6B11F00416AFA04D1050D7A91A0286B9

Uniqueness

Uniqueness Score: -1.00%

Function 007774D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007774E5
EnterCriticalSection.KERNEL32(?,?,00721044,?,?), ref: 007774F6
TerminateThread.KERNEL32(00000000,000001F6,?,00721044,?,?), ref: 00777503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00721044,?,?), ref: 00777510

Part of subcall function 00776ED7: CloseHandle.KERNEL32(00000000,?,0077751D,?,00721044,?,?), ref: 00776EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00777523
LeaveCriticalSection.KERNEL32(?,?,00721044,?,?), ref: 0077752A

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f5dcbf2d3aaaf9e0bff6a5dd53d54905efc2829c92b3fe876a6207eaa3ab662f
Instruction ID: 141d6aaa866c42c0bde78e2ce05b8cdd686d436d6e3b01cc9be80b6328e2dca8
Opcode Fuzzy Hash: f5dcbf2d3aaaf9e0bff6a5dd53d54905efc2829c92b3fe876a6207eaa3ab662f
Instruction Fuzzy Hash: 5FF05E3A140A12EBDB111B64FC8CAEF772AFF45302B104533F202D11B4CB796822CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00768E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00768E7F
UnloadUserProfile.USERENV(?,?), ref: 00768E8B
CloseHandle.KERNEL32(?), ref: 00768E94
CloseHandle.KERNEL32(?), ref: 00768E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00768EA5
HeapFree.KERNEL32(00000000), ref: 00768EAC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5ac0f14082fec151548bce0a44eb7ff55bbaf377d2cb982e3a82ff8ce1e5e9aa
Instruction ID: 484e4c377f6c10c10de403354b908a20307c9c8fdb0aeb723be3cd7dc87c28e2
Opcode Fuzzy Hash: 5ac0f14082fec151548bce0a44eb7ff55bbaf377d2cb982e3a82ff8ce1e5e9aa
Instruction Fuzzy Hash: 62E0C236044405FBDA011FF1EC0C90ABF69FB89322B608232F219C1170CB3A9822DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00767A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007A2C7C,?), ref: 00767C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007A2C7C,?), ref: 00767C4A
CLSIDFromProgID.OLE32(?,?,00000000,0079FB80,000000FF,?,00000000,00000800,00000000,?,007A2C7C,?), ref: 00767C6F
_memcmp.LIBCMT ref: 00767C90

Strings

,,z, xrefs: 00767A85

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,z
API String ID: 314563124-1207407898
Opcode ID: 78afc926b74e7c2d1172d65efc698c21713e1dceeef18033abebd00783fee34d
Instruction ID: f4975705671cddc76cde562c4ba16d2e939b0bb9719d9f163748564cac78cefb
Opcode Fuzzy Hash: 78afc926b74e7c2d1172d65efc698c21713e1dceeef18033abebd00783fee34d
Instruction Fuzzy Hash: D1811B71A00109EFCB04DF94C988DEEB7B9FF89355F244198E906EB250DB75AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00788902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00788928
CharUpperBuffW.USER32(?,?), ref: 00788A37
VariantClear.OLEAUT32(?), ref: 00788BAF

Part of subcall function 00777804: VariantInit.OLEAUT32(00000000), ref: 00777844
Part of subcall function 00777804: VariantCopy.OLEAUT32(00000000,?), ref: 0077784D
Part of subcall function 00777804: VariantClear.OLEAUT32(00000000), ref: 00777859

Strings

AUTOIT.ERROR, xrefs: 00788A3D
Incorrect Parameter format, xrefs: 00788960, 00788B22

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e43057047922ecdf1e2216ead4f30e1ae06f7d4f9edea7eaf012b4b9eaaa8038
Instruction ID: 91853764a0d1ba14af72cb1b148f70449c21ddd0119058bc2e8b3ffc0db022c8
Opcode Fuzzy Hash: e43057047922ecdf1e2216ead4f30e1ae06f7d4f9edea7eaf012b4b9eaaa8038
Instruction Fuzzy Hash: CB918271644301DFC714EF28C48495ABBE4EFC8314F04896EF8968B3A1DB35E946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00772F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072FEC6: _wcscpy.LIBCMT ref: 0072FEE9

_memset.LIBCMT ref: 00773077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007730A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00773159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00773187

Strings

0, xrefs: 00773063

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 620163b1dd8b9822867c1ba4d68afd1ad5b862140502c077f905726bbf2d8e8a
Instruction ID: 85050c70c2f9c03f0978d944bc6fe79957abcd8d6ba12787b28f52139e94c265
Opcode Fuzzy Hash: 620163b1dd8b9822867c1ba4d68afd1ad5b862140502c077f905726bbf2d8e8a
Instruction Fuzzy Hash: 9B51E3716083049EDB259F28C849A6BB7E4EF453A0F44892EF899D3191DB7CCE44E752

Uniqueness

Uniqueness Score: -1.00%

Function 00772C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00772CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00772CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00772D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007D6890,00000000), ref: 00772D5A

Strings

0, xrefs: 00772CA4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 43c814c244637472ae4aea5ccd02fc75ed65449225d6c184338ffacf2ee2ccdf
Instruction ID: b1949a037e68cd09f26e95e90d760a71736c1b8c6afcf0b5ab329033e7917e1d
Opcode Fuzzy Hash: 43c814c244637472ae4aea5ccd02fc75ed65449225d6c184338ffacf2ee2ccdf
Instruction Fuzzy Hash: 6F4183302043419FDB24DF24C845B5AB7E4EF85360F14856EF97997292DB78E906CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0078DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0078DAD9

Part of subcall function 007179AB: _memmove.LIBCMT ref: 007179F9

Strings

stdcall, xrefs: 0078DB5B
winapi, xrefs: 0078DB4A
none, xrefs: 0078DBB4
cdecl, xrefs: 0078DB30

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3c9429fb011bbc3fb473b2cc1a3c6f366831a717da4cfe365d16f8964b6aeb97
Instruction ID: 3b577f1bb7d475382da6508e7ec21dc04468f46d866d896dc8fc88093ca886b5
Opcode Fuzzy Hash: 3c9429fb011bbc3fb473b2cc1a3c6f366831a717da4cfe365d16f8964b6aeb97
Instruction Fuzzy Hash: CA318370600619DFCF14EF58C8959EEB7B5FF05320F108629E865976D1DB39AD45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00769372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 0076B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0076B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007693F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00769409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00769439

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

Strings

ListBox, xrefs: 007693B5
ComboBox, xrefs: 00769380

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 30080ad9174e0965200a051292f75835d06d9854fcb00a5d51f01068b73d7ce9
Instruction ID: 89599c6800e9321d487fa14301fbef4b7d66a026181aeb5cc833b69c35d3dfbc
Opcode Fuzzy Hash: 30080ad9174e0965200a051292f75835d06d9854fcb00a5d51f01068b73d7ce9
Instruction Fuzzy Hash: DD21A5B1A40104FADB18AB64DC89DFFBB7CDF45350B108119F926A72E1DB3D494A9610

Uniqueness

Uniqueness Score: -1.00%

Function 00796656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00711D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00711D73
Part of subcall function 00711D35: GetStockObject.GDI32(00000011), ref: 00711D87
Part of subcall function 00711D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00711D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007966D0
LoadLibraryW.KERNEL32(?), ref: 007966D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007966EC
DestroyWindow.USER32(?), ref: 007966F4

Strings

SysAnimate32, xrefs: 007966AB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f9af0774dd4093afb0b1d4bd046be3a2a9a1d3dbeec622ca1beb31535745621d
Instruction ID: a6e372efceda1d060815f5091f358d88b053d692e2921411d51a0b5b31acfd29
Opcode Fuzzy Hash: f9af0774dd4093afb0b1d4bd046be3a2a9a1d3dbeec622ca1beb31535745621d
Instruction Fuzzy Hash: 3B218BB1200206EBEF104EA4FC81EAB37BDEB59368F10472AF95092190D7798C519760

Uniqueness

Uniqueness Score: -1.00%

Function 0077703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0077705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00777091
GetStdHandle.KERNEL32(0000000C), ref: 007770A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007770DD

Strings

nul, xrefs: 007770D8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: bf7a568257280128ba04b124e3a3e7484ef0650d943253c55b3b6040d6ab3465
Instruction ID: 9893469017c3d4744171df24bdd4bf3bae6f5aa3fc03941b699bfbe34befdac6
Opcode Fuzzy Hash: bf7a568257280128ba04b124e3a3e7484ef0650d943253c55b3b6040d6ab3465
Instruction Fuzzy Hash: A8218174604309ABDF249F38DC09BAA77A8BF44764F20C61AFCA4D72D0D7759850CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0077710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0077712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0077715D
GetStdHandle.KERNEL32(000000F6), ref: 0077716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007771A8

Strings

nul, xrefs: 007771A3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 04182d2d81688db326884751182b3d568055062d8fd5d572f19870914929d015
Instruction ID: fd91664e28c38e65d46e7904bc74f6c5498f4cc302ebc1061f962ed35597e18d
Opcode Fuzzy Hash: 04182d2d81688db326884751182b3d568055062d8fd5d572f19870914929d015
Instruction Fuzzy Hash: DF21D371504309ABDF249F289C04AAAB7E8BF853B0F60861AFCA4D32D0D7749841CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0077AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0077AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0077AF13
__swprintf.LIBCMT ref: 0077AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0079F910), ref: 0077AF6A

Strings

%lu, xrefs: 0077AF26

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fa73aeee4c48074d86c676799fef1dca95f85605447e41c0d7286ad7508623ac
Instruction ID: b0db991dc9970f553102bc54ba76136d03ebd01f16a29d6039b0c8d084abcb19
Opcode Fuzzy Hash: fa73aeee4c48074d86c676799fef1dca95f85605447e41c0d7286ad7508623ac
Instruction Fuzzy Hash: EE214471600109EFDB10EF54C989DEE7BB8EF89704B108069F909DB251DB35EA41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0076A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

Part of subcall function 0076A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0076A399
Part of subcall function 0076A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0076A3AC
Part of subcall function 0076A37C: GetCurrentThreadId.KERNEL32 ref: 0076A3B3
Part of subcall function 0076A37C: AttachThreadInput.USER32(00000000), ref: 0076A3BA

GetFocus.USER32 ref: 0076A554

Part of subcall function 0076A3C5: GetParent.USER32(?), ref: 0076A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0076A59D
EnumChildWindows.USER32(?,0076A615), ref: 0076A5C5
__swprintf.LIBCMT ref: 0076A5DF

Strings

%s%d, xrefs: 0076A5D9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: b147ccdfae94fef33d136bac1d9860c7e9ec2e039e435d7501d1c06b43dff246
Instruction ID: 3d805e429b4aede486b949cdb25556197abf7d8896b8c0366568171f273de166
Opcode Fuzzy Hash: b147ccdfae94fef33d136bac1d9860c7e9ec2e039e435d7501d1c06b43dff246
Instruction Fuzzy Hash: 2111A271200208BBDF11BFA4EC89FEA7778AF49700F044075FD09AA192CA7859458F75

Uniqueness

Uniqueness Score: -1.00%

Function 00772017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00772048

Strings

EXISTS, xrefs: 00772070
KEYS, xrefs: 0077205F
REMOVE, xrefs: 0077204E
APPEND, xrefs: 00772081

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d4d9a4b336ef542d64c2e2b84f36e0b570a6631b66ba094ab789f08ae0f1d73b
Instruction ID: 254ca9fe4854bf391c07df784380ebe47cdd3d923291f316e0318e5c24f516e5
Opcode Fuzzy Hash: d4d9a4b336ef542d64c2e2b84f36e0b570a6631b66ba094ab789f08ae0f1d73b
Instruction Fuzzy Hash: B411273491010DDF8F00EFA4D8519FEB7B4BF15308F20846DD8A5A7292EB3A6907CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0078EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0078EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0078EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0078F07E
CloseHandle.KERNEL32(?), ref: 0078F0FF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: b80707e821a95bbfc1858e31615a5acdba4197e0b007a085a93cbdd4e5651c65
Instruction ID: a342623f6264f3be84339d0e10909d3b57046ae7ef261893a3a49b812b3831ec
Opcode Fuzzy Hash: b80707e821a95bbfc1858e31615a5acdba4197e0b007a085a93cbdd4e5651c65
Instruction Fuzzy Hash: 4C816371644300DFD720EF28C85AB6AB7E5AF48B10F14881DF695DB2D2D778AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007902C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 007910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00790038,?,?), ref: 007910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00790388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007903C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0079040E
RegCloseKey.ADVAPI32(?,?), ref: 0079043A
RegCloseKey.ADVAPI32(00000000), ref: 00790447

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: dc72b194db8ba916a7de0c9333f7376deb80a326e822f9489e07d614244fbad1
Instruction ID: bc9150ca6a77989fa915c74a78e217cee98ec941b63badda2ec0bd268f421e59
Opcode Fuzzy Hash: dc72b194db8ba916a7de0c9333f7376deb80a326e822f9489e07d614244fbad1
Instruction Fuzzy Hash: D7516E31218204EFDB04EF58D885EAEB7E8FF84314F44851DF595871A1DB38E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0077E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0077E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0077E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0077E8F2

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0077E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0077E91F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 68e41034ff37faeebf9d872d727ade1b0f5f4a018e90fc2c2ba5ec16070c10a7
Instruction ID: 8ab4e98bce59ee525f0618d6a42c0c084b30977d98e1700f3e3a80d2315ea24f
Opcode Fuzzy Hash: 68e41034ff37faeebf9d872d727ade1b0f5f4a018e90fc2c2ba5ec16070c10a7
Instruction Fuzzy Hash: 0A513A35A00205DFCF00EF68C995AAEBBF5EF48310B148099E949AB3A2CB35ED51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0079A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ce67fc4aba851bf74af4d35b704aad597112f7e4745d550601e6d6d8165994
Instruction ID: 63d05d5595e071f047995e4e550d77b41c6328b2938c29f298350343cce7c680
Opcode Fuzzy Hash: 67ce67fc4aba851bf74af4d35b704aad597112f7e4745d550601e6d6d8165994
Instruction Fuzzy Hash: 9841E135902204BFDF20DF28EC48FA9BBA8EB09310F154166F856E72E1D778AD51DAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00712344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00712357
ScreenToClient.USER32(007D67B0,?), ref: 00712374
GetAsyncKeyState.USER32(00000001), ref: 00712399
GetAsyncKeyState.USER32(00000002), ref: 007123A7

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4fe6a8c7b5ec004851c18b69efe6846a55e08e224cecdf77b2b37df85252228d
Instruction ID: d393adedded2271174ba98998666e4b5d024f68ecfe90ab5734074625c7f9f77
Opcode Fuzzy Hash: 4fe6a8c7b5ec004851c18b69efe6846a55e08e224cecdf77b2b37df85252228d
Instruction Fuzzy Hash: FF418371504119FFDF169F68C848AEDBB74FB05360F20431AF934922D1C7789AA1DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00766920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0076695D
TranslateAcceleratorW.USER32(?,?,?), ref: 007669A9
TranslateMessage.USER32(?), ref: 007669D2
DispatchMessageW.USER32(?), ref: 007669DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007669EB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: bc29451c3046e8b58be3a52aaac24d26877470738c18b300ce069e56fac64e81
Instruction ID: 9d1d30309a78fc7b862550ead560f7071e73608ba575f23ed73e31a765851cc0
Opcode Fuzzy Hash: bc29451c3046e8b58be3a52aaac24d26877470738c18b300ce069e56fac64e81
Instruction Fuzzy Hash: 7831A371901346AADB20CFB4DC44BB67BBCAB01314F54816AEC23D21A1D73DA889DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00768F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00768F12
PostMessageW.USER32(?,00000201,00000001), ref: 00768FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00768FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00768FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00768FDA

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 54112b9ee0e27a38653a259e82b7bd6905393189f39fd0374eb36c360c5e7e81
Instruction ID: a4101fed6f86108772505c85cf971770603c7db89c1028e0ed8662c69d56f81d
Opcode Fuzzy Hash: 54112b9ee0e27a38653a259e82b7bd6905393189f39fd0374eb36c360c5e7e81
Instruction Fuzzy Hash: 8831DF71500219EFDF10CF68D94CADE7BB6EB04315F108229FD26EA2D0C7B89954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0076B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0076B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0076B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0076B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0076B742
_wcsstr.LIBCMT ref: 0076B74C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f9f721fcbad95c0d5553cacf4898b26482d683f631698cc98670a7480eb328f6
Instruction ID: 3b15ce844eb73397b191f976d4488399cbe596965ff78d78b00cc5b7e9930168
Opcode Fuzzy Hash: f9f721fcbad95c0d5553cacf4898b26482d683f631698cc98670a7480eb328f6
Instruction Fuzzy Hash: 4421FC31204204FBEB255B35DC49E7B7B9CDF4A710F00803AFD06DA162EF69DC819690

Uniqueness

Uniqueness Score: -1.00%

Function 0079B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

GetWindowLongW.USER32(?,000000F0), ref: 0079B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0079B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0079B489
GetSystemMetrics.USER32(00000004), ref: 0079B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00781184,00000000), ref: 0079B4D0

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 6db8727e1898a55f1da8fff38268bf76533242e32c0e5ad46ed7c965692ba650
Instruction ID: 6b88319ebeab3023959643c783ebde06564fb5e214a5b6e38bd457f839957527
Opcode Fuzzy Hash: 6db8727e1898a55f1da8fff38268bf76533242e32c0e5ad46ed7c965692ba650
Instruction Fuzzy Hash: EA217171614295AFCF109F38BD44A6A3BA4EB05720F158739F926D61F1E7389821EB90

Uniqueness

Uniqueness Score: -1.00%

Function 007697E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00769802

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00769834
__itow.LIBCMT ref: 0076984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00769874
__itow.LIBCMT ref: 00769885

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6b03b514a1fcf3a1df81160f2ecceaead19966fa915bbf27ebcbe5141442f95c
Instruction ID: 29bff5ab1f9fe9a148db231e771a7b74e16f39c52e879b9e742546a6d1e6ed46
Opcode Fuzzy Hash: 6b03b514a1fcf3a1df81160f2ecceaead19966fa915bbf27ebcbe5141442f95c
Instruction Fuzzy Hash: EC21C871700209EBDB109A659C8AEEE7BBCDF49710F044029FE05DB291D6788D45D791

Uniqueness

Uniqueness Score: -1.00%

Function 007112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0071134D
SelectObject.GDI32(?,00000000), ref: 0071135C
BeginPath.GDI32(?), ref: 00711373
SelectObject.GDI32(?,00000000), ref: 0071139C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5cf8c90bb39698267ee3e864ad1f330966844f046372f9f8034fbe38607ebcbf
Instruction ID: 46c79126e7baa100a5d096bfce6462374c7a1b62ce5ee1850e625336ec0479fa
Opcode Fuzzy Hash: 5cf8c90bb39698267ee3e864ad1f330966844f046372f9f8034fbe38607ebcbf
Instruction Fuzzy Hash: 65216D70801208EFDB109F69EC057A97BB8FB00721F54C227F9609A5E4D37D98D2EB98

Uniqueness

Uniqueness Score: -1.00%

Function 0076C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0076C176
_memcmp.LIBCMT ref: 0076C194
_memcmp.LIBCMT ref: 0076C1A7
_memcmp.LIBCMT ref: 0076C1BF
_memcmp.LIBCMT ref: 0076C1D7

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 69ca7ede986898eb5dd8c3d8df1dc0b10d849c2e00f83c1d85128c9919314447
Instruction ID: 96c714b8f3f8b862f7376b9231b1bb7609cd65677c0ff40cc52ecaf57fe1b46e
Opcode Fuzzy Hash: 69ca7ede986898eb5dd8c3d8df1dc0b10d849c2e00f83c1d85128c9919314447
Instruction Fuzzy Hash: 7D01B5F260510EBBE209A6245D46FBB735C9B633A4F444121FD4796283EA5CEE12C2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00774D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00774D5C
__beginthreadex.LIBCMT ref: 00774D7A
MessageBoxW.USER32(?,?,?,?), ref: 00774D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00774DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00774DAC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 8a66703a3b21eff95d8df3741c1f84465a178c7be9331ccbd3d25657d000fde9
Instruction ID: 76cb501daba8a23777631a9dd973fd6f274016be164e6799c4af52e0301e78c8
Opcode Fuzzy Hash: 8a66703a3b21eff95d8df3741c1f84465a178c7be9331ccbd3d25657d000fde9
Instruction Fuzzy Hash: FC110CB2A04248BFCB119BACDC04A9A7FACFB45360F14C266F958D3251D77D9D4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0076874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00768766
GetLastError.KERNEL32(?,0076822A,?,?,?), ref: 00768770
GetProcessHeap.KERNEL32(00000008,?,?,0076822A,?,?,?), ref: 0076877F
HeapAlloc.KERNEL32(00000000,?,0076822A,?,?,?), ref: 00768786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076879D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 4a2b995130f7784f5bb759791174834538779ef89beee4d92f237ba97dc99b2b
Instruction ID: ca9e8d5b5d3ea4e6363396a4fd8670a87434a400756556606ceb0cf8d5981de9
Opcode Fuzzy Hash: 4a2b995130f7784f5bb759791174834538779ef89beee4d92f237ba97dc99b2b
Instruction Fuzzy Hash: 34016D71200208FFDB204FA6DC88D6B7BACFF89355720453AFC4AD6260DA358C01CA60

Uniqueness

Uniqueness Score: -1.00%

Function 007754E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00775502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00775510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00775518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00775522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0077555E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 509081fac646efc27f4db3dcc73dbddf6b30c2b4c4700cdc61ff7e1720ada192
Instruction ID: ad0f3a11b2743de16fe288dbc20651305519f338a9f4cac28ff3f3955ec989b1
Opcode Fuzzy Hash: 509081fac646efc27f4db3dcc73dbddf6b30c2b4c4700cdc61ff7e1720ada192
Instruction Fuzzy Hash: 14015B31D00A1DDBCF00DFE8E848AEDBB7AFB09711F008556E905F2240DB789960C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00767652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?,?,0076799D), ref: 0076766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?), ref: 0076768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?), ref: 00767698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?), ref: 007676A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0076758C,80070057,?,?), ref: 007676B4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 36fd60de7cfe60940604e8e28c6704bd3b013677f42dce62f3608a9611babd2b
Instruction ID: f1a44da4e8c2efea24a0d46d2fd54d668fbdb24e4c6cb717e8012ab8d5f66bc8
Opcode Fuzzy Hash: 36fd60de7cfe60940604e8e28c6704bd3b013677f42dce62f3608a9611babd2b
Instruction Fuzzy Hash: 0401D472600604BBDB104F18DC08FAA7BACEB44BA5F104129FD06D3211E779DD51D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007685F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00768608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00768612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00768621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00768628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0076863E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 564e01aa8b4d1817cc4b862eb517e7c6fe0bc21934cc5e08746c0b31f6144eeb
Instruction ID: b8343666b3d9a45fec41aff9db1555ea38cdb694c1273abc3fd27d414c1eff1c
Opcode Fuzzy Hash: 564e01aa8b4d1817cc4b862eb517e7c6fe0bc21934cc5e08746c0b31f6144eeb
Instruction Fuzzy Hash: C3F0C230240204BFEB100FA4DC8DE6F3BACEF89754B048226F906C2161CB789C46DA65

Uniqueness

Uniqueness Score: -1.00%

Function 00768652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00768669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00768673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00768682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00768689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0076869F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5f3b1d4c6198845e1f4b4221eba3160f7c96e11f495a5ce51b3a0be94563d37f
Instruction ID: 798303c595bc1d6813879b86cd25272f9dbb7ebeface6eedf2ba072b08dc5af2
Opcode Fuzzy Hash: 5f3b1d4c6198845e1f4b4221eba3160f7c96e11f495a5ce51b3a0be94563d37f
Instruction Fuzzy Hash: 1BF0C270240304BFEB111FA4EC88E6B3BACEF89758B100126F906C6151CB79DC02DA65

Uniqueness

Uniqueness Score: -1.00%

Function 0076C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0076C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0076C6D1
MessageBeep.USER32(00000000), ref: 0076C6E9
KillTimer.USER32(?,0000040A), ref: 0076C705
EndDialog.USER32(?,00000001), ref: 0076C71F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4d8136897f05f5b62d7bcec25a5723c479f4b99c78938cbdc366ebeb268638af
Instruction ID: 90eac7e2a1c4cd2ccd13e7c246680b6112ba4d58df93c5446242d036b60624b1
Opcode Fuzzy Hash: 4d8136897f05f5b62d7bcec25a5723c479f4b99c78938cbdc366ebeb268638af
Instruction Fuzzy Hash: B7016270500704ABEB219B64ED4EFA677B8FF00705F04466AF993E14E1DBE8A9558F84

Uniqueness

Uniqueness Score: -1.00%

Function 007113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007113BF
StrokeAndFillPath.GDI32(?,?,0074BAD8,00000000,?), ref: 007113DB
SelectObject.GDI32(?,00000000), ref: 007113EE
DeleteObject.GDI32 ref: 00711401
StrokePath.GDI32(?), ref: 0071141C

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 36d5b7c022a34a35e7d454c3f3ece97d18c3c7f67a74eb2d532d7279cf555ce4
Instruction ID: 2107f574488a8764d6cb9c012d99f38ba9b596b51632a1572bc591db834a9beb
Opcode Fuzzy Hash: 36d5b7c022a34a35e7d454c3f3ece97d18c3c7f67a74eb2d532d7279cf555ce4
Instruction Fuzzy Hash: 2AF0EC30005348EBDB115F6AEC0C7983FB8A701726F54C226E969890F1D73D99A6EF58

Uniqueness

Uniqueness Score: -1.00%

Function 00722E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00730FF6: std::exception::exception.LIBCMT ref: 0073102C
Part of subcall function 00730FF6: __CxxThrowException@8.LIBCMT ref: 00731041

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 00717BB1: _memmove.LIBCMT ref: 00717C0B

__swprintf.LIBCMT ref: 0072302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00722EC6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 4b53a9b7403d856bbc97a391a44765b34ac45865d47a77c7636a9380ac10d2c4
Instruction ID: 0d0cb6097e4a23c9db23240046b863d741ae75546cdf99427afbc4b3f8267b63
Opcode Fuzzy Hash: 4b53a9b7403d856bbc97a391a44765b34ac45865d47a77c7636a9380ac10d2c4
Instruction Fuzzy Hash: 46918E71508211DFD728EF28D889CAEB7B5EF85700F40491DF841972A1DB78EE49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0076B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0076B981

Strings

Container, xrefs: 0076B8FE
%z, xrefs: 0076BA24
AutoIt3GUI, xrefs: 0076B8F9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%z
API String ID: 3565006973-1118916724
Opcode ID: cf4b3784589f73f3224b30581d16503fd0706b1f37abce084cdda166a1f9873a
Instruction ID: 4c49ed286314f1e270c117bf98367702c98f56b9b956318a158e5660f5c59686
Opcode Fuzzy Hash: cf4b3784589f73f3224b30581d16503fd0706b1f37abce084cdda166a1f9873a
Instruction Fuzzy Hash: 3F914A70600202DFDB64DF68C884B6AB7E8FF49710F14856DF94ADB691DB74E881CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0073524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007352DD

Part of subcall function 00740340: __87except.LIBCMT ref: 0074037B

Strings

pow, xrefs: 007352B5, 007352D2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 56f9f074e0871da702e3532b7b2cd97e5da9b6e43798fca4a2d8dc11272ae4f0
Instruction ID: 73d0ebdd2314e7f4c0d6f28e038cb886e931acc7f264157ac486b0607a4c8175
Opcode Fuzzy Hash: 56f9f074e0871da702e3532b7b2cd97e5da9b6e43798fca4a2d8dc11272ae4f0
Instruction Fuzzy Hash: 70518871A0DA01C7EB14BB28CD4137E2B94AB41750F248D58E6D5822EBEF7C8CD4DAC6

Uniqueness

Uniqueness Score: -1.00%

Function 0073023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00730277
#, xrefs: 00730280

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 6c972b9b659dd5e6ea43f3acc762ed2a92a94da9c1cd80f588b71762ae24c68a
Instruction ID: ce63ccd14ced518e3e8724c7127f390ca71bf0f4e3c3657bcdc4bd3fa4463b47
Opcode Fuzzy Hash: 6c972b9b659dd5e6ea43f3acc762ed2a92a94da9c1cd80f588b71762ae24c68a
Instruction Fuzzy Hash: 98512175204646DFDF259F28C898AFA7BB4EF15310F184059EC929B2E1D73C9C86DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00723297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007233D7
_memmove.LIBCMT ref: 00723470
_free.LIBCMT ref: 00723496
_memmove.LIBCMT ref: 00723549

Strings

Oar, xrefs: 00723482

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove$_free
String ID: Oar
API String ID: 2620147621-1181374745
Opcode ID: f0a74a1c25cb78344b42fc74c7a34c6531645f646c86e05897e74167d697d1ba
Instruction ID: c4be6d512b23498d4983619fd861736f4e136aeb4e836596d619c686029424c5
Opcode Fuzzy Hash: f0a74a1c25cb78344b42fc74c7a34c6531645f646c86e05897e74167d697d1ba
Instruction Fuzzy Hash: EA516AB16083519FDB28CF28D450B6BBBE5FF89310F04492DE98987351EB39E941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 007262F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007263A8
_memmove.LIBCMT ref: 00726446
_memset.LIBCMT ref: 0072646A

Strings

ERCP, xrefs: 00726313

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 9e8d86fc2a94077376458ebd8b4eb2056eb8975375419b69359ae043d3b4e955
Instruction ID: ddebae64d999f8c4d74d00006bcf852bf694c5289f443de6224c8b6ace176201
Opcode Fuzzy Hash: 9e8d86fc2a94077376458ebd8b4eb2056eb8975375419b69359ae043d3b4e955
Instruction Fuzzy Hash: C551E471900759DFDB28DF65D885BAABBF4EF04314F20856FE98AC7241E7789684CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00797648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007976D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007976E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00797708

Strings

SysMonthCal32, xrefs: 0079769B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7d9a6c00c583a4f02fd4109f66aaddb8ef291f3e7322ef55f6c261b74d71df23
Instruction ID: 660ac0d8397521c6a3ffd276487b55c35498514ea5add730eaa2a31abe5a4db1
Opcode Fuzzy Hash: 7d9a6c00c583a4f02fd4109f66aaddb8ef291f3e7322ef55f6c261b74d71df23
Instruction Fuzzy Hash: 3721E032610218BBDF15CFA4DC46FEA3B79EF48724F110214FE15AB1D0DAB9A851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00796F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00796FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00796FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00796FDF

Strings

Listbox, xrefs: 00796F77

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d8e204f0b7e935c09ae05eda0e5650828737db58859977cbbb0f598ceb06bd50
Instruction ID: 56d5ca8ae870c222e469fea61572c14266729deae9ed3a0237237990c86c34f3
Opcode Fuzzy Hash: d8e204f0b7e935c09ae05eda0e5650828737db58859977cbbb0f598ceb06bd50
Instruction Fuzzy Hash: EA219532610118BFDF118F54EC85FAB376AEF89754F018225F9149B190C6799C5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0079797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007979E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007979F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00797A03

Strings

msctls_trackbar32, xrefs: 007979B8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fedff69fec7be0521c229b8f9ac4a65010c7bfbaeebfdbc0befae969a31cc403
Instruction ID: 9d50b5f2c9dc27f3db3700857684d3a5bf4ab7138de3730277436041468f0e32
Opcode Fuzzy Hash: fedff69fec7be0521c229b8f9ac4a65010c7bfbaeebfdbc0befae969a31cc403
Instruction Fuzzy Hash: 2811E372254208BFEF149F74DC05FEB3BA9EF89764F014519FA41A6090D275A851CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00714C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00714C2E), ref: 00714CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00714CB5

Strings

kernel32.dll, xrefs: 00714C9E
GetNativeSystemInfo, xrefs: 00714CAF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 8ca9188ca928e518c7de3a79344d10ec669ff49b5a6457acb82689febe2eefbd
Instruction ID: 4100326d3b11f9a98225545875edf5184b89e98a691786fd6bd27239d9c238b4
Opcode Fuzzy Hash: 8ca9188ca928e518c7de3a79344d10ec669ff49b5a6457acb82689febe2eefbd
Instruction Fuzzy Hash: C7D05BB0551727CFDB209F35ED1864676E5AF05791B15C83ED885D6190D77CD4C0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00714D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00714D2E,?,00714F4F,?,007D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00714D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714D81

Strings

kernel32.dll, xrefs: 00714D6A
Wow64DisableWow64FsRedirection, xrefs: 00714D7B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4e8420c8350549c70ed29500b4e90caf39415fc146a21bab09e9b20ff30b727d
Instruction ID: a81a3bfc20d251b41808c97f353a2fb5fa6cf8446c51c368070ff1d788ae21dc
Opcode Fuzzy Hash: 4e8420c8350549c70ed29500b4e90caf39415fc146a21bab09e9b20ff30b727d
Instruction Fuzzy Hash: 5AD017B0650713CFDB209F35E80965676E9AF15352B21C83ED4C6D62A0EA78D8C0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00714D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00714CE1,?), ref: 00714DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714DB4

Strings

kernel32.dll, xrefs: 00714D9D
Wow64RevertWow64FsRedirection, xrefs: 00714DAE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d49d2c103b6664193e92bcd88fc5b0138fea9a2469480df271405becf96358ad
Instruction ID: a1f527de6cd30369b6854d93fee990e627b8e20f6676c5bf61942ce9efc86f82
Opcode Fuzzy Hash: d49d2c103b6664193e92bcd88fc5b0138fea9a2469480df271405becf96358ad
Instruction Fuzzy Hash: A4D017B1690713DFDB209F35E808A8676E5AF06355B11C83ED8C6D61A0EB78D8C1CA91

Uniqueness

Uniqueness Score: -1.00%

Function 00791072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007912C1), ref: 00791080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00791092

Strings

RegDeleteKeyExW, xrefs: 0079108C
advapi32.dll, xrefs: 0079107B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 15ff7eb7a1e85cd50a681958eeddefb65e936460ad9924beb24af0230a54d1f7
Instruction ID: dc805f33ba9cbb8ba88d3676bd7d2dbf62c64fd2555b6db41773059d962ae3cf
Opcode Fuzzy Hash: 15ff7eb7a1e85cd50a681958eeddefb65e936460ad9924beb24af0230a54d1f7
Instruction Fuzzy Hash: 08D01770550713CFDB209F39E819A1A76E8EF05362F11CC3EE48ADA160E778C8C0CA90

Uniqueness

Uniqueness Score: -1.00%

Function 007893F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00789009,?,0079F910), ref: 00789403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00789415

Strings

GetModuleHandleExW, xrefs: 0078940F
kernel32.dll, xrefs: 007893FE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: ba43ea8bb0a400ff06563b1daf028d318f6b35e2061d0ea8d7ca173cbebb2455
Instruction ID: ea4601f4231d18739dbebb58d8f7f40ded0d6a5dae4ffcd432b304ebd38b320e
Opcode Fuzzy Hash: ba43ea8bb0a400ff06563b1daf028d318f6b35e2061d0ea8d7ca173cbebb2455
Instruction Fuzzy Hash: BAD0C270580717CFCB209F30D90861372D5AF01341B24C83FD489C2550D678C480C750

Uniqueness

Uniqueness Score: -1.00%

Function 007676C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695c4b70426d61e66048f16424f0c0ed961a7285df0b1047f492951c3284d16a
Instruction ID: 86cefe0e2098ff7dd55ccf0a17f6e89f7a4daf272e010d0b96d9f639efe07407
Opcode Fuzzy Hash: 695c4b70426d61e66048f16424f0c0ed961a7285df0b1047f492951c3284d16a
Instruction Fuzzy Hash: 79C18274A04216EFCB18CFA8C884E6EB7F5FF48758B118599E806EB251D734ED81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0078E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0078E3D2
CharLowerBuffW.USER32(?,?), ref: 0078E415

Part of subcall function 0078DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0078DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0078E615
_memmove.LIBCMT ref: 0078E628

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d7d1a45413cd1a5affee3f49d42fb049ef696f128de98d4e07b0a4e10163152c
Instruction ID: c29782d38888448014f274924ae82136d8d9b660028913436f8ed407dd4b08ef
Opcode Fuzzy Hash: d7d1a45413cd1a5affee3f49d42fb049ef696f128de98d4e07b0a4e10163152c
Instruction Fuzzy Hash: 8CC15971608301CFC714EF28C49496ABBE4FF88718F14896EF8999B351D739E946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 007883A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007883D8
CoUninitialize.OLE32 ref: 007883E3

Part of subcall function 0076DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0076DAC5

VariantInit.OLEAUT32(?), ref: 007883EE
VariantClear.OLEAUT32(?), ref: 007886BF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 1fe17ccd6ee1c295a640d575e4e4d410bf7f9e3ab2648e478b3876b4073b907b
Instruction ID: 5172e245cbe6fbe20f5573aef28460d3a3460ebab76bcde6ecf7f3a8fb4ab0f6
Opcode Fuzzy Hash: 1fe17ccd6ee1c295a640d575e4e4d410bf7f9e3ab2648e478b3876b4073b907b
Instruction Fuzzy Hash: BEA15A35244701DFCB50EF18C895A5AB7E4BF88314F448449FA9A9B3A2DB38FD45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00766DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00766E04
SysAllocString.OLEAUT32(00000000), ref: 00766EAD
VariantCopy.OLEAUT32 ref: 00766EDC
VariantClear.OLEAUT32(?), ref: 00766F03

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: ee57b700b834e689ab81eaa02976233ad4b6cf1f9807a0f4d332d62e58047d26
Instruction ID: a0b4089d7973f861e68d201a78281ceacaa98dc51294f95ab63760e05d1e9d02
Opcode Fuzzy Hash: ee57b700b834e689ab81eaa02976233ad4b6cf1f9807a0f4d332d62e58047d26
Instruction Fuzzy Hash: D751A930604301DADB249F69D495A6AB3E5AF48354F70881FED97CB291EB7C9880DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00799A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(011EFB10,?), ref: 00799AD2
ScreenToClient.USER32(00000002,00000002), ref: 00799B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00799B72

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 112712d5b8098a0631e5b364de313288b2e4a6813bea071afdf6f87ea31b48e1
Instruction ID: ae1d3e7c8482526ee8caeccf07085c12abe6cfb62efd757154ae690c15f78f25
Opcode Fuzzy Hash: 112712d5b8098a0631e5b364de313288b2e4a6813bea071afdf6f87ea31b48e1
Instruction Fuzzy Hash: FD515F74A00209EFDF10DF68E8819AE7BB6FF55320F10816EF9159B290D738AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00786CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00786CE4
WSAGetLastError.WSOCK32(00000000), ref: 00786CF4

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00786D58
WSAGetLastError.WSOCK32(00000000), ref: 00786D64

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 7f0445a8d20298d41dcfb6c4d5fb91979b131128da87299e62077931f27c7ee8
Instruction ID: 65bf7e4443de5196cf80ab3eb021c010676ccc7e69e5e1e54fe6fc0f63cc971c
Opcode Fuzzy Hash: 7f0445a8d20298d41dcfb6c4d5fb91979b131128da87299e62077931f27c7ee8
Instruction Fuzzy Hash: 8A41A274740200AFEB20BF28DC9AFBA77E5AF44B10F44C018FA599F2D2DA789D418791

Uniqueness

Uniqueness Score: -1.00%

Function 0078672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0079F910), ref: 007867BA
_strlen.LIBCMT ref: 007867EC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: cf0b09b5ae01c514c0d7dd55305010c1ca5fd7ef207bb08a52818a4f9d98fac0
Instruction ID: 1dff7171683a90fc3b3d24c47ebeed0aa2833932d17812a6ddc15377d76f1584
Opcode Fuzzy Hash: cf0b09b5ae01c514c0d7dd55305010c1ca5fd7ef207bb08a52818a4f9d98fac0
Instruction Fuzzy Hash: 5B41B571A40104EFCB14FB68DCD9EEEB7A9AF44314F148165F91A9B2D2DB38AD41C790

Uniqueness

Uniqueness Score: -1.00%

Function 0077BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0077BB09
GetLastError.KERNEL32(?,00000000), ref: 0077BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0077BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0077BB80

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: bcae5913473f5ee5900816a8a43474b9b8eeac1ebb291e66bdc3e67a34bc31f8
Instruction ID: 0bcd9821239cb676acdd218ce6d9439e336764b65a0738c9491347ea98e692bf
Opcode Fuzzy Hash: bcae5913473f5ee5900816a8a43474b9b8eeac1ebb291e66bdc3e67a34bc31f8
Instruction Fuzzy Hash: 39412B35200510DFCF11EF18C598A5DBBE5AF89310B09C498ED4A9B3A2CB38FD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00798AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00798B4D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 80f2428f188875273b3d5f4cab876cc6a44fab6d7c8645da44c33c570a546056
Instruction ID: ff6cf4ed3bf6b0cfbb74912fc8bb6cef16d707af957dbf4af01585e61d295495
Opcode Fuzzy Hash: 80f2428f188875273b3d5f4cab876cc6a44fab6d7c8645da44c33c570a546056
Instruction Fuzzy Hash: 1231D2F4600204BFEFA09B18EC85FA937A4EB07310F288617FA55D72A1CE3CA9509756

Uniqueness

Uniqueness Score: -1.00%

Function 0079ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0079AE1A
GetWindowRect.USER32(?,?), ref: 0079AE90
PtInRect.USER32(?,?,0079C304), ref: 0079AEA0
MessageBeep.USER32(00000000), ref: 0079AF11

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fe56e2a125069742b6fa8c1811532b429687a3eec0705720960b7cac74380f8f
Instruction ID: b10f39818adca6dd483528092e765ee8dabccaf886a9848dce0b4412259a428d
Opcode Fuzzy Hash: fe56e2a125069742b6fa8c1811532b429687a3eec0705720960b7cac74380f8f
Instruction Fuzzy Hash: 3C418E70602219EFCF11CF58E885B697BF6FB49350F1881AAE414CB251D738E842DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00770FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00771037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00771053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007710B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0077110B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0c1f78422058ef4cafd7d0099a20a8783f5c84b217973a69e06361fd6a337d4f
Instruction ID: 3705b56175b091b20653080c038c9e7a98610827d8a6dd75fe82a49616b353de
Opcode Fuzzy Hash: 0c1f78422058ef4cafd7d0099a20a8783f5c84b217973a69e06361fd6a337d4f
Instruction Fuzzy Hash: 5C315E30E40688AEFF308B6D8C097F9BBA5AB45350F84C21AE588521D1C37C89D5D765

Uniqueness

Uniqueness Score: -1.00%

Function 00771121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00771176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00771192
PostMessageW.USER32(00000000,00000101,00000000), ref: 007711F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00771243

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a370f06c6611022b6350295db2b8ff22b42f497eab2a4bc4ce4fbbca50c4bfb7
Instruction ID: 03e89e94832c9086ce23c4ed333dd1b4af00f17fc56f353bd389a1a75eef9c00
Opcode Fuzzy Hash: a370f06c6611022b6350295db2b8ff22b42f497eab2a4bc4ce4fbbca50c4bfb7
Instruction Fuzzy Hash: 8D312B30A4074C9AEF308A6D8C09BFA7B6AAB45350FD4C35BE688961D1C33C4D559755

Uniqueness

Uniqueness Score: -1.00%

Function 00746415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0074644B
__isleadbyte_l.LIBCMT ref: 00746479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007464A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007464DD

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 55cb46b4549d4b54753341fa77c00ffa4866aa65e13c317b2bb7ab25d600431f
Instruction ID: 9d5ca4341820a29cb1abc168bf0d1f92710f22c0ebb901b540f3c3ea3a42a2ba
Opcode Fuzzy Hash: 55cb46b4549d4b54753341fa77c00ffa4866aa65e13c317b2bb7ab25d600431f
Instruction Fuzzy Hash: 8B31EF31600286EFDF258F68C848BBA7BA5FF42310F154029F854871A1EB39DE90DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00795175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00795189

Part of subcall function 0077387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00773897
Part of subcall function 0077387D: GetCurrentThreadId.KERNEL32 ref: 0077389E
Part of subcall function 0077387D: AttachThreadInput.USER32(00000000,?,007752A7), ref: 007738A5

GetCaretPos.USER32(?), ref: 0079519A
ClientToScreen.USER32(00000000,?), ref: 007951D5
GetForegroundWindow.USER32 ref: 007951DB

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 10393c6d09630994aedec236798be1ab621376a61511951970ceaaa9334e30b8
Instruction ID: 2b76878a89dbe46478079b7794dbfc6bf638154dfbed4934a79c8e63a08271a7
Opcode Fuzzy Hash: 10393c6d09630994aedec236798be1ab621376a61511951970ceaaa9334e30b8
Instruction Fuzzy Hash: 01311271900108AFDB00EFA9D8459EFB7F9EF58300F10806AE515E7251EA799E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0079C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

GetCursorPos.USER32(?), ref: 0079C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0074BBFB,?,?,?,?,?), ref: 0079C7D7
GetCursorPos.USER32(?), ref: 0079C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0074BBFB,?,?,?), ref: 0079C85E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 43d4e3499973bd9b4227fc49754c5a663de4687906df1720a90d0e5284630dc5
Instruction ID: 52fa5c6e0083d5d0b09544eb4c1db3be0484b0e7cf4b53d3a79c66b97f6c3266
Opcode Fuzzy Hash: 43d4e3499973bd9b4227fc49754c5a663de4687906df1720a90d0e5284630dc5
Instruction Fuzzy Hash: 58318375600018EFCF16CF58D898EEA7BB6EF49710F04816AF9058B2A1C7399D61DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00730BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00730BF2

Part of subcall function 00715B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00777B20,?,?,00000000), ref: 00715B8C
Part of subcall function 00715B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00777B20,?,?,00000000,?,?), ref: 00715BB0

_fprintf.LIBCMT ref: 00730C29
OutputDebugStringW.KERNEL32(?), ref: 00766331

Part of subcall function 00734CDA: _flsall.LIBCMT ref: 00734CF3

__setmode.LIBCMT ref: 00730C5E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: b68f1f6fc62f58a935b99938d96de18e6f518b64e00438e772fdd21e5fde602e
Instruction ID: 273edf671ab0970a73d597a29dad5b19fa3fbbf5ee7e23b61599810111bf1f19
Opcode Fuzzy Hash: b68f1f6fc62f58a935b99938d96de18e6f518b64e00438e772fdd21e5fde602e
Instruction Fuzzy Hash: 5411E772904208EAEB0877B89C4A9FE7B6D9F81320F14415AF204972D3DE2D6D8647E5

Uniqueness

Uniqueness Score: -1.00%

Function 00768B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00768652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00768669
Part of subcall function 00768652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00768673
Part of subcall function 00768652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00768682
Part of subcall function 00768652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00768689
Part of subcall function 00768652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0076869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00768BEB
_memcmp.LIBCMT ref: 00768C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00768C44
HeapFree.KERNEL32(00000000), ref: 00768C4B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 129b68ac7587ed468eb818e77bbe4698921874b2587d8ff6819f2ff44c89c87b
Instruction ID: a758fcfedb3a94a750fb9383a7f27c96c516153406235c6f963d9a5ed58f9db3
Opcode Fuzzy Hash: 129b68ac7587ed468eb818e77bbe4698921874b2587d8ff6819f2ff44c89c87b
Instruction Fuzzy Hash: 6B21B071E41208EFDB00CFA4C949BEEB7B8EF44340F148199E855A7241EB39AE06CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00781A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00781A97

Part of subcall function 00781B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00781B40
Part of subcall function 00781B21: InternetCloseHandle.WININET(00000000), ref: 00781BDD

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 5966eff8cd5ce55026ba8512bc34e572894300075014e46f56f9fd124abdf70f
Instruction ID: 26dc3ecdfcc1ef96268ff8f5fc05d577cdef8445a4557f615b51483f64e4724c
Opcode Fuzzy Hash: 5966eff8cd5ce55026ba8512bc34e572894300075014e46f56f9fd124abdf70f
Instruction Fuzzy Hash: 0221F375281600BFDB15AF60CC04FBBBBADFF44701F50401AFA02D6651EB39D8129BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0076E1C4,?,?,?,0076EFB7,00000000,000000EF,00000119,?,?), ref: 0076F5BC
Part of subcall function 0076F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0076F5E2
Part of subcall function 0076F5AD: lstrcmpiW.KERNEL32(00000000,?,0076E1C4,?,?,?,0076EFB7,00000000,000000EF,00000119,?,?), ref: 0076F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0076EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0076E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0076E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0076EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0076E237

Strings

cdecl, xrefs: 0076E22E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d43de66846fa8bb3a8f6c228ff68d0d14b177a64df58b6c0ff01c270a90f7dc4
Instruction ID: 3e112b6517eedb7b289f2b44c796f51df07b83f3e184d2363052ca0c026140ea
Opcode Fuzzy Hash: d43de66846fa8bb3a8f6c228ff68d0d14b177a64df58b6c0ff01c270a90f7dc4
Instruction Fuzzy Hash: 9C11D37A200305EFCB25AF64DC49D7A77A9FF44310B40802AFC07CB264EB799851C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00745332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00745351

Part of subcall function 0073594C: __FF_MSGBANNER.LIBCMT ref: 00735963
Part of subcall function 0073594C: __NMSG_WRITE.LIBCMT ref: 0073596A
Part of subcall function 0073594C: RtlAllocateHeap.NTDLL(011D0000,00000000,00000001,00000000,?,?,?,00731013,?), ref: 0073598F

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4f3f75a9d7aac3db741208cc15c8a73b92a0e9fad0461d03ec91f0a1c76c15a1
Instruction ID: 25c740eb81706a794f3889ec6c325ab597d7328abd2abe71e42795123213d365
Opcode Fuzzy Hash: 4f3f75a9d7aac3db741208cc15c8a73b92a0e9fad0461d03ec91f0a1c76c15a1
Instruction Fuzzy Hash: 4211E332504B15EFDB312F70EC0866D3B98AF143A4F24452AF9449A193DF7D8D418790

Uniqueness

Uniqueness Score: -1.00%

Function 00714531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00714560

Part of subcall function 0071410D: _memset.LIBCMT ref: 0071418D
Part of subcall function 0071410D: _wcscpy.LIBCMT ref: 007141E1
Part of subcall function 0071410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007141F1

KillTimer.USER32(?,00000001,?,?), ref: 007145B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007145C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0074D6CE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 5ea8e4197acc6359931002e223d6d39c3c97d50362ba2dccfea8bce9876fc0b3
Instruction ID: 84f8f3224344793708a3cc4a44b50dc433b04ad43e385150e343c8ed131d3984
Opcode Fuzzy Hash: 5ea8e4197acc6359931002e223d6d39c3c97d50362ba2dccfea8bce9876fc0b3
Instruction Fuzzy Hash: B721D770904784AFEB328B24DC59BE7BBED9F01304F04009EE6DE96282C77C5E859B52

Uniqueness

Uniqueness Score: -1.00%

Function 007740B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007740D1
_memset.LIBCMT ref: 007740F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00774144
CloseHandle.KERNEL32(00000000), ref: 0077414D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: cd96a5cfc90b0d82c12efd8a9741ede050f5c920932f2cbafe7aeb35d809f433
Instruction ID: 4c6793bce501e72fb96119e3dfedd46c3c3c19de4002c6b5be6d17608901b5cd
Opcode Fuzzy Hash: cd96a5cfc90b0d82c12efd8a9741ede050f5c920932f2cbafe7aeb35d809f433
Instruction Fuzzy Hash: 2E11CD7590122C7AD7305BA59C4DFABBB7CEF44760F1041D6F908D7180D6784E80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0078667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00715B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00777B20,?,?,00000000), ref: 00715B8C
Part of subcall function 00715B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00777B20,?,?,00000000,?,?), ref: 00715BB0

gethostbyname.WSOCK32(?,?,?), ref: 007866AC
WSAGetLastError.WSOCK32(00000000), ref: 007866B7
_memmove.LIBCMT ref: 007866E4
inet_ntoa.WSOCK32(?), ref: 007866EF

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e9a415281c0efffe347b9cb59fa060917bb54a50d285602d103280f6c4e1f357
Instruction ID: d3fc8cd618babb0f8e3bcb28273b8621da7b86f31940aaa0bb5581d73717b926
Opcode Fuzzy Hash: e9a415281c0efffe347b9cb59fa060917bb54a50d285602d103280f6c4e1f357
Instruction Fuzzy Hash: 4E118E75600508EFCB04FBA8DD9ADEEB7B8AF44310B148025F502A71A1DF38AE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00769023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00769043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00769055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0076906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00769086

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2bf64babc0535b74ba3ce08b830c6243c8003d63cca9310492ee4402e71fe5b2
Instruction ID: 720601547871c17b11c509f4c061d53eff7909df4d47f0c613d87c2963709cc3
Opcode Fuzzy Hash: 2bf64babc0535b74ba3ce08b830c6243c8003d63cca9310492ee4402e71fe5b2
Instruction Fuzzy Hash: 37115E79900219FFDB10DFA5CD84EADFB78FB48310F204095EA05B7250D6716E11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00711290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00712612: GetWindowLongW.USER32(?,000000EB), ref: 00712623

DefDlgProcW.USER32(?,00000020,?), ref: 007112D8
GetClientRect.USER32(?,?), ref: 0074B84B
GetCursorPos.USER32(?), ref: 0074B855
ScreenToClient.USER32(?,?), ref: 0074B860

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8d8f84d163bbbd2e79911fde75684249fda2cee74cca2d378aef20874c603e42
Instruction ID: c1b7001c29771f6bac1bce1f7b1b02524213fee5e3ed4e5e664cbc4465195984
Opcode Fuzzy Hash: 8d8f84d163bbbd2e79911fde75684249fda2cee74cca2d378aef20874c603e42
Instruction Fuzzy Hash: 89112835A01119EFCF10DF98D8899EE77B8FB05301F504456FA01EB291C738AA92CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00771652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007701FD,?,00771250,?,00008000), ref: 0077166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,007701FD,?,00771250,?,00008000), ref: 00771694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007701FD,?,00771250,?,00008000), ref: 0077169E
Sleep.KERNEL32(?,?,?,?,?,?,?,007701FD,?,00771250,?,00008000), ref: 007716D1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 10c64b202f5660e40d1e508dedc568a7a517d0e9497012543d94e8a29119b060
Instruction ID: f3993b5cdf882606f796af5768de9c2a07c8ee950322d5160358a55b2e64851c
Opcode Fuzzy Hash: 10c64b202f5660e40d1e508dedc568a7a517d0e9497012543d94e8a29119b060
Instruction Fuzzy Hash: 46113C31C0151DDBCF009FA9D949AEEBB78FF09791F45805AE988F6240DF3855608BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00747207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0074722B

Part of subcall function 00747912: __fltout2.LIBCMT ref: 0074793B

__cftog_l.LIBCMT ref: 00747251
__cftoe_l.LIBCMT ref: 00747283

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 86a3d6d3502afee28d42fb7e8785a56504c5861b142635eb01fcce1758755eec
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F401403604414AFBCF1A5E94CC458EE3F72BF59351B598615FA1898031D37BC9B1EB81

Uniqueness

Uniqueness Score: -1.00%

Function 0079B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0079B59E
ScreenToClient.USER32(?,?), ref: 0079B5B6
ScreenToClient.USER32(?,?), ref: 0079B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0079B5F5

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4017a9f5a06949c3258826f2bc3c0f75cf5b442980aeee226be9669fd50f1e81
Instruction ID: 31be814abc5302bd7ed204a48d5b16018b68095cccf8656d6916457fda1cdbe0
Opcode Fuzzy Hash: 4017a9f5a06949c3258826f2bc3c0f75cf5b442980aeee226be9669fd50f1e81
Instruction Fuzzy Hash: 041146B5D00209EFDB41CF99D544AEEFBB5FB08310F108166E914E3220D735AA658F54

Uniqueness

Uniqueness Score: -1.00%

Function 0079B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0079B8FE
_memset.LIBCMT ref: 0079B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007D7F20,007D7F64), ref: 0079B93C
CloseHandle.KERNEL32 ref: 0079B94E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 319f4f8c5dadc680c90ecd5018f57a60039a6cb068e5907c033796cb271e38d5
Instruction ID: 3067510d08f9e9f01e8cf76ed7dfee68f2b5bb6c920564034ce2a1d884531d60
Opcode Fuzzy Hash: 319f4f8c5dadc680c90ecd5018f57a60039a6cb068e5907c033796cb271e38d5
Instruction Fuzzy Hash: 5BF05EB2645304BBF2242771AC4AFBB3B6DEB08354F408032FA08D5292E77D5902C7AC

Uniqueness

Uniqueness Score: -1.00%

Function 00776E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00776E88

Part of subcall function 0077794E: _memset.LIBCMT ref: 00777983

_memmove.LIBCMT ref: 00776EAB
_memset.LIBCMT ref: 00776EB8
LeaveCriticalSection.KERNEL32(?), ref: 00776EC8

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8aaf17a149c609dc19a63dca1bb88fc4860098ac83073a54ba4e1b160513fa8c
Instruction ID: e57f0b8569b0c65dbbfd2defbbae9bf62c455e1ad88825744a7e44d79972399f
Opcode Fuzzy Hash: 8aaf17a149c609dc19a63dca1bb88fc4860098ac83073a54ba4e1b160513fa8c
Instruction Fuzzy Hash: FDF0543A100204EBCF056F55DC89F4ABB2AEF45360F04C061FE089E217C739A911CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0079C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0071134D
Part of subcall function 007112F3: SelectObject.GDI32(?,00000000), ref: 0071135C
Part of subcall function 007112F3: BeginPath.GDI32(?), ref: 00711373
Part of subcall function 007112F3: SelectObject.GDI32(?,00000000), ref: 0071139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0079C030
LineTo.GDI32(00000000,?,?), ref: 0079C03D
EndPath.GDI32(00000000), ref: 0079C04D
StrokePath.GDI32(00000000), ref: 0079C05B

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 98e0fa51cddff0e0d0e59772338322add6c2c69aacb17e1535b73766d976b3dd
Instruction ID: 94340b9f6f9f5e6db1cafbd62307f1f5ec9aff4bead391345773e84e6b2f15ba
Opcode Fuzzy Hash: 98e0fa51cddff0e0d0e59772338322add6c2c69aacb17e1535b73766d976b3dd
Instruction Fuzzy Hash: B2F05E31105259FBDF126F99AC0AFCE3F69AF05311F148002FA11A50E2C77D5662DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0076A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0076A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0076A3AC
GetCurrentThreadId.KERNEL32 ref: 0076A3B3
AttachThreadInput.USER32(00000000), ref: 0076A3BA

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bd78623258671865141e1785ad2013430cb2c3201e0d517c84c2581fe45449b2
Instruction ID: c4757c347f8e4358e1df9d3cd769425453e24a4ada284b1a617c66a3aec71dc5
Opcode Fuzzy Hash: bd78623258671865141e1785ad2013430cb2c3201e0d517c84c2581fe45449b2
Instruction Fuzzy Hash: AFE06D32141328BADB201FA2DC0CEDB3F2CEF167A1F008026FA0AD4060C679C541CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00712218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00712231
SetTextColor.GDI32(?,000000FF), ref: 0071223B
SetBkMode.GDI32(?,00000001), ref: 00712250
GetStockObject.GDI32(00000005), ref: 00712258
GetWindowDC.USER32(?,00000000), ref: 0074C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0074C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0074C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0074C112
GetPixel.GDI32(00000000,?,?), ref: 0074C132
ReleaseDC.USER32(?,00000000), ref: 0074C13D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3f8b4dcd06ee19c5d0f98cfc7ab88537de7e4fc9e6ab8ecb02e8acb2bc29fb2a
Instruction ID: f8efa9a75c0cc46c695f04013ff97eb87bca1f726df3254be98ddbcf36078293
Opcode Fuzzy Hash: 3f8b4dcd06ee19c5d0f98cfc7ab88537de7e4fc9e6ab8ecb02e8acb2bc29fb2a
Instruction Fuzzy Hash: 52E06D32240248EADB215F68FC0D7D83B10EB06332F10C367FA69C80F1877949A2DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00768C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00768C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0076882E), ref: 00768C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0076882E), ref: 00768C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0076882E), ref: 00768C7E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2a9cdacfb366a3bab3f8770bf77dc33e1c5fab4d2e7f73fd6626fbf1281ffe06
Instruction ID: a1d0e7be9cabe1dbff3cf4898b36e9c28d15f1d98ce519d3787b610a165ef2e5
Opcode Fuzzy Hash: 2a9cdacfb366a3bab3f8770bf77dc33e1c5fab4d2e7f73fd6626fbf1281ffe06
Instruction Fuzzy Hash: C2E02672602210DBD7201FB06E0CB463FACEF50792F048829F646D9080DA3C8442CB31

Uniqueness

Uniqueness Score: -1.00%

Function 00752187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00752187
GetDC.USER32(00000000), ref: 00752191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007521B1
ReleaseDC.USER32(?), ref: 007521D2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e40b653a1db5ba38271a4523e417c51917c1946327ccd08bd5ec70f8cbf09e39
Instruction ID: 6ce6c59fa9359d66d247ae9093101ed88c39ca45d0b3195d2beb3fcb3c6df069
Opcode Fuzzy Hash: e40b653a1db5ba38271a4523e417c51917c1946327ccd08bd5ec70f8cbf09e39
Instruction Fuzzy Hash: 88E0C275840604EFDB019FA4C808A9D7BA5AB48351F20C426E95AE6260CB7C81829F45

Uniqueness

Uniqueness Score: -1.00%

Function 0075219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0075219B
GetDC.USER32(00000000), ref: 007521A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007521B1
ReleaseDC.USER32(?), ref: 007521D2

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a225dfcec5fc49419869a9bceea1170dbf4731aaa2700aaf037c3be4ef7446a8
Instruction ID: 4f2f68152c234b156ad3589429d1d3d11528e6ad47638baa17e6552ffd577f6c
Opcode Fuzzy Hash: a225dfcec5fc49419869a9bceea1170dbf4731aaa2700aaf037c3be4ef7446a8
Instruction Fuzzy Hash: E7E0E575800304AFCB019FA4C80869D7BA5AB4C310F20C426F95AE7260CB7C9142DF44

Uniqueness

Uniqueness Score: -1.00%

Function 007163A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%z, xrefs: 007163AE

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID:
String ID: %z
API String ID: 0-3155352665
Opcode ID: b6d37913951a7da5162ddd686b82d739df292bbd6b3c58e60f40e90d444eee36
Instruction ID: dacd2b02c47ccb83bfeb61e1392cc03679d65d9fd0edf9061fd1be2feb36f760
Opcode Fuzzy Hash: b6d37913951a7da5162ddd686b82d739df292bbd6b3c58e60f40e90d444eee36
Instruction Fuzzy Hash: 0FB18C75900209DACF24EF9CC4859EEB7B9FF44310F50412AE902A72D5EB389ED6CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0078B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0078B2C3

Strings

xr}, xrefs: 0078B2F9
xr}, xrefs: 0078B325

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __itow_s
String ID: xr}$xr}
API String ID: 3653519197-1129111282
Opcode ID: a0fad8c36614a66eef3427debdf578cc0140f35baf5352199b3915513c9dcb7a
Instruction ID: c41daf1a2e102925d7e48ce4840862365fd3bd5321f4413075b511d24e2cbe9d
Opcode Fuzzy Hash: a0fad8c36614a66eef3427debdf578cc0140f35baf5352199b3915513c9dcb7a
Instruction Fuzzy Hash: B3B18270A40205EFDB14EF58C895DEEB7B9FF58300F148459F9459B292EB78E981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0077B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0072FEC6: _wcscpy.LIBCMT ref: 0072FEE9

Part of subcall function 00719997: __itow.LIBCMT ref: 007199C2
Part of subcall function 00719997: __swprintf.LIBCMT ref: 00719A0C

__wcsnicmp.LIBCMT ref: 0077B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0077B361

Strings

LPT, xrefs: 0077B292

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 81105efe04b67d301edb1e5a0e7d0b26c9413090f4e2079c089f6a2ae87bd447
Instruction ID: c2d4103b291a5b76770c881614edbfd62d5b581589c5e7b666c7ad08e917ed9f
Opcode Fuzzy Hash: 81105efe04b67d301edb1e5a0e7d0b26c9413090f4e2079c089f6a2ae87bd447
Instruction Fuzzy Hash: C9617475A00215EFDF14DF98C895FAEB7B4EF08350F11806AF54AAB291D778AE81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00758A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00758B1E
_memmove.LIBCMT ref: 00758B78

Strings

Oar, xrefs: 00758BF2, 0075E39A, 0075E3B6

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _memmove
String ID: Oar
API String ID: 4104443479-1181374745
Opcode ID: 4a22dd31e8c84695dab09dd596700991f57f119b0e5a392e41e06bbb1dcf854f
Instruction ID: f877d0af22ee3e734802dc920c6a95e48e1faf8ce998a63334292bf67edc48b4
Opcode Fuzzy Hash: 4a22dd31e8c84695dab09dd596700991f57f119b0e5a392e41e06bbb1dcf854f
Instruction Fuzzy Hash: E65193B0A00619DFCF64CF68D880AEEB7F5FF44305F14852AE85AE7240DB78A959CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00722AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00722AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00722AE1

Strings

@, xrefs: 00722AD5

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 92fd576a1b39ab2714848a76bc7ce07da4ef810bf390881b836b1d5aa6536ddd
Instruction ID: ef0fba987fb47297f743402821b2067edf5ff459656ed68fc33b18d4660635c8
Opcode Fuzzy Hash: 92fd576a1b39ab2714848a76bc7ce07da4ef810bf390881b836b1d5aa6536ddd
Instruction Fuzzy Hash: BD515771418745DBD320AF14D89ABAFBBE8FF84310F42885DF2D9511A1DB38856ACB26

Uniqueness

Uniqueness Score: -1.00%

Function 007799BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0071506B: __fread_nolock.LIBCMT ref: 00715089

_wcscmp.LIBCMT ref: 00779AAE
_wcscmp.LIBCMT ref: 00779AC1

Strings

FILE, xrefs: 007799FA

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 65a13efbb0960fcafd3de364793e6eaff91191a83f082d4c12f06433c0fa2cd7
Instruction ID: 706299e1fc9d75930db1e925b997d36baff297a4a728d681bba2b6b3bcb0ecc9
Opcode Fuzzy Hash: 65a13efbb0960fcafd3de364793e6eaff91191a83f082d4c12f06433c0fa2cd7
Instruction Fuzzy Hash: 06410BB1A00609FADF209AE4DC4AFEFB7BDDF49710F004079FA04A71C1D679AA4487A1

Uniqueness

Uniqueness Score: -1.00%

Function 0075099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007509A9

Strings

Dt}, xrefs: 0071A477
Dt}, xrefs: 0071A2B1

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClearVariant
String ID: Dt}$Dt}
API String ID: 1473721057-2180860347
Opcode ID: ef23ed300061f34ddba4004e1f9dcd588e231cc1c98ef6c06e545b6d65b83731
Instruction ID: 7f5dd92c8dedcfd6c3af3e4a558e8b276e14807bab1643bc7e56fe5437dd20db
Opcode Fuzzy Hash: ef23ed300061f34ddba4004e1f9dcd588e231cc1c98ef6c06e545b6d65b83731
Instruction Fuzzy Hash: 0D5117B4609342DFC754CF18C480A9ABBF1BF99354F54885DE9858B3A1E379EC85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00782882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00782892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007828C8

Strings

|, xrefs: 00782899

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 7cb02b4c8c76cca53ccd395e04660c3409986107b1389cb89913c15bcf0922c0
Instruction ID: de7028be789ddba2f6e73a95986df196fb819e0c9c9830ce1d2363ea55221406
Opcode Fuzzy Hash: 7cb02b4c8c76cca53ccd395e04660c3409986107b1389cb89913c15bcf0922c0
Instruction Fuzzy Hash: 28311A71800119EFCF05AFA5CC89EEEBFB9FF08300F104029F815A6166DB355A96DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00796CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00796D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00796DC2

Strings

static, xrefs: 00796D22

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d7c8a22573813a9451c523529a652bbf95571d87506aa9352d1e24a7a1c2b8d3
Instruction ID: edca03094a7aa0f19151e492f15750da4d99c126ac976333a3369f056038025d
Opcode Fuzzy Hash: d7c8a22573813a9451c523529a652bbf95571d87506aa9352d1e24a7a1c2b8d3
Instruction Fuzzy Hash: 70319C71210604AADF109F68EC84AFB77B9FF48720F508619F9A5D7190DA39AC91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00772D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00772E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00772E3B

Strings

0, xrefs: 00772DF9

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d5c066a720178c783e94dd14416ca9a67860bb80a0d34b57132a15890066db81
Instruction ID: 0510371890718ff711eebfe727d9cc40f9ce50faa9b5a082fde5263c4176fb85
Opcode Fuzzy Hash: d5c066a720178c783e94dd14416ca9a67860bb80a0d34b57132a15890066db81
Instruction Fuzzy Hash: 0731EB31600305DBEF248F54C849BAE7BB5FF05390F24802EE9E9D61A2D7B89942CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00796943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007969D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007969DB

Strings

Combobox, xrefs: 0079699D

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6f4aaf76ebae4f7c29769e07a1a0b6ab7e1703c211ed5623d5e3796042512e5d
Instruction ID: d6b0ec9ade24d55c8b12cde219737e64da4372a1e590a827d2905d63654a62f3
Opcode Fuzzy Hash: 6f4aaf76ebae4f7c29769e07a1a0b6ab7e1703c211ed5623d5e3796042512e5d
Instruction Fuzzy Hash: 5C11C871700208AFEF119F14EC91FFB376EEB993B4F114229F95897290D679AC5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00796E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00711D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00711D73
Part of subcall function 00711D35: GetStockObject.GDI32(00000011), ref: 00711D87
Part of subcall function 00711D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00711D91

GetWindowRect.USER32(00000000,?), ref: 00796EE0
GetSysColor.USER32(00000012), ref: 00796EFA

Strings

static, xrefs: 00796EBD

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4435e44aee9369eeca13aa1dcb738636c4e491e9d495c492fe57550651007652
Instruction ID: 7dfedeaeb7c54e0dc08ed3086615c8a602ecb6cfc55f8902a1a5921ad9c594d7
Opcode Fuzzy Hash: 4435e44aee9369eeca13aa1dcb738636c4e491e9d495c492fe57550651007652
Instruction Fuzzy Hash: 5221267261020AAFDF04DFA8ED45AEA7BB9FB08314F054629F955D3250E638E8619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00796B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00796C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00796C20

Strings

edit, xrefs: 00796BF5

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 4cc86fa58762f84cd20454cd3b9fd03490f8780f48062ea0ff9cdb46f6acbb47
Instruction ID: 8cb69ffc2326391003612ddc1a8fc05b9c8acec2ebd040b4fbd90a43287bd440
Opcode Fuzzy Hash: 4cc86fa58762f84cd20454cd3b9fd03490f8780f48062ea0ff9cdb46f6acbb47
Instruction Fuzzy Hash: 7C11BCB1100208ABEF108F64EC45EEB3B69EB05378F604724FA60D71E0D739EC919B60

Uniqueness

Uniqueness Score: -1.00%

Function 00772E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00772F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00772F30

Strings

0, xrefs: 00772F07

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2928f24332f9db02196e8cf4ed6bf86ed355857d72f8dcc15b5a8a987584f327
Instruction ID: 8bd058139bfde1e6f39709fc91014f214af5e1fbad49b24d8f9a300277d32c02
Opcode Fuzzy Hash: 2928f24332f9db02196e8cf4ed6bf86ed355857d72f8dcc15b5a8a987584f327
Instruction Fuzzy Hash: 1411B231901214ABDF24DB58DC48F9977B9EB05390F14C0B6E868A72A2D7B8AD06C795

Uniqueness

Uniqueness Score: -1.00%

Function 007824CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00782520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00782549

Strings

<local>, xrefs: 00782511

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0bd90ef4d4bd6eed427ec9667158560bdf066cf7b7d11e8cd1178b5518075520
Instruction ID: 3905cfa481db5cd216fc579ae999f75e2e7980c9501b882a6ee63c22a3eb976a
Opcode Fuzzy Hash: 0bd90ef4d4bd6eed427ec9667158560bdf066cf7b7d11e8cd1178b5518075520
Instruction Fuzzy Hash: C311C6B05C1225BADB24AF518C99EBBFF68FF06752F10816AF90586041D2785D62D7F0

Uniqueness

Uniqueness Score: -1.00%

Function 007880A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0078830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007880C8,?,00000000,?,?), ref: 00788322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007880CB
htons.WSOCK32(00000000,?,00000000), ref: 00788108

Strings

255.255.255.255, xrefs: 007880E3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 6892e66cf92d8c8c470b357575b621733e6d15ab440648eee4c7462f654cbd80
Instruction ID: 53904705ae8efda5ab111af1c20fa084a8b9b051d8f9eed8da72c20e04a5bcc6
Opcode Fuzzy Hash: 6892e66cf92d8c8c470b357575b621733e6d15ab440648eee4c7462f654cbd80
Instruction Fuzzy Hash: F711A574540209EBDB20AFA4CC8AFEDB764FF44310F50852BE911972D1DF75A815C796

Uniqueness

Uniqueness Score: -1.00%

Function 00720A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00713C26,007D62F8,?,?,?), ref: 00720ACE

Part of subcall function 00717D2C: _memmove.LIBCMT ref: 00717D66

_wcscat.LIBCMT ref: 007550E1

Strings

c}, xrefs: 00720B0E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c}
API String ID: 257928180-2220204409
Opcode ID: 998fc1f3e53bc5568d32445ce2743ef2912e774949f89535b258b06b63546b43
Instruction ID: 59d5334083f624ae1f480509fc0c948590523e0f14b039398b0c61d8b424dc03
Opcode Fuzzy Hash: 998fc1f3e53bc5568d32445ce2743ef2912e774949f89535b258b06b63546b43
Instruction Fuzzy Hash: CF116975A0421CDB8B50EBB4EC45DD977B8FF08350B0040A6B988D7292DA7CDAC49765

Uniqueness

Uniqueness Score: -1.00%

Function 007692E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 0076B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0076B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00769355

Strings

ListBox, xrefs: 0076931F
ComboBox, xrefs: 007692F4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3322a4daf3f475955bba424a9743c3d2f36b8580d01d3394cab23b3b75453820
Instruction ID: fa2dcf6e0eca22e7b4d6482bf4773168602817e566ed11b98c1b3bd955c298f7
Opcode Fuzzy Hash: 3322a4daf3f475955bba424a9743c3d2f36b8580d01d3394cab23b3b75453820
Instruction Fuzzy Hash: A901DE71A41214EB8B08EBA4CC9ACFE776DBF06320B100619FA33A73D1DB3959488650

Uniqueness

Uniqueness Score: -1.00%

Function 007691DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 0076B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0076B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0076924D

Strings

ListBox, xrefs: 00769217
ComboBox, xrefs: 007691EC

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0be4d963b15bf48f1e6074cf07041bdb348041689be3560e086d08acfc0eb6ef
Instruction ID: a59a6cd44dce39c89db3a2b9203f8f0cce3ad9660e2f459fd6710b570d6587d0
Opcode Fuzzy Hash: 0be4d963b15bf48f1e6074cf07041bdb348041689be3560e086d08acfc0eb6ef
Instruction Fuzzy Hash: 31018471A41204FBCB08EBA4C9AAEFF77ACAF45300F140119BA13672C1EB295F5C9671

Uniqueness

Uniqueness Score: -1.00%

Function 00769264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717F41: _memmove.LIBCMT ref: 00717F82

Part of subcall function 0076B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0076B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 007692D0

Strings

ListBox, xrefs: 0076929C
ComboBox, xrefs: 00769271

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cca1f2a91e1a326254d23d6f9ea6d9fa3aba424e9e55467c5d57b088dfc370a1
Instruction ID: ed9ebf648d2ba1a296e96e1eaee9ae4c92cd22defa322f8cd9489f0ee16d22f4
Opcode Fuzzy Hash: cca1f2a91e1a326254d23d6f9ea6d9fa3aba424e9e55467c5d57b088dfc370a1
Instruction Fuzzy Hash: 56014471A41104FBCB04E6A4C996EEF77ACAF15300B144119BD13A32C1DA295E5D9665

Uniqueness

Uniqueness Score: -1.00%

Function 00736DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00736DD0
__calloc_crt.LIBCMT ref: 00736DE9

Strings

@R}, xrefs: 00736E00

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: __calloc_crt
String ID: @R}
API String ID: 3494438863-702703237
Opcode ID: 3bc3cf847315747f759569025fb18f95ff3dc08da6a73520bf998a27ba5ac19b
Instruction ID: 074ccf1cd24bfeb967b45c69ff64c598603330b93b24d62abbec0a4bd3519787
Opcode Fuzzy Hash: 3bc3cf847315747f759569025fb18f95ff3dc08da6a73520bf998a27ba5ac19b
Instruction Fuzzy Hash: 3DF0627135A716BBFB24DF59FD05B6127A5F710720F10C43BF140CA296EB3CA8818699

Uniqueness

Uniqueness Score: -1.00%

Function 007751CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007751E8
_wcscmp.LIBCMT ref: 007751FA

Strings

#32770, xrefs: 007751F4

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c71fd2a90955572ad2bd697e356ba733c99ff2e6c635be14576efd9f47be4296
Instruction ID: 8e17bf845bff2090df9e261768163578926512da2bfcee5e7eef5cc236542afb
Opcode Fuzzy Hash: c71fd2a90955572ad2bd697e356ba733c99ff2e6c635be14576efd9f47be4296
Instruction Fuzzy Hash: A6E06872A0022C2BE720AB99AC4AFA7F7ECFB40771F00006BFD14D3041E5689A158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 007681BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007681CA

Part of subcall function 00733598: _doexit.LIBCMT ref: 007335A2

Strings

AutoIt, xrefs: 007681BE
Error allocating memory., xrefs: 007681C3

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 3cbf140f1134003da54af468a9a94c6e74e1dd1ab879410aac66a5e993f6946e
Instruction ID: 5331548cc87b6c05462ea27bd1c9f7f3d29a78ce99fec041e15d0f19c5f691e3
Opcode Fuzzy Hash: 3cbf140f1134003da54af468a9a94c6e74e1dd1ab879410aac66a5e993f6946e
Instruction Fuzzy Hash: 66D05B323C535872E25832B96C0FFC676884B05B52F44402AFB08955D38DDD55D242ED

Uniqueness

Uniqueness Score: -1.00%

Function 0074B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0074B564: _memset.LIBCMT ref: 0074B571

Part of subcall function 00730B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0074B540,?,?,?,0071100A), ref: 00730B89

IsDebuggerPresent.KERNEL32(?,?,?,0071100A), ref: 0074B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0071100A), ref: 0074B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0074B54E

Memory Dump Source

Source File: 00000000.00000002.1676736422.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1676717899.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.000000000079F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676825275.00000000007C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676869033.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1676894815.00000000007E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_PDT_7367027738832_789257820__________________________.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 44e3f56a4f44e01ee77d92b72a610fcdafe6e91f342850534beded644f529267
Instruction ID: 5a23db2c037dfb0b9eaeb50bed38e3e2e760c0ef867b2abe61ae6e943e847298
Opcode Fuzzy Hash: 44e3f56a4f44e01ee77d92b72a610fcdafe6e91f342850534beded644f529267
Instruction Fuzzy Hash: 4FE06DB02003108BD320DF29D808386FBE0BB04754F00892DE446C2651D7BCE845CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDT_7367027738832_789257820__________________________.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut6466.tmp

C:\Users\user\AppData\Local\Temp\aut6503.tmp

C:\Users\user\AppData\Local\Temp\electicism

C:\Users\user\AppData\Local\Temp\phytographical

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
PDT_7367027738832_789257820__________________________.exe

Function 00713B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00714FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00714AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 007793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00713015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 00713041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 007171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00713633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00713A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00713778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0071F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 009F2650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 007139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 009F2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Function 0071410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre