Edit tour

Windows Analysis Report
r)_78768.exe

Overview

General Information

Sample name:	r)_78768.exe renamed because original name is a hash value
Original sample name:	(Purchase Order)_78768.exe
Analysis ID:	1430779
MD5:	19bfc45905c5ffc65bc1eb28653c8d5a
SHA1:	0ffd6ef93cd63cfbf559713b26c3b40f3b205ad4
SHA256:	ae9f157e9ac6956863d36c82f45f27fa14fa6f78ad98ba73218593b5d32f44c6
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

r)_78768.exe (PID: 5368 cmdline: "C:\Users\user\Desktop\r)_78768.exe" MD5: 19BFC45905C5FFC65BC1EB28653C8D5A)

RegSvcs.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\r)_78768.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "mybloddycockcpanel_owner@elquijotebanquetes.com", "Password": "4r@d15PS!-!h"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3476f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3486b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31783:$s2: GetPrivateProfileString 0x30d7a:$s3: get_OSFullName 0x32505:$s5: remove_Key 0x326e8:$s5: remove_Key 0x335e8:$s6: FtpWebRequest 0x34655:$s7: logins 0x34bc7:$s7: logins 0x378aa:$s7: logins 0x3798a:$s7: logins 0x392dd:$s7: logins 0x38524:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3350699056.0000000002755000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: r)_78768.exe PID: 5368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: r)_78768.exe PID: 5368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: r)_78768.exe PID: 5368	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6944	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6944	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.r)_78768.exe.37b0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.r)_78768.exe.37b0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.r)_78768.exe.37b0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32873:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x328e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3296f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32a01:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32a6b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32add:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32b73:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32c03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.r)_78768.exe.37b0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f983:$s2: GetPrivateProfileString 0x2ef7a:$s3: get_OSFullName 0x30705:$s5: remove_Key 0x308e8:$s5: remove_Key 0x317e8:$s6: FtpWebRequest 0x32855:$s7: logins 0x32dc7:$s7: logins 0x35aaa:$s7: logins 0x35b8a:$s7: logins 0x374dd:$s7: logins 0x36724:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3476f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3486b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31783:$s2: GetPrivateProfileString 0x30d7a:$s3: get_OSFullName 0x32505:$s5: remove_Key 0x326e8:$s5: remove_Key 0x335e8:$s6: FtpWebRequest 0x34655:$s7: logins 0x34bc7:$s7: logins 0x378aa:$s7: logins 0x3798a:$s7: logins 0x392dd:$s7: logins 0x38524:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.r)_78768.exe.37b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.r)_78768.exe.37b0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.r)_78768.exe.37b0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.r)_78768.exe.37b0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34673:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x346e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3476f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34801:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3486b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x348dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34973:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34a03:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.r)_78768.exe.37b0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31783:$s2: GetPrivateProfileString 0x30d7a:$s3: get_OSFullName 0x32505:$s5: remove_Key 0x326e8:$s5: remove_Key 0x335e8:$s6: FtpWebRequest 0x34655:$s7: logins 0x34bc7:$s7: logins 0x378aa:$s7: logins 0x3798a:$s7: logins 0x392dd:$s7: logins 0x38524:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "mybloddycockcpanel_owner@elquijotebanquetes.com", "Password": "4r@d15PS!-!h"}

Multi AV Scanner detection for submitted file

Source: r)_78768.exe	ReversingLabs: Detection: 36%
Source: r)_78768.exe	Virustotal: Detection: 42%			Perma Link

Machine Learning detection for sample

Source: r)_78768.exe

Joe Sandbox ML: detected

Source: r)_78768.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: r)_78768.exe, 00000000.00000003.2101942253.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, r)_78768.exe, 00000000.00000003.2101005906.00000000037F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: r)_78768.exe, 00000000.00000003.2101942253.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, r)_78768.exe, 00000000.00000003.2101005906.00000000037F0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D14696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D14696
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D1C9C7
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1C93C FindFirstFileW,FindClose,	0_2_00D1C93C
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1F200
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1F35D
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D1F65E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D13A2B
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D13D4E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D1BF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D225E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00D225E2

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3350699056.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: r)_78768.exe, 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3350570623.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting-0?
Source: RegSvcs.exe, 00000002.00000002.3350570623.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting80
Source: RegSvcs.exe, 00000002.00000002.3350699056.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: r)_78768.exe, 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, xljC6U.cs

.Net Code: YPw7g

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D2425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D2425A

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D24458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D24458

Source: C:\Users\user\Desktop\r)_78768.exe

0_2_00D2425A

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D10219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00D10219

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D3CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D3CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00CB3B4C
Source: r)_78768.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: r)_78768.exe, 00000000.00000000.2092055993.0000000000D65000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8a82333f-c
Source: r)_78768.exe, 00000000.00000000.2092055993.0000000000D65000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7c190585-1
Source: r)_78768.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_08d1f022-e
Source: r)_78768.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ef181ae8-f

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D140B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00D140B1

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D08858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D08858

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D1545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D1545F

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBE800	0_2_00CBE800
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CDDBB5	0_2_00CDDBB5
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D3804A	0_2_00D3804A
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBE060	0_2_00CBE060
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC4140	0_2_00CC4140
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD2405	0_2_00CD2405
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CE6522	0_2_00CE6522
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CE267E	0_2_00CE267E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D30665	0_2_00D30665
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC6843	0_2_00CC6843
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD283A	0_2_00CD283A
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CE89DF	0_2_00CE89DF
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D30AE2	0_2_00D30AE2
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CE6A94	0_2_00CE6A94
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC8A0E	0_2_00CC8A0E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D18B13	0_2_00D18B13
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D0EB07	0_2_00D0EB07
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CDCD61	0_2_00CDCD61
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CE7006	0_2_00CE7006
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC3190	0_2_00CC3190
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC710E	0_2_00CC710E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CB1287	0_2_00CB1287
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD33C7	0_2_00CD33C7
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CDF419	0_2_00CDF419
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD16C4	0_2_00CD16C4
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC5680	0_2_00CC5680
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC58C0	0_2_00CC58C0
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD78D3	0_2_00CD78D3
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD1BB8	0_2_00CD1BB8
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CE9D05	0_2_00CE9D05
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBFE40	0_2_00CBFE40
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD1FD0	0_2_00CD1FD0
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CDBFE6	0_2_00CDBFE6
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00E136B0	0_2_00E136B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00ACA358	2_2_00ACA358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00AC4AA0	2_2_00AC4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00ACAB10	2_2_00ACAB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00AC3E88	2_2_00AC3E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00AC41D0	2_2_00AC41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_061A4200	2_2_061A4200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_061A2348	2_2_061A2348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_061A59A8	2_2_061A59A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_061A0040	2_2_061A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_061A52C0	2_2_061A52C0

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: String function: 00CD8B40 appears 42 times
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: String function: 00CD0D27 appears 70 times
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: String function: 00CB7F41 appears 35 times

Source: r)_78768.exe, 00000000.00000003.2102202419.0000000003963000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs r)_78768.exe
Source: r)_78768.exe, 00000000.00000003.2101942253.0000000003B0D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs r)_78768.exe
Source: r)_78768.exe, 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef45b853c-c9d3-495e-9acb-d41a4a90029f.exeP vs r)_78768.exe

Source: r)_78768.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, 9O2OLI.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, hdYUG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, LGBZ4N2f.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, F8OmG.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, Bgo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, k7FmsUgnvL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, dVjkZ3EEsen.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D1A2D5 GetLastError,FormatMessageW,

0_2_00D1A2D5

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D08713 AdjustTokenPrivileges,CloseHandle,		0_2_00D08713
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D08CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D08CC3

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D1B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D1B59E

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D2F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D2F121

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D286D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00D286D0

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CB4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CB4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\r)_78768.exe

File created: C:\Users\user\AppData\Local\Temp\aut3B9B.tmp

Jump to behavior

Source: r)_78768.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\r)_78768.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3350699056.000000000281C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.000000000282F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: r)_78768.exe	ReversingLabs: Detection: 36%
Source: r)_78768.exe	Virustotal: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\r)_78768.exe "C:\Users\user\Desktop\r)_78768.exe"
Source: C:\Users\user\Desktop\r)_78768.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\r)_78768.exe"
Source: C:\Users\user\Desktop\r)_78768.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\r)_78768.exe"	Jump to behavior

Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: r)_78768.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: r)_78768.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: r)_78768.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: r)_78768.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: r)_78768.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: r)_78768.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: r)_78768.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: r)_78768.exe, 00000000.00000003.2101942253.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, r)_78768.exe, 00000000.00000003.2101005906.00000000037F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: r)_78768.exe, 00000000.00000003.2101942253.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, r)_78768.exe, 00000000.00000003.2101005906.00000000037F0000.00000004.00001000.00020000.00000000.sdmp

Source: r)_78768.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: r)_78768.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: r)_78768.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: r)_78768.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: r)_78768.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D2C304 LoadLibraryA,GetProcAddress,

0_2_00D2C304

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D0019E pushfd ; iretd	0_2_00D001A5
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D00181 pushfd ; iretd	0_2_00D00195
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D001B7 pushfd ; iretd	0_2_00D001C1
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D001A6 pushfd ; iretd	0_2_00D001AD
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D001AE pushfd ; iretd	0_2_00D001B1
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D002AB push FFFFFFC0h; iretd	0_2_00D002AD
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC64F push FFFFFFC5h; retf	0_2_00CBC656
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC64C push FFFFFFC5h; retf	0_2_00CBC64E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC94C push ds; iretd	0_2_00CBC94D
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC946 push ds; iretd	0_2_00CBC949
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC95E push ds; iretd	0_2_00CBC961
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC950 push ds; iretd	0_2_00CBC951
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC927 push ds; iretd	0_2_00CBC929
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC93F push ds; iretd	0_2_00CBC945
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CB6930 push 67ED00CBh; retf	0_2_00CB693A
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC937 push ds; iretd	0_2_00CBC93D
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBC934 push ds; iretd	0_2_00CBC935
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC0A47 push eax; iretd	0_2_00CC0A51
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC0A68 push eax; iretd	0_2_00CC0A69
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC0A64 push eax; iretd	0_2_00CC0A65
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CC0A3B push eax; iretd	0_2_00CC0A41
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CD8B85 push ecx; ret	0_2_00CD8B98
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBB88B push cs; iretd	0_2_00CBB892
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBB889 push cs; iretd	0_2_00CBB88A
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBB894 push cs; iretd	0_2_00CBB89A
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CBB840 push cs; iretd	0_2_00CBB872
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CF1A8E push ss; iretd	0_2_00CF1A90
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CF1A9D push ss; iretd	0_2_00CF1AA0
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CF1A9A push ss; iretd	0_2_00CF1A9C
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CF1AA2 push ss; iretd	0_2_00CF1AAC
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CF1A3A push ss; iretd	0_2_00CF1A3C

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CB4A35
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D355FD

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CD33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00CD33C7

Source: C:\Users\user\Desktop\r)_78768.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\r)_78768.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: r)_78768.exe PID: 5368, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegSvcs.exe, 00000002.00000002.3350699056.00000000027F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLT-
Source: r)_78768.exe, 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.0000000002755000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\r)_78768.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-101914

Source: C:\Users\user\Desktop\r)_78768.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D14696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D14696
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00D1C9C7
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1C93C FindFirstFileW,FindClose,	0_2_00D1C93C
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1F200
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D1F35D
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D1F65E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D13A2B
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D13D4E
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00D1BF27

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB4AFE

Source: RegSvcs.exe, 00000002.00000002.3350699056.0000000002755000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.3350699056.0000000002755000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.3351659922.0000000005B5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\r)_78768.exe	API call chain: ExitProcess graph end node			graph_0-99116
Source: C:\Users\user\Desktop\r)_78768.exe	API call chain: ExitProcess graph end node			graph_0-99182

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00AC7090 CheckRemoteDebuggerPresent,

2_2_00AC7090

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D241FD BlockInput,

0_2_00D241FD

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CB3B4C

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CE5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00CE5CCC

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D2C304 LoadLibraryA,GetProcAddress,

0_2_00D2C304

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00E135A0 mov eax, dword ptr fs:[00000030h]	0_2_00E135A0
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00E13540 mov eax, dword ptr fs:[00000030h]	0_2_00E13540
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00E11ED0 mov eax, dword ptr fs:[00000030h]	0_2_00E11ED0

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00D081F7

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CDA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00CDA395
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00CDA364 SetUnhandledExceptionFilter,		0_2_00CDA364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\r)_78768.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\r)_78768.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 657008

Jump to behavior

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D08C93 LogonUserW,

0_2_00D08C93

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CB3B4C

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00CB4A35

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D14EC9 mouse_event,

0_2_00D14EC9

Source: C:\Users\user\Desktop\r)_78768.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\r)_78768.exe"

Jump to behavior

Source: C:\Users\user\Desktop\r)_78768.exe

0_2_00D081F7

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00D14C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D14C03

Source: r)_78768.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: r)_78768.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CD886B cpuid

0_2_00CD886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CE50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CE50D7

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CF2230 GetUserNameW,

0_2_00CF2230

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CE418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00CE418A

Source: C:\Users\user\Desktop\r)_78768.exe

Code function: 0_2_00CB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r)_78768.exe PID: 5368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6944, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: r)_78768.exe	Binary or memory string: WIN_81
Source: r)_78768.exe	Binary or memory string: WIN_XP
Source: r)_78768.exe	Binary or memory string: WIN_XPe
Source: r)_78768.exe	Binary or memory string: WIN_VISTA
Source: r)_78768.exe	Binary or memory string: WIN_7
Source: r)_78768.exe	Binary or memory string: WIN_8
Source: r)_78768.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3350699056.0000000002755000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r)_78768.exe PID: 5368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6944, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.r)_78768.exe.37b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: r)_78768.exe PID: 5368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6944, type: MEMORYSTR

Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D26596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00D26596
Source: C:\Users\user\Desktop\r)_78768.exe	Code function: 0_2_00D26A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D26A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	551 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Virtualization/Sandbox Evasion	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r)_78768.exe	37%	ReversingLabs	Win32.Trojan.Strab
r)_78768.exe	43%	Virustotal		Browse
r)_78768.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://ip-api.com/line/?fields=hosting80	RegSvcs.exe, 00000002.00000002.3350570623.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.dyn.com/	r)_78768.exe, 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3350699056.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hosting-0?	RegSvcs.exe, 00000002.00000002.3350570623.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3350699056.0000000002721000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3350699056.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430779
Start date and time:	2024-04-24 07:12:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r)_78768.exe renamed because original name is a hash value
Original Sample Name:	(Purchase Order)_78768.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting
	X1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\r)_78768.exe
File Type:	data
Category:	dropped
Size (bytes):	158870
Entropy (8bit):	7.922782759227117
Encrypted:	false
SSDEEP:	3072:gR3eXG5SdPyH+Gkk4t2WQQu40Z74VmPRZ1xFTQz03WyKSY:IOXkKPPGkkLHQi4VmP1Y8zY
MD5:	A891E4A7C235B627686B79E43D7C4660
SHA1:	80509B40FA8C666E711D5AF02ED1E1BEA3929841
SHA-256:	C22B3EC452D4317E006422A86F197A17210B6AD86ACA49D4EB170B855C6D9AE1
SHA-512:	3D2BB05B0605B93D9501FEAA27E2935C3081640BE34B56BD4E6CE7B41CD774FCEC5C4DBF5E50F4C253D749471892515C22E82DD977A9781E2314120A6188C4B6
Malicious:	false
Reputation:	low
Preview:	EA06........$.3.NjT.."sC..t..J.O.T...<..4V...,.sC...f..5....K.`.......U`y.......z...3.Yj..m~[?..&.I.yp..b.;.Z'5.M.V.....N../P.B.4I.....4kWO.T....J...L(...,Z.......hl...DBaG..A.....i.x...9..l.i.<....t....i.L(....P.4;..T.Q....F...._=.iI.......bsZ...r.P.F..;k..'tP.......@.......'z.O.L..)..H.h.N]p.B..4y.._.J.E...5It.Y2.V....L.. .....r....y....8.f...3GP..`.............k.....\|..1...o3.<....J8.N..E......:....9}Xe...q.....P.........?.m..<.R.=.._....S:,..%..&:Jn..l..l.x...I..(...k}..V.M......_.)6.Dc..D..H+...A>.....VoZ.........gr.n.fs..S:D..!.[.=.W..Q..<...~T..M.4....9.. @..x.@..u....r..@.[17..u...Br.h].......Wh..'FUB...G......z.~..U...P.Fv.......\|.....V>..[.....zo...`.I,..I..!.z4.1..+....\|..:M.mW.R...6.{..r1-\....l\|].....830.ln&.]..1...........u9..F.q0..7S>..O.Vk....;.....yF.D!.....I.H'.7X.L5.Mb....f..UbsX.........H.UJl....S..J,..8.S.....a..%.z}B.-.........3...M.^...l...Vf..X.Ae..gS.M..K.F/.Z.J....(.H.M8.lh....B..bU.....s..m...y.P.

C:\Users\user\AppData\Local\Temp\aut3BFA.tmp

Download File

Process:	C:\Users\user\Desktop\r)_78768.exe
File Type:	data
Category:	dropped
Size (bytes):	9954
Entropy (8bit):	7.5864355242289765
Encrypted:	false
SSDEEP:	192:m+cKTG02JtOno/1F8+szxWdxvzYSjB6ajnsDCRCnECYXp:97TGRJtOnojddlTB6IJmENp
MD5:	81B6A2C00F9F52D31486F5138ED12382
SHA1:	17A5E82C9551DAB5088A32196BA6AB9410627A48
SHA-256:	AE591270D5DF6FF2D9CC52504EB1879680E11299A87B2216098B96E683B2ED81
SHA-512:	E651B91931831BEB482D541F9532FC5F4F6CA678898BA526E41B82A86A5CA465BDCE808774EE6390ABADE48655446F8866FDBE1F608B1FDB1B8373AC72E90525
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\derogates

Download File

Process:	C:\Users\user\Desktop\r)_78768.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.552938221328909
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbYE+I563b4vfF3if6gyd:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rt
MD5:	A1AB00EFB91025B54086AC779C06912F
SHA1:	F5DDBB16771CA24AFDB97123E58B302373008523
SHA-256:	AF1EFAB04356D2265B10D1F371A54AB990DFCC8A2F3209FC58A4B235933D7EFD
SHA-512:	77BA65333B06B2F1DE2CD02BDB7B5D59664E072DCBA6819BAAEE53EE9073C101ACE441442FBDC3952125FEFAC495448AC9B6BB7B8361874B1D1B4DFF40DFEE32
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\putrefactible

Download File

Process:	C:\Users\user\Desktop\r)_78768.exe
File Type:	data
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.694787293084107
Encrypted:	false
SSDEEP:	6144:G38G7XjGW2AGYjP72eJ0HnKP3xCp2lCnbpPxTsHAIjxq25EvC3H+VwEnS:s5MYfzwTsHACzJH+Vw
MD5:	1009A51DA342B1FCBECC5314F5F1CEB9
SHA1:	E69082504D3A6F672B7C62A58153385C27DF4FE5
SHA-256:	5F4C89955B051531BE7DDF7576A68C2DBCA585600A516373EBAF53F0805AF5E8
SHA-512:	A2541416249D999053FD863D834943DAD2BBB5BA5A12609840DCB3E96E3065B4A4B0B9BB0510DDBCF02404C842EBE66040ED74392ED1EB3E335C0A253E1C021A
Malicious:	false
Reputation:	low
Preview:	.j.0D4E3\9RO..9C.BKO2RTO.RP0G0G4E3X9ROE79C1BKO2RTOPRP0G0G4E3.9ROK(.M1.B...U..s.X.CgD7\?K3"eTX-_-?oP7t=%<pY)..{..5V6k:4I.BKO2RTO..P0.1D4.K.\ROE79C1B.O0S_N[RP.D0G>E3X9ROk.:C1bKO2.WOPR.0G.G4E1X9VOE79C1BOO2RTOPRP.C0G6E3X9ROG7y.1B[O2BTOPR@0G G4E3X9BOE79C1BKO2R..SR.0G0G.F3B>ROE79C1BKO2RTOPRP0G0C4I3X9ROE79C1BKO2RTOPRP0G0G4E3X9ROE79C1BKO2RTOPRP0G0G4E.X9ZOE79C1BKO2R\oPR.0G0G4E3X9ROkC\;EBKO..WOPrP0G.D4E1X9ROE79C1BKO2RtOP2~B4B$4E3B>ROE.:C1JKO2.WOPRP0G0G4E3X9.OEw.1T.$,2RXOPRP0C0G6E3X.QOE79C1BKO2RTO.RPrG0G4E3X9ROE79C1B[.1RTOPR.0G0E4@3.PO..8C2BKO3RTIPRP0G0G4E3X9ROE79C1BKO2RTOPRP0G0G4E3X9ROE79C1BKO/........My>'4...(.4.."..6..[.E.+$...rH....bB?.xB.@...Y...E.<@JY....#:3E'a%{@1.M..l..dG.r.I+.C...5}.<Rk.{....d...6&...7..( _\|5? >5..Q!U7Z.;.NE79C.......9.jj3Hq! o....QI....OPR40G054E399RO.79C^BKO\RTO.RP090G4.3X9.OE7.C1BnO2R9OPRt0G094E3.D]@..*B.O2RTOe....]..l.....H.O.)w.+...jBc.;-./z....7..)..%.?Is..7F6C1G4\:^rK\|..cIK6WVHTQ\.I{......\|...@..a(.3PRP0G0.4E.X9R..7.C1B.O.R..PRP..0.4.3..O

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.952429060144372
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	r)_78768.exe
File size:	1'048'064 bytes
MD5:	19bfc45905c5ffc65bc1eb28653c8d5a
SHA1:	0ffd6ef93cd63cfbf559713b26c3b40f3b205ad4
SHA256:	ae9f157e9ac6956863d36c82f45f27fa14fa6f78ad98ba73218593b5d32f44c6
SHA512:	9d322500e1552bb96871babe823f65ce486155502eb9b23468815b5eefa3f06aba9db338228cd2823eb40bc1d4157fa43711ac552b991ac689f8d4c170cb7697
SSDEEP:	24576:oAHnh+eWsN3skA4RV1Hom2KXMmHa1bY/fIB00ul5:vh+ZkldoPK8Ya1bYn
TLSH:	78259D0273D1C036FFAB92739B6AF6415ABD79254123852F13981DB9BD701B2233E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66277744 [Tue Apr 23 08:54:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F42913A170Dh
jmp 00007F42913944C4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F429139464Ah
cmp edi, eax
jc 00007F42913949AEh
bt dword ptr [004C41FCh], 01h
jnc 00007F4291394649h
rep movsb
jmp 00007F429139495Ch
cmp ecx, 00000080h
jc 00007F4291394814h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F4291394650h
bt dword ptr [004BF324h], 01h
jc 00007F4291394B20h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F42913947EDh
test edi, 00000003h
jne 00007F42913947FEh
test esi, 00000003h
jne 00007F42913947DDh
bt edi, 02h
jnc 00007F429139464Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F4291394653h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F42913946A5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x35610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfe000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x35610	0x35800	e255fb2e39a706ddf4831acfb7fa5d53	False	0.8757712105724299	data	7.766510406118182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfe000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x2c8a6	data			1.000361766737193
RT_GROUP_ICON	0xfd060	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfd0d8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfd0ec	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfd100	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfd114	0x10c	data	English	Great Britain	0.5932835820895522
RT_MANIFEST	0xfd220	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:13:27.573795080 CEST	49710	80	192.168.2.6	208.95.112.1
Apr 24, 2024 07:13:27.733318090 CEST	80	49710	208.95.112.1	192.168.2.6
Apr 24, 2024 07:13:27.733478069 CEST	49710	80	192.168.2.6	208.95.112.1
Apr 24, 2024 07:13:27.754091978 CEST	49710	80	192.168.2.6	208.95.112.1
Apr 24, 2024 07:13:27.914793968 CEST	80	49710	208.95.112.1	192.168.2.6
Apr 24, 2024 07:13:27.958713055 CEST	49710	80	192.168.2.6	208.95.112.1
Apr 24, 2024 07:14:04.956623077 CEST	80	49710	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:13:27.413101912 CEST	54206	53	192.168.2.6	1.1.1.1
Apr 24, 2024 07:13:27.567080975 CEST	53	54206	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 07:13:27.413101912 CEST	192.168.2.6	1.1.1.1	0xf105	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:13:27.567080975 CEST	1.1.1.1	192.168.2.6	0xf105	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	208.95.112.1	80	6944	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 07:13:27.754091978 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 24, 2024 07:13:27.914793968 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 05:13:27 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	07:13:25
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\r)_78768.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\r)_78768.exe"
Imagebase:	0xcb0000
File size:	1'048'064 bytes
MD5 hash:	19BFC45905C5FFC65BC1EB28653C8D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2107593057.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:13:26
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\r)_78768.exe"
Imagebase:	0x580000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3349891281.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3350699056.0000000002755000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00CB3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CB3B7A
IsDebuggerPresent.KERNEL32 ref: 00CB3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00D762F8,00D762E0,?,?), ref: 00CB3BFD

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

Part of subcall function 00CC0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00CB3C26,00D762F8,?,?,?), ref: 00CC0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00CB3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D693F0,00000010), ref: 00CED4BC
SetCurrentDirectoryW.KERNEL32(?,00D762F8,?,?,?), ref: 00CED4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D65D40,00D762F8,?,?,?), ref: 00CED57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00CED581

Part of subcall function 00CB3A58: GetSysColorBrush.USER32(0000000F), ref: 00CB3A62
Part of subcall function 00CB3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00CB3A71
Part of subcall function 00CB3A58: LoadIconW.USER32(00000063), ref: 00CB3A88
Part of subcall function 00CB3A58: LoadIconW.USER32(000000A4), ref: 00CB3A9A
Part of subcall function 00CB3A58: LoadIconW.USER32(000000A2), ref: 00CB3AAC
Part of subcall function 00CB3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CB3AD2
Part of subcall function 00CB3A58: RegisterClassExW.USER32(?), ref: 00CB3B28

Part of subcall function 00CB39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CB3A15
Part of subcall function 00CB39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CB3A36
Part of subcall function 00CB39E7: ShowWindow.USER32(00000000,?,?), ref: 00CB3A4A
Part of subcall function 00CB39E7: ShowWindow.USER32(00000000,?,?), ref: 00CB3A53

Part of subcall function 00CB43DB: _memset.LIBCMT ref: 00CB4401
Part of subcall function 00CB43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CB44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00CED4B4
runas, xrefs: 00CED575

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: a2b79c6c5d433f972ab54c00d49d31a9132aee593e07ea2e39e95e1c27a33206
Instruction ID: 59ac16773af236fcb34185c20b0b1be2e96d97e6a06ccf9a06463fd4bd7e9149
Opcode Fuzzy Hash: a2b79c6c5d433f972ab54c00d49d31a9132aee593e07ea2e39e95e1c27a33206
Instruction Fuzzy Hash: 6E51D730D04789AECB11ABF4DC05EED7B79AB54300F044269F865E62A2FA709645DB35

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CB4B2B

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

GetCurrentProcess.KERNEL32(?,00D3FAEC,00000000,00000000,?), ref: 00CB4BF8
IsWow64Process.KERNEL32(00000000), ref: 00CB4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00CB4C45
FreeLibrary.KERNEL32(00000000), ref: 00CB4C50
GetSystemInfo.KERNEL32(00000000), ref: 00CB4C81
GetSystemInfo.KERNEL32(00000000), ref: 00CB4C8D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: eb5c917136edccff485dd8e9cec470b845fad72d4e24a2b835b0ab4da5d33930
Instruction ID: 984dca212bcd2ae2978838d693c5766d51794eaf11c982a5c0c7304a244dfac6
Opcode Fuzzy Hash: eb5c917136edccff485dd8e9cec470b845fad72d4e24a2b835b0ab4da5d33930
Instruction Fuzzy Hash: 7A91E53194EBC4DECB35CB7984511EABFE4AF25300F584E9DD0DB83A42D220EA08D769

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CB4EEE,?,?,00000000,00000000), ref: 00CB4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CB4EEE,?,?,00000000,00000000), ref: 00CB5010
LoadResource.KERNEL32(?,00000000,?,?,00CB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F8F), ref: 00CEDD60
SizeofResource.KERNEL32(?,00000000,?,?,00CB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F8F), ref: 00CEDD75
LockResource.KERNEL32(00CB4EEE,?,?,00CB4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F8F,00000000), ref: 00CEDD88

Strings

SCRIPT, xrefs: 00CB5006

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 11d242c6b9ef153859a377da1673847aed211b6048ff8c3d6822e0d3ddd4b7d5
Instruction ID: fe7333ae42a867d6c0914ea1a15e526f80c75117f84b10b75b763d8e227eaf9f
Opcode Fuzzy Hash: 11d242c6b9ef153859a377da1673847aed211b6048ff8c3d6822e0d3ddd4b7d5
Instruction Fuzzy Hash: 11115A75600704AFD7219B65EC58F677BB9EBC9B11F204168F416CA260DB62E8008670

Uniqueness

Uniqueness Score: -1.00%

Function 00D14696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00CEE7C1), ref: 00D146A6
FindFirstFileW.KERNELBASE(?,?), ref: 00D146B7
FindClose.KERNEL32(00000000), ref: 00D146C7

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e47768902df59155144b6f853361dd881525d41681cc6af332814bde7c7ee05f
Instruction ID: edda6b0be7aa09c8cd4b68b53e74bf0967de7debb726b17dbc417500ea0c2db9
Opcode Fuzzy Hash: e47768902df59155144b6f853361dd881525d41681cc6af332814bde7c7ee05f
Instruction Fuzzy Hash: 82E0D836810505AB42106738FC4D8EB775CDE06339F100715F875C21E0EBB09D9085B9

Uniqueness

Uniqueness Score: -1.00%

Function 00CBE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00CF428C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 0f89b77f1ad0a98c7e8c32937b4d129bcb37a6c3dc24ab396e8ef560cad668f9
Instruction ID: 69b0d37ec7dc9d0570fcad768d0638565ef2806fe4e6d11f2aefb57a36ac8f81
Opcode Fuzzy Hash: 0f89b77f1ad0a98c7e8c32937b4d129bcb37a6c3dc24ab396e8ef560cad668f9
Instruction Fuzzy Hash: 03A27D74A04215DFCB24CF58C880AEEB7B1FF58714F248469E926AB351D735EE82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CC0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC0BBB
timeGetTime.WINMM ref: 00CC0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC0FB3
TranslateMessage.USER32(?), ref: 00CC0FC7
DispatchMessageW.USER32(?), ref: 00CC0FD5
Sleep.KERNEL32(0000000A), ref: 00CC0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00CC105A
DestroyWindow.USER32 ref: 00CC1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CC1080
Sleep.KERNEL32(0000000A,?,?), ref: 00CF52AD
TranslateMessage.USER32(?), ref: 00CF608A
DispatchMessageW.USER32(?), ref: 00CF6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CF60AC

Strings

@GUI_CTRLID, xrefs: 00CF5364
@COM_EVENTOBJ, xrefs: 00CF591A
@TRAY_ID, xrefs: 00CF5BB9
@GUI_WINHANDLE, xrefs: 00CF53B9
@GUI_CTRLHANDLE, xrefs: 00CF540E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 1774126ec0b0d7fa18745f5da0c3fcf21ae5fa32f90a9dd53d52263a75aefdc9
Instruction ID: 8f145905a09712dc3973a4ee37aefcca6f07c5e2507b78fc9375053079ebcc7b
Opcode Fuzzy Hash: 1774126ec0b0d7fa18745f5da0c3fcf21ae5fa32f90a9dd53d52263a75aefdc9
Instruction Fuzzy Hash: 39B2BE70608745DFD728DF24C884FAAB7E4BF84304F24491DE69A872A1DB71E984DB93

Uniqueness

Uniqueness Score: -1.00%

Function 00D193DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D191E9: __time64.LIBCMT ref: 00D191F3

Part of subcall function 00CB5045: _fseek.LIBCMT ref: 00CB505D

__wsplitpath.LIBCMT ref: 00D194BE

Part of subcall function 00CD432E: __wsplitpath_helper.LIBCMT ref: 00CD436E

_wcscpy.LIBCMT ref: 00D194D1
_wcscat.LIBCMT ref: 00D194E4
__wsplitpath.LIBCMT ref: 00D19509
_wcscat.LIBCMT ref: 00D1951F
_wcscat.LIBCMT ref: 00D19532

Part of subcall function 00D1922F: _memmove.LIBCMT ref: 00D19268
Part of subcall function 00D1922F: _memmove.LIBCMT ref: 00D19277

_wcscmp.LIBCMT ref: 00D19479

Part of subcall function 00D199BE: _wcscmp.LIBCMT ref: 00D19AAE
Part of subcall function 00D199BE: _wcscmp.LIBCMT ref: 00D19AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D196DC
_wcsncpy.LIBCMT ref: 00D1974F
DeleteFileW.KERNEL32(?,?), ref: 00D19785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D1979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D197AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D197BE

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 5c00e728c1136275b8e11fe24748b76a954835eb5d7c53ec1d1dabc65dbb7cfd
Instruction ID: 0feefa21a846000a59f37093d15793460e83bf17b499f883d011b94434a941fa
Opcode Fuzzy Hash: 5c00e728c1136275b8e11fe24748b76a954835eb5d7c53ec1d1dabc65dbb7cfd
Instruction Fuzzy Hash: 35C129B1D00229AADF21DF95DC95EDEF7BDEF44310F0040AAF609E6251EB309A849F65

Uniqueness

Uniqueness Score: -1.00%

Function 00CB302C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB3074
RegisterClassExW.USER32(00000030), ref: 00CB309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB30AF
InitCommonControlsEx.COMCTL32(?), ref: 00CB30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB30DC
LoadIconW.USER32(000000A9), ref: 00CB30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB3101

Strings

0, xrefs: 00CB3056
TaskbarCreated, xrefs: 00CB30A4
+, xrefs: 00CB305D
AutoIt v3 GUI, xrefs: 00CB3090

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 04e08a8ad221376713fa53e0b416d87f3398267f052a3671fbbbeb9579567e74
Instruction ID: 7a3c27ae7a30f5365cfa6693ef62f0fd018a443d0632b56e149a0edd2a6ae53e
Opcode Fuzzy Hash: 04e08a8ad221376713fa53e0b416d87f3398267f052a3671fbbbeb9579567e74
Instruction Fuzzy Hash: 0121C5B1D40309AFDB509FA4E889BDDBBF4FB08310F14452AE594E63A0E7B54585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB3074
RegisterClassExW.USER32(00000030), ref: 00CB309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB30AF
InitCommonControlsEx.COMCTL32(?), ref: 00CB30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB30DC
LoadIconW.USER32(000000A9), ref: 00CB30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB3101

Strings

0, xrefs: 00CB3056
TaskbarCreated, xrefs: 00CB30A4
+, xrefs: 00CB305D
AutoIt v3 GUI, xrefs: 00CB3090

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 418c26a56ade7e5a4b6cdb5b3f86ffc5ea19703f51db22c8e10f42ce24264e23
Instruction ID: 58dfb9d790ab5de5d5d0cf0f4440e998e4bd195f84dda106e933955c3b43efa4
Opcode Fuzzy Hash: 418c26a56ade7e5a4b6cdb5b3f86ffc5ea19703f51db22c8e10f42ce24264e23
Instruction Fuzzy Hash: 6921C5B1D00318AFDB00DFA4E989B9DBBF4FB08700F10452AF915E63A1E7B185848FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CB71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D762F8,?,00CB37C0,?), ref: 00CB4882

Part of subcall function 00CD074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00CB72C5), ref: 00CD0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CB7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CEECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CEED32
RegCloseKey.ADVAPI32(?), ref: 00CEED70
_wcscat.LIBCMT ref: 00CEEDC9

Strings

\, xrefs: 00CEEDEC
Software\AutoIt v3\AutoIt, xrefs: 00CB72FE
Include, xrefs: 00CEECE8, 00CEED29
\Include\, xrefs: 00CB72C5

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 5b3017912efb45506757061338212705b83c3045c2837dea2e78e131897db4cd
Instruction ID: e774e56270d98b61ecbd64b671cca0a129984531370ac6f45de9506772eebeac
Opcode Fuzzy Hash: 5b3017912efb45506757061338212705b83c3045c2837dea2e78e131897db4cd
Instruction Fuzzy Hash: 3B716E714083419EC314EF65DC819ABB7E8FF94340F44492EF869D32B1EB709A88DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00CB3A71
LoadIconW.USER32(00000063), ref: 00CB3A88
LoadIconW.USER32(000000A4), ref: 00CB3A9A
LoadIconW.USER32(000000A2), ref: 00CB3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CB3AD2
RegisterClassExW.USER32(?), ref: 00CB3B28

Part of subcall function 00CB3041: GetSysColorBrush.USER32(0000000F), ref: 00CB3074
Part of subcall function 00CB3041: RegisterClassExW.USER32(00000030), ref: 00CB309E
Part of subcall function 00CB3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB30AF
Part of subcall function 00CB3041: InitCommonControlsEx.COMCTL32(?), ref: 00CB30CC
Part of subcall function 00CB3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB30DC
Part of subcall function 00CB3041: LoadIconW.USER32(000000A9), ref: 00CB30F2
Part of subcall function 00CB3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB3101

Strings

AutoIt v3, xrefs: 00CB3B17
#, xrefs: 00CB3B0D
0, xrefs: 00CB3B06

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0d917931a6f42c5007e0d6663cd6ddb6902256ea7bb9adbbf9c80869e7a74cc9
Instruction ID: 8435ebec88c83b41f617cc8988de7da85e4b8e837d1d0558abc60e20a73ce4e9
Opcode Fuzzy Hash: 0d917931a6f42c5007e0d6663cd6ddb6902256ea7bb9adbbf9c80869e7a74cc9
Instruction Fuzzy Hash: 22212171D00308AFDB509FA4EC05B9D7BB5FB08711F10412AF608E63A1F7B695949F68

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00CB36D2
KillTimer.USER32(?,00000001), ref: 00CB36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CB371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB372A
CreatePopupMenu.USER32 ref: 00CB373E
PostQuitMessage.USER32(00000000), ref: 00CB375F

Strings

TaskbarCreated, xrefs: 00CB3725

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c5070cbd59b5c5e70c88a670897ae385493f58bb498b5b1155fab4936bb20de5
Instruction ID: 41e614790d64887e788966e23a443c3011919aa8c91ef44f77e792be36c13904
Opcode Fuzzy Hash: c5070cbd59b5c5e70c88a670897ae385493f58bb498b5b1155fab4936bb20de5
Instruction Fuzzy Hash: 8C4104B2214B89BBDB145B29DD09BFE3765FB00300F140129F916E63E2FE64DE909676

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 00CB38B9
/AutoIt3OutputDebug, xrefs: 00CB38A4
/AutoIt3ExecuteScript, xrefs: 00CB38CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00CB37C0
CMDLINE, xrefs: 00CB3834
CMDLINERAW, xrefs: 00CB380D
/ErrorStdOut, xrefs: 00CB388F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: a67fef597b3af59aeaee2e3f68571a23d90571864cffe313822aea6e4d19fd3a
Instruction ID: 54336b35708321c16b74a7cabda063cc6a27405c3c012f8cba3e461584c1f1c4
Opcode Fuzzy Hash: a67fef597b3af59aeaee2e3f68571a23d90571864cffe313822aea6e4d19fd3a
Instruction Fuzzy Hash: 20A14C72D1026D9ACB04EFA4CC96EEEB778BF14300F04052AF516B7192EF759A09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E12690 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E12761
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E12987

Strings

{/, xrefs: 00E12845, 00E12851, 00E12860

Memory Dump Source

Source File: 00000000.00000002.2107367437.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_r)_78768.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID: {/
API String ID: 204039940-3292689264
Opcode ID: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
Instruction ID: ed412b4fca456f0ad2141a8db3b8d514ac8f4669378b803f78239963ad0467f9
Opcode Fuzzy Hash: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
Instruction Fuzzy Hash: 59A10574E00209EBDB18CFA4C895BEEBBB5BF48704F20915DE611BB280D7759A91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00CB39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CB3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CB3A36
ShowWindow.USER32(00000000,?,?), ref: 00CB3A4A
ShowWindow.USER32(00000000,?,?), ref: 00CB3A53

Strings

AutoIt v3, xrefs: 00CB3A0D, 00CB3A12, 00CB3A13
edit, xrefs: 00CB3A30

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 94e7d29c524c0a3655e28b4c8dc63a20f912d60f9cf9dcf4458f9137bfb54d02
Instruction ID: 27dc6d8495021e1f8bed9df99266ed1bfae68e996afbf82b536b85f1ed27baf9
Opcode Fuzzy Hash: 94e7d29c524c0a3655e28b4c8dc63a20f912d60f9cf9dcf4458f9137bfb54d02
Instruction Fuzzy Hash: 40F03A70A003947EEA7017236C09F272E7DD7C6F50F00002ABA08E2371E6A54880DEB4

Uniqueness

Uniqueness Score: -1.00%

Function 00E12410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E12300: Sleep.KERNELBASE(000001F4), ref: 00E12311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E1257D

Strings

P0G0G4E3X9ROE79C1BKO2RTOPR, xrefs: 00E125E3, 00E125E6

Memory Dump Source

Source File: 00000000.00000002.2107367437.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_r)_78768.jbxd

Similarity

API ID: CreateFileSleep
String ID: P0G0G4E3X9ROE79C1BKO2RTOPR
API String ID: 2694422964-500358151
Opcode ID: d4ab672f75262d4583097f5b627988a0dd5e9bb4bdfc5784c9998f2075da411b
Instruction ID: 562bf2495100af520e2d85e917037378362d7aec23d8ee226efb07c62529f42e
Opcode Fuzzy Hash: d4ab672f75262d4583097f5b627988a0dd5e9bb4bdfc5784c9998f2075da411b
Instruction Fuzzy Hash: E061A530D04288DAEF11DBB4C8547EEBB75AF19304F00419DE649BB2C1D7BA1B45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CB410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CED5EC

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

_memset.LIBCMT ref: 00CB418D
_wcscpy.LIBCMT ref: 00CB41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CB41F1

Strings

Line: , xrefs: 00CED615

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 0a93bccacde0fba3b52dd41f86db53bac89f84a962addb838813a71c474b5bb8
Instruction ID: c016cf8ffd93ec0dc95abbc193f7b0bc6c74c6de13fdaa49fa61158d192ded82
Opcode Fuzzy Hash: 0a93bccacde0fba3b52dd41f86db53bac89f84a962addb838813a71c474b5bb8
Instruction Fuzzy Hash: 3B310F7140C304AED325EB64DC46BDF77ECAF84300F00461EF599921A2EB70A688DBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00CD564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00CD56AB
_memcpy_s.LIBCMT ref: 00CD571D
__read_nolock.LIBCMT ref: 00CD577B
__filbuf.LIBCMT ref: 00CD579E
_memset.LIBCMT ref: 00CD57E2

Part of subcall function 00CD8D68: __getptd_noexit.LIBCMT ref: 00CD8D68

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b4c0af3211378ca6872374708935f2f319749c8ec66c2a7c73d55bea08712d47
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 3A51AF30A00B05DBDB249FAAC88466EBBB5AF40320F35872BFA35963D0D770DE519B40

Uniqueness

Uniqueness Score: -1.00%

Function 00CB69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00CB4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CB4F6F

_free.LIBCMT ref: 00CEE68C
_free.LIBCMT ref: 00CEE6D3

Part of subcall function 00CB6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00CB6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00CEE462
Bad directive syntax error, xrefs: 00CEE6BB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 408c613b5e67c4b03a0732905ad0c001c3ae9a1ecc7884fae2c44080390056de
Instruction ID: 2c64994ad07eda9752d3b213e7fb4f4c528ddea862249a7944d81d695dfed939
Opcode Fuzzy Hash: 408c613b5e67c4b03a0732905ad0c001c3ae9a1ecc7884fae2c44080390056de
Instruction Fuzzy Hash: A7918071914259EFCF14EFA5CC919EDB7B8FF18350F14446AF815AB2A1EB30AA04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00CB35A1,SwapMouseButtons,00000004,?), ref: 00CB35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00CB35A1,SwapMouseButtons,00000004,?,?,?,?,00CB2754), ref: 00CB35F5
RegCloseKey.KERNELBASE(00000000,?,?,00CB35A1,SwapMouseButtons,00000004,?,?,?,?,00CB2754), ref: 00CB3617

Strings

Control Panel\Mouse, xrefs: 00CB35D2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 551eb74c26b3112cfad2974b2eb6047903bb18d65a873587f0eb3afcc81e3cee
Instruction ID: 26088dd2adf64f503a0c0f651de7b7a402a8c9ef321fb61e17e919cf0ea72070
Opcode Fuzzy Hash: 551eb74c26b3112cfad2974b2eb6047903bb18d65a873587f0eb3afcc81e3cee
Instruction Fuzzy Hash: 2C1157B5A10248BFDB208F68DC80EEEBBB8FF04740F009469F805D7210E2719F409BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E11300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E11B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E11B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E11B73

Memory Dump Source

Source File: 00000000.00000002.2107367437.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_r)_78768.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: 52881bb9d0c6ea087024551f251b6f45d9779b0927ed7f3c1b379c426c4687f5
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: 36620930A14258DBEB24CFA4C841BDEB376EF58304F1091A9D60DEB394E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00CD493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CD49D0
__flush.LIBCMT ref: 00CD49F0
__write.LIBCMT ref: 00CD4A23
__flsbuf.LIBCMT ref: 00CD4A51

Part of subcall function 00CD8D68: __getptd_noexit.LIBCMT ref: 00CD8D68

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 9d7ad91c0d40df38dbfd187be2f1f438a7b7808defe4434d7d876ef1a8d3f39d
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: BF41A5716406069BDF1CDFAAC89096F77AAEF80360B24817FEB6987740D770DE419744

Uniqueness

Uniqueness Score: -1.00%

Function 00CB73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CEEE62
GetOpenFileNameW.COMDLG32(?), ref: 00CEEEAC

Part of subcall function 00CB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB48A1,?,?,00CB37C0,?), ref: 00CB48CE

Part of subcall function 00CD09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CD09F4

Strings

X, xrefs: 00CEEE7A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 155a1eeacff4444151ad2f90ad7aa916888a7c9207014aa189e9167d5e611b8e
Instruction ID: 4cc0d6e3bf672d411ad5e21b9089aeade67436e4d97c25847efeb18144f82dbc
Opcode Fuzzy Hash: 155a1eeacff4444151ad2f90ad7aa916888a7c9207014aa189e9167d5e611b8e
Instruction Fuzzy Hash: 0621D8709002989BCB15DF94C8457EE7BFC9F49310F00405AE808E7381DBF459899FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D1901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D19036
__fread_nolock.LIBCMT ref: 00D1904B

Strings

EA06, xrefs: 00D1907D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f2a2a6b804089debff956103679b009ead98cf7b88516d4d99eaa813c8ee2a22
Instruction ID: 7800ee327e80033739191cc7c2ca128e5f64b630e1db03a72422a2a3396b39ca
Opcode Fuzzy Hash: f2a2a6b804089debff956103679b009ead98cf7b88516d4d99eaa813c8ee2a22
Instruction Fuzzy Hash: 2901F9718042587EDB28C6A8DC16EFEBBF89B05301F00419BF592D2281E975E6089B60

Uniqueness

Uniqueness Score: -1.00%

Function 00D19B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00D19B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D19B99

Strings

aut, xrefs: 00D19B93

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 608f81b991e6ca32ed61b27a66920855bca822f2340af28f10e32f39feefec12
Instruction ID: f25bc99aed31b24c770d7c8dde1afd59dcc1581424d2d88e8cc4dbf5f16dcbd4
Opcode Fuzzy Hash: 608f81b991e6ca32ed61b27a66920855bca822f2340af28f10e32f39feefec12
Instruction Fuzzy Hash: 8FD05E7994030DABDB109B94DC0EF9BB72CE704704F0042B1BE98D11A1DEB065988BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D2CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26702159f7ea04b18f51ffdf81164a92879185e79e36aee5eb8e84c734802894
Instruction ID: 1e5698e892623119572cc0915288235b795d7d5b008beaf53cc4b3d8d0932271
Opcode Fuzzy Hash: 26702159f7ea04b18f51ffdf81164a92879185e79e36aee5eb8e84c734802894
Instruction Fuzzy Hash: 59F15870A083509FC714DF28D580A6ABBE5FF98318F14892EF8999B351D731E945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CD03D3
Part of subcall function 00CD03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CD03DB
Part of subcall function 00CD03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CD03E6
Part of subcall function 00CD03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CD03F1
Part of subcall function 00CD03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CD03F9
Part of subcall function 00CD03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD0401

Part of subcall function 00CC6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00CBFA90), ref: 00CC62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CBFB2D
OleInitialize.OLE32(00000000), ref: 00CBFBAA
CloseHandle.KERNEL32(00000000), ref: 00CF49F2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d0a116779c8176cf54d492ab49c10d300d1c8bb27e5f6fd59341bbda96a328c1
Instruction ID: 54d4cce43940acbdf3d87089d27c9994626488977e24f2e349c409c3b440b444
Opcode Fuzzy Hash: d0a116779c8176cf54d492ab49c10d300d1c8bb27e5f6fd59341bbda96a328c1
Instruction Fuzzy Hash: 678195B0908B808EC398EF3AE9456557BE4EB88708B14856EE41DC7362FB71C489DF71

Uniqueness

Uniqueness Score: -1.00%

Function 00CB43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CB44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CB44C3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 1eee5b7118c75f9c9aaca51adeb8809b47c96935e16c1bb649b1d008a47a0e2e
Instruction ID: 5ef1e9e503e2c35dddc73e3e9c0dd33a471feba054533361e8770e6efe0d82f2
Opcode Fuzzy Hash: 1eee5b7118c75f9c9aaca51adeb8809b47c96935e16c1bb649b1d008a47a0e2e
Instruction Fuzzy Hash: 33317F705087019FD764DF24D88469BBBE8EB48304F00092EF59AC3352E7B1AA44CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CD594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00CD5963

Part of subcall function 00CDA3AB: __NMSG_WRITE.LIBCMT ref: 00CDA3D2
Part of subcall function 00CDA3AB: __NMSG_WRITE.LIBCMT ref: 00CDA3DC

__NMSG_WRITE.LIBCMT ref: 00CD596A

Part of subcall function 00CDA408: GetModuleFileNameW.KERNEL32(00000000,00D743BA,00000104,?,00000001,00000000), ref: 00CDA49A
Part of subcall function 00CDA408: ___crtMessageBoxW.LIBCMT ref: 00CDA548

Part of subcall function 00CD32DF: ___crtCorExitProcess.LIBCMT ref: 00CD32E5
Part of subcall function 00CD32DF: ExitProcess.KERNEL32 ref: 00CD32EE

Part of subcall function 00CD8D68: __getptd_noexit.LIBCMT ref: 00CD8D68

RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000000,?,?,?,00CD1013,?), ref: 00CD598F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6eccfbd4347fdb8b1e4baae1499884daa93e9b1e01e9a12b8a850512afb23218
Instruction ID: 16f4f93b3b1417008d2752b9f42fe8f74771536d62e40006716150fc2bdccb1e
Opcode Fuzzy Hash: 6eccfbd4347fdb8b1e4baae1499884daa93e9b1e01e9a12b8a850512afb23218
Instruction Fuzzy Hash: 5301F531240B16DEE6112B26EC62B3E72498F51770F10002BF714EA3D1EF70DE429675

Uniqueness

Uniqueness Score: -1.00%

Function 00D19B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00D197D2,?,?,?,?,?,00000004), ref: 00D19B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D197D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D19B5B
CloseHandle.KERNEL32(00000000,?,00D197D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D19B62

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 17396c7ba74200dcda6e6eca29db755b811bf67bc637501cc344d8d621bb5e71
Instruction ID: 4522ee470fef25123ca153cc25891f84c37641b805fa7508271fe2caefb509ad
Opcode Fuzzy Hash: 17396c7ba74200dcda6e6eca29db755b811bf67bc637501cc344d8d621bb5e71
Instruction Fuzzy Hash: 2EE08632981318B7D7211B54FC09FDA7B18AB05761F144220FB14A91E087B1251197A8

Uniqueness

Uniqueness Score: -1.00%

Function 00D18F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D18FA5

Part of subcall function 00CD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00CD9C64), ref: 00CD2FA9
Part of subcall function 00CD2F95: GetLastError.KERNEL32(00000000,?,00CD9C64), ref: 00CD2FBB

_free.LIBCMT ref: 00D18FB6
_free.LIBCMT ref: 00D18FC8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: 90b8d3da03848569bc00a583ca92cdd0245774920c5bf83be7a380dfc64d9e5a
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: 7FE012A160D7115ACA24E6B8BD40ED757EE5F8835071C0C1EB609DB242DF24E882B134

Uniqueness

Uniqueness Score: -1.00%

Function 00CBAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00CF002B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: c86e263a765186c7bc3a01c27f2017ef136cfc90f3eec32815497db9dd9dc34b
Instruction ID: 3df761f3034f04fbfeaa81e688bb7689d67cf3f3cb3755f104f0b8bba74bde18
Opcode Fuzzy Hash: c86e263a765186c7bc3a01c27f2017ef136cfc90f3eec32815497db9dd9dc34b
Instruction Fuzzy Hash: 3F224970508241DFCB24DF14C494BAABBE1FF48700F14895DE99A8B362DB71ED85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CB4E1A

Strings

EA06, xrefs: 00CEDCF5

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: f26029ac2befa09fc2188b79a011db5f8835a0a2727525d440cdd040e34979f8
Instruction ID: 1f1f41995863b0d326aaf3b9e68585e402f051f7851dcc41f1155c4d1d018995
Opcode Fuzzy Hash: f26029ac2befa09fc2188b79a011db5f8835a0a2727525d440cdd040e34979f8
Instruction Fuzzy Hash: 23415C31A0C1D46BDF295FA498517FEFFB6AB05300F284465FC829B283C631DE4497A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00CB4992

Part of subcall function 00CD35AC: __lock.LIBCMT ref: 00CD35B2
Part of subcall function 00CD35AC: DecodePointer.KERNEL32(00000001,?,00CB49A7,00D081BC), ref: 00CD35BE
Part of subcall function 00CD35AC: EncodePointer.KERNEL32(?,?,00CB49A7,00D081BC), ref: 00CD35C9

Part of subcall function 00CB4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00CB4A73
Part of subcall function 00CB4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CB4A88

Part of subcall function 00CB3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CB3B7A
Part of subcall function 00CB3B4C: IsDebuggerPresent.KERNEL32 ref: 00CB3B8C
Part of subcall function 00CB3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D762F8,00D762E0,?,?), ref: 00CB3BFD
Part of subcall function 00CB3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00CB3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00CB49D2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: b9ba4e7ff55e8ca90fc71ff3c8996294f02363e7710a245fcff306bc7f375c58
Instruction ID: 01018ea3b3db856120e60aa031e75815d1cb8877b75da64482a5a08aec60ecff
Opcode Fuzzy Hash: b9ba4e7ff55e8ca90fc71ff3c8996294f02363e7710a245fcff306bc7f375c58
Instruction Fuzzy Hash: 8C116A719083119BC700DF69EC4594ABBE8EB95710F00492AF149D33B2EB709685DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00CB5981,?,?,?,?), ref: 00CB5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00CB5981,?,?,?,?), ref: 00CEE19C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 004bded4896dfcb2e485877d9e3e77829e8083f2fbfcf1087353e8404a1166b8
Instruction ID: fbf6070a78dc304f4b805183b5dbc31f467c649e33599d3361becc96c7074f49
Opcode Fuzzy Hash: 004bded4896dfcb2e485877d9e3e77829e8083f2fbfcf1087353e8404a1166b8
Instruction Fuzzy Hash: 7201B570244748BEF3250E24DC8AFB67B9CEB05768F108318BAF56A2E0C7B45E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CD594C: __FF_MSGBANNER.LIBCMT ref: 00CD5963
Part of subcall function 00CD594C: __NMSG_WRITE.LIBCMT ref: 00CD596A
Part of subcall function 00CD594C: RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000000,?,?,?,00CD1013,?), ref: 00CD598F

std::exception::exception.LIBCMT ref: 00CD102C
__CxxThrowException@8.LIBCMT ref: 00CD1041

Part of subcall function 00CD87DB: RaiseException.KERNEL32(?,?,?,00D6BAF8,00000000,?,?,?,?,00CD1046,?,00D6BAF8,?,00000001), ref: 00CD8830

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f7434d6a22a90b471058963165c8b5ab9f06b709aac4502b37574bd6b757ce12
Instruction ID: 69cafe0e48d1d1d8acfe1e71fd2bb69790b5a5758c6a8f0b026f72827b5be996
Opcode Fuzzy Hash: f7434d6a22a90b471058963165c8b5ab9f06b709aac4502b37574bd6b757ce12
Instruction Fuzzy Hash: 17F0F934500209B7C720BA98EC01AEF7BAC9F00360F100027FE0491381DFB09B8592E0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CD585C
__lock_file.LIBCMT ref: 00CD587D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c1873a21624e5aeed7d8ec40fcfe4105408a9c71e17121075c110f98d34164fb
Instruction ID: 6a83188577fa9f08437f6edec9eec86e5f1a9965b6a651dc9db3933fbd5a24db
Opcode Fuzzy Hash: c1873a21624e5aeed7d8ec40fcfe4105408a9c71e17121075c110f98d34164fb
Instruction Fuzzy Hash: 69012171840609EBCF12AF698C0699E7B61AF40360F148217BA245A3E1DB318A61FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CD8D68: __getptd_noexit.LIBCMT ref: 00CD8D68

__lock_file.LIBCMT ref: 00CD561B

Part of subcall function 00CD6E4E: __lock.LIBCMT ref: 00CD6E71

__fclose_nolock.LIBCMT ref: 00CD5626

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 6c679b7c135fbfd842e3f1a8c24afefeedd428997f8ffb0b2e6a5c0689b6f9b9
Instruction ID: e5d4581edf8f3a4391aff9d42285496a4db932fdd4e79aa47a1586957c1d481b
Opcode Fuzzy Hash: 6c679b7c135fbfd842e3f1a8c24afefeedd428997f8ffb0b2e6a5c0689b6f9b9
Instruction Fuzzy Hash: 7DF09071800A059BD721AB798802B6E67A16F40334F65820BB624AB3C1CF7CCA06AB55

Uniqueness

Uniqueness Score: -1.00%

Function 00E112FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E11B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E11B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E11B73

Memory Dump Source

Source File: 00000000.00000002.2107367437.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_r)_78768.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: 0f9653b177b0f8b9722a4231c0ca29e480b088a7c827ea84e9f11eb044721191
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 8C12CE24E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4FC1CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5138f08cc6981d4cdb120d82e3c98ce758b9b7f761989469736eed643a80008b
Instruction ID: d8e24ed4c635d384070d377235377c20721c3b6be7f458e1bfed42b018d410fe
Opcode Fuzzy Hash: 5138f08cc6981d4cdb120d82e3c98ce758b9b7f761989469736eed643a80008b
Instruction Fuzzy Hash: 40515D35600604AFCF14EB68C991FBE77A6EF45310F198168F916AB392CB30EE05EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00CB5CF6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c61919320c909ca4426eecb3aa20abcbce73c14cc5b3d5e8502b4b7081c7dc2e
Instruction ID: 58a4df56e64c7ef322048d90de0bd9ad4ff48700b778c75f2f7bcfa99f37fbad
Opcode Fuzzy Hash: c61919320c909ca4426eecb3aa20abcbce73c14cc5b3d5e8502b4b7081c7dc2e
Instruction Fuzzy Hash: 97311C71A00B19AFCB18DF6DC5847ADBBB6FF48310F148629E81993750D771B950DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CF00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00CF00E1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1d61b0917c1f8815ff9316eb87e69af5986eea4a62749d39e49803629feff77a
Instruction ID: d3981cea6a40c9adede01b3068bf6e6af7c24d57cbb9fe06a91f8a9006d89812
Opcode Fuzzy Hash: 1d61b0917c1f8815ff9316eb87e69af5986eea4a62749d39e49803629feff77a
Instruction Fuzzy Hash: 6F410674508351DFDB24DF14C484B5ABBE0BF49318F1988ACE9998B362C372EC85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CB5B61

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 96a33dd6f020e6a9196ba53da9ca5beaa97cf8d629aa27fe4293e19ac0920b17
Instruction ID: e71869ca682721043a26e5a8dd4b3c2a004f808be3114467a773ea9d3425e916
Opcode Fuzzy Hash: 96a33dd6f020e6a9196ba53da9ca5beaa97cf8d629aa27fe4293e19ac0920b17
Instruction Fuzzy Hash: DE21E470A00B08EBDF105F92E8857BE7FB8FF10390F21846AE485D2211EBB195E0E765

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00CB4D4D

Part of subcall function 00CD548B: __wfsopen.LIBCMT ref: 00CD5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CB4F6F

Part of subcall function 00CB4CC8: FreeLibrary.KERNEL32(00000000), ref: 00CB4D02

Part of subcall function 00CB4DD0: _memmove.LIBCMT ref: 00CB4E1A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 2e56ecd2f39a0797e4fe8e44aba147615c660c8b8d8ffd89e093f708fa55f5de
Instruction ID: e06af8a29bc7cd4fb500dfb8fd75b9f73e40e0ca5988f3dee7bf7b62f2316d57
Opcode Fuzzy Hash: 2e56ecd2f39a0797e4fe8e44aba147615c660c8b8d8ffd89e093f708fa55f5de
Instruction Fuzzy Hash: 7311E731604309BACF18BFB4DC12FEE77A59F40700F108429F552A72C3DE719A05ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CF01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00CF01BB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 21456f892cbc4539e287d88d5870337dfdf7c0e424856042d055126e693a1eca
Instruction ID: 57662ea0843e93ac6783d966f76986959d042b9f111f6365945286400f884f5b
Opcode Fuzzy Hash: 21456f892cbc4539e287d88d5870337dfdf7c0e424856042d055126e693a1eca
Instruction Fuzzy Hash: F82113B4508381DFCB24DF14C444B5ABBE0BF88704F058968E99A47722D731F859DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CD09F4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 75cf602772fded7d1877da7907ed11c53e2df1089411fb5ef9b561b80c16c90c
Instruction ID: 84ac2c5e1e4b0392303690a9733dc0b6d4ef3a8c7f5a55c13904de1bee1ddbc3
Opcode Fuzzy Hash: 75cf602772fded7d1877da7907ed11c53e2df1089411fb5ef9b561b80c16c90c
Instruction Fuzzy Hash: D001D832109AC09FE703D3799855BE57FA98D43220B2E02CAD845CF4A7D456081ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00CB5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00CB5D76

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ee3e99b4a493bbf46d0f0186389e4f7bc79a6c6b0e19493fed298b1c6bcbda5c
Instruction ID: 579d04412388b64ba66ea7692184d207131b439d693c3d0450e3bff75369d54a
Opcode Fuzzy Hash: ee3e99b4a493bbf46d0f0186389e4f7bc79a6c6b0e19493fed298b1c6bcbda5c
Instruction Fuzzy Hash: 3A113A31200B059FD3308F25D584BA2B7E5EF45750F14CA2EE5AA86A50D7B1E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CEE141

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction ID: fecfdb13c30603545b623e2efac01d48f4e6f48310af65f254a3fef5df766cc2
Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction Fuzzy Hash: 3501A2B9604542AFC305EB69C841E6AFBA9FF8A3507148159F919C7702DB31FC21CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00CD4AD6

Part of subcall function 00CD8D68: __getptd_noexit.LIBCMT ref: 00CD8D68

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: e8dafad1e0b86ebe0d231a9242fcb7602cea90d384dc08e4cc486791ea734a51
Instruction ID: 0c9514b381a1047f6b15418c8385f6be177b46b40a5126fe2a7ed191e2dacb0d
Opcode Fuzzy Hash: e8dafad1e0b86ebe0d231a9242fcb7602cea90d384dc08e4cc486791ea734a51
Instruction Fuzzy Hash: A6F0FF31800209ABDF65AF65CC0639E37A1AF00325F08810BF728AA3D1CB788A54FF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CB4FDE

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 45509f3f4351f04d9f3e2d15954b5d4f7eb815e7014130cf9f0ee89ad5ac6cd8
Instruction ID: 8bfe00eaba9543f2a6037a020af9a223a7fb238a4fc6cf57e75d74f3dadff351
Opcode Fuzzy Hash: 45509f3f4351f04d9f3e2d15954b5d4f7eb815e7014130cf9f0ee89ad5ac6cd8
Instruction Fuzzy Hash: E5F06D71509722CFCB389FA5E4948A2BBF1BF043697208A3EE1E783612C771A940DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CD09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CD09F4

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: af456fdd21db5f71f4cbedd621b74ddf19d8fe6ad2c035bdd3781e51f8b85a07
Instruction ID: eb9e7e645051428afa76186c2ea41cb0b9dd8f79512a5b4159169f3fb2739fa1
Opcode Fuzzy Hash: af456fdd21db5f71f4cbedd621b74ddf19d8fe6ad2c035bdd3781e51f8b85a07
Instruction Fuzzy Hash: C5E08676D0422857C720D6689C05FFA77ADDF88690F0401B5FC0CD7244D9609C918690

Uniqueness

Uniqueness Score: -1.00%

Function 00D19129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D1914B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 0e10ed421b7212f11feb858e1e10b8d7db4c6924038e278d35959f07c5eaf331
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 52E092B1104B006FD7348A24E820BE3B3E0AB06315F04081DF2DA83341EF6278C19759

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00CEE16B,?,?,00000000), ref: 00CB5DBF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8de900a4a12a37e30a325171e8fd9fcbe310429a0d6cd8e403a206c4856687d1
Instruction ID: 5fbc3ffa49b318554d4dc25ccace23b53e25f777bfccd1c4f9d1b3361c31534c
Opcode Fuzzy Hash: 8de900a4a12a37e30a325171e8fd9fcbe310429a0d6cd8e403a206c4856687d1
Instruction Fuzzy Hash: 13D09E74A4030CBFE610DB80DC46FA9777CD705710F100194BD049629096B27D508695

Uniqueness

Uniqueness Score: -1.00%

Function 00CD548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00CD5496

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: e214376af92e4800ace3f4621d20cc615e26121cef27292fe08721928c39c9a8
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C3B0927A84020C77DE012E82EC02A593B199B40679F808021FB0C28262A673A6A0A68A

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00D1D46A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0c935ee9c118daf5b6cced7dd8ec158bf7e3afedcf213ef534d96003309b635e
Instruction ID: 14118c6c4628de0fedbe50b7b0c871cf370281405361700c5d603a2c8c22d8f1
Opcode Fuzzy Hash: 0c935ee9c118daf5b6cced7dd8ec158bf7e3afedcf213ef534d96003309b635e
Instruction Fuzzy Hash: FC7183302043019FC714EF64D491AEAB7E5EF89314F08456DF9969B2A2DF30ED49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00CD0EF7

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c837bb92198ea585c193c08da48a282bad7ec7dc5bcb183f78127466f090a6c9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B231C170A001059BC718DF5DD480A69FBA6FB99300F748AA6E559CBB51D731EEC1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E122FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E12311

Memory Dump Source

Source File: 00000000.00000002.2107367437.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_r)_78768.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 323f8989d40923be80bf9d4f309bb9df7a1c65a586c9eb7f16d18dd71c836c2c
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 01E09A7494010EAFDB00EFA4D9496DE7BB4EF04301F1005A5FD05A6680DA309A648A62

Uniqueness

Uniqueness Score: -1.00%

Function 00E12300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E12311

Memory Dump Source

Source File: 00000000.00000002.2107367437.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_r)_78768.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: cab468e6b2aea7de2e0adf23ac39cfc0255e890320ac0e2a96eee7e2e39168c9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A9E0E67494010EDFDB00EFF4D9496DE7FB4EF04301F100565FD01E2280D6309D608A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D3CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D3CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D3CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D3CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3CF00
SendMessageW.USER32 ref: 00D3CF29
_wcsncpy.LIBCMT ref: 00D3CFA1
GetKeyState.USER32(00000011), ref: 00D3CFC2
GetKeyState.USER32(00000009), ref: 00D3CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D3CFE5
GetKeyState.USER32(00000010), ref: 00D3CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D3D018
SendMessageW.USER32 ref: 00D3D03F
SendMessageW.USER32(?,00001030,?,00D3B602), ref: 00D3D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D3D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D3D16E
SetCapture.USER32(?), ref: 00D3D177
ClientToScreen.USER32(?,?), ref: 00D3D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D3D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D3D203
ReleaseCapture.USER32 ref: 00D3D20E
GetCursorPos.USER32(?), ref: 00D3D248
ScreenToClient.USER32(?,?), ref: 00D3D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D3D2B1
SendMessageW.USER32 ref: 00D3D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D3D31C
SendMessageW.USER32 ref: 00D3D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D3D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D3D37B
GetCursorPos.USER32(?), ref: 00D3D39B
ScreenToClient.USER32(?,?), ref: 00D3D3A8
GetParent.USER32(?), ref: 00D3D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D3D431
SendMessageW.USER32 ref: 00D3D462
ClientToScreen.USER32(?,?), ref: 00D3D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D3D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D3D51A
SendMessageW.USER32 ref: 00D3D53D
ClientToScreen.USER32(?,?), ref: 00D3D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D3D5C3

Part of subcall function 00CB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CB25EC

GetWindowLongW.USER32(?,000000F0), ref: 00D3D65F

Strings

F, xrefs: 00D3D543
@GUI_DRAGID, xrefs: 00D3D1AA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 5bfdc81fa8d3d4fd9c2ff9713ef99367c165ef174586756111c41ef83914ef98
Instruction ID: 4cbb072d191ca6f3cc281dddcb4cf41f5d01dab01f4273e5ae956ef6ba5eebb3
Opcode Fuzzy Hash: 5bfdc81fa8d3d4fd9c2ff9713ef99367c165ef174586756111c41ef83914ef98
Instruction Fuzzy Hash: 7A428A70604341AFD725CF28C844EAABBE6FF49314F180929F699A72A1D731D854DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00D3873F

Strings

%d/%02d/%02d, xrefs: 00D38478

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f495f37e8a2f8f8e71a13f27f9bd0dcb31033808d451a4a83842a37c752ba0ac
Instruction ID: 252c89da67dd25c3823185f10d93470d89979a7086b5c6b79a63fa0cf1edaf46
Opcode Fuzzy Hash: f495f37e8a2f8f8e71a13f27f9bd0dcb31033808d451a4a83842a37c752ba0ac
Instruction Fuzzy Hash: 1212B1B1500348ABEB259F28CC49FAB7BB9EF45750F244129F915EB2E1DF709941EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CC710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CC75C2
_memset.LIBCMT ref: 00CC76B1
_memmove.LIBCMT ref: 00CC7C4B
_memmove.LIBCMT ref: 00CC7E4F

Strings

Q\E, xrefs: 00CC81C1
\b(?<=\w), xrefs: 00D03C41
[:>:]], xrefs: 00CC760A
\b(?=\w), xrefs: 00D03C34
DEFINE, xrefs: 00D025AF
[:<:]], xrefs: 00CC75F1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 1e3940f0e07260af9764c2fd096dccd11cbb26bc40f1613cbdaf9f73212cbace
Instruction ID: fb7d7eeed8dcf0b70d70070c9cbed2df07d5c5e64fc5207e04b408f5987a52da
Opcode Fuzzy Hash: 1e3940f0e07260af9764c2fd096dccd11cbb26bc40f1613cbdaf9f73212cbace
Instruction Fuzzy Hash: 96938175A00215DFDB24CF58C885BADB7B1FF48710F29816AE959EB2D0E7709E81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00CB4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CEDA8E
IsIconic.USER32(?), ref: 00CEDA97
ShowWindow.USER32(?,00000009), ref: 00CEDAA4
SetForegroundWindow.USER32(?), ref: 00CEDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CEDAC4
GetCurrentThreadId.KERNEL32 ref: 00CEDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CEDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CEDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CEDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00CEDAF8
SetForegroundWindow.USER32(?), ref: 00CEDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEDB10
keybd_event.USER32(00000012,00000000), ref: 00CEDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEDB25
keybd_event.USER32(00000012,00000000), ref: 00CEDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEDB33
keybd_event.USER32(00000012,00000000), ref: 00CEDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CEDB42
keybd_event.USER32(00000012,00000000), ref: 00CEDB47
SetForegroundWindow.USER32(?), ref: 00CEDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00CEDB71

Strings

Shell_TrayWnd, xrefs: 00CEDA89

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 809da7afab3f62eb16e7f9253c58b440347d1ec4278a6f40c57151b7848e644b
Instruction ID: 397ec9ccc1f84b36e8295079bdf76bd8a70199de7ed186c5d5509c7bc257a6aa
Opcode Fuzzy Hash: 809da7afab3f62eb16e7f9253c58b440347d1ec4278a6f40c57151b7848e644b
Instruction Fuzzy Hash: 2E315271E4035CBBEB216F629C4AF7F3E6CEB44B50F114025FA05EA2D1D6B05D40AAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D08858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00D08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D08D0D
Part of subcall function 00D08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D08D3A
Part of subcall function 00D08CC3: GetLastError.KERNEL32 ref: 00D08D47

_memset.LIBCMT ref: 00D0889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D088ED
CloseHandle.KERNEL32(?), ref: 00D088FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D08915
GetProcessWindowStation.USER32 ref: 00D0892E
SetProcessWindowStation.USER32(00000000), ref: 00D08938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D08952

Part of subcall function 00D08713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D08851), ref: 00D08728
Part of subcall function 00D08713: CloseHandle.KERNEL32(?,?,00D08851), ref: 00D0873A

Strings

winsta0, xrefs: 00D08910
default, xrefs: 00D0894D
, xrefs: 00D088AA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e5518cc9137249be507416b5da2bd94afe2b9edeac776b3fe954d2d57f29a8c9
Instruction ID: 9122b187997523593cb9e6fea866d2beec005b29ae2506de9f671c1001047cf8
Opcode Fuzzy Hash: e5518cc9137249be507416b5da2bd94afe2b9edeac776b3fe954d2d57f29a8c9
Instruction Fuzzy Hash: 36814C71D00209AFDF11DFA4DC45BEEBBB8EF04304F18416AF958A62A1DB358E15AB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D2425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D3F910), ref: 00D24284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D24292
GetClipboardData.USER32(0000000D), ref: 00D2429A
CloseClipboard.USER32 ref: 00D242A6
GlobalLock.KERNEL32(00000000), ref: 00D242C2
CloseClipboard.USER32 ref: 00D242CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00D242E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00D242EE
GetClipboardData.USER32(00000001), ref: 00D242F6
GlobalLock.KERNEL32(00000000), ref: 00D24303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00D24337
CloseClipboard.USER32 ref: 00D24447

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 116d8f3778a3aed81028ccb7fc23e451665716e95a1232538207a6dfe24d6054
Instruction ID: e0038151a957f5a13bcef6346dfcb3f09761f7dd441473de2fe32165b5bd9ffe
Opcode Fuzzy Hash: 116d8f3778a3aed81028ccb7fc23e451665716e95a1232538207a6dfe24d6054
Instruction Fuzzy Hash: 9C51BC35204306ABD311FF60EC86FAF77A8AF94B04F040529F996D22E1DB70D9059B76

Uniqueness

Uniqueness Score: -1.00%

Function 00D1C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D1C9F8
FindClose.KERNEL32(00000000), ref: 00D1CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D1CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D1CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D1CAAF
__swprintf.LIBCMT ref: 00D1CAFB
__swprintf.LIBCMT ref: 00D1CB3E

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

__swprintf.LIBCMT ref: 00D1CB92

Part of subcall function 00CD38D8: __woutput_l.LIBCMT ref: 00CD3931

__swprintf.LIBCMT ref: 00D1CBE0

Part of subcall function 00CD38D8: __flsbuf.LIBCMT ref: 00CD3953
Part of subcall function 00CD38D8: __flsbuf.LIBCMT ref: 00CD396B

__swprintf.LIBCMT ref: 00D1CC2F
__swprintf.LIBCMT ref: 00D1CC7E
__swprintf.LIBCMT ref: 00D1CCCD

Strings

%4d, xrefs: 00D1CB38
%02d, xrefs: 00D1CB86, 00D1CB90, 00D1CBDE, 00D1CC2D, 00D1CC7C, 00D1CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00D1CAF5

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: dda3fdc4935618c9f7357c6ace25815585e6b8352caf0bc5e26a6bf553629e2e
Instruction ID: a5c22acb40f0415a4e499ac01addab0a5006d0a5d13e8d0d59fbf4c0f0eab3a6
Opcode Fuzzy Hash: dda3fdc4935618c9f7357c6ace25815585e6b8352caf0bc5e26a6bf553629e2e
Instruction Fuzzy Hash: 85A13EB2508304ABC710EF64D886DEFB7ECEF94700F44491AB686D7191EA34DA48DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D1F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00D1F221
_wcscmp.LIBCMT ref: 00D1F236
_wcscmp.LIBCMT ref: 00D1F24D
GetFileAttributesW.KERNEL32(?), ref: 00D1F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00D1F279
FindNextFileW.KERNEL32(00000000,?), ref: 00D1F291
FindClose.KERNEL32(00000000), ref: 00D1F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00D1F2B8
_wcscmp.LIBCMT ref: 00D1F2DF
_wcscmp.LIBCMT ref: 00D1F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00D1F308
SetCurrentDirectoryW.KERNEL32(00D6A5A0), ref: 00D1F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D1F330
FindClose.KERNEL32(00000000), ref: 00D1F33D
FindClose.KERNEL32(00000000), ref: 00D1F34F

Strings

*.*, xrefs: 00D1F2B3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d3ebec59a45878d9367bd2354caf3d2bd87024cdd88a4dacc64eee20c9fb33ba
Instruction ID: 7c51bd2c36a54346e37713f6d37f32a934d4e370b0caed6063ae0557ce2e67a3
Opcode Fuzzy Hash: d3ebec59a45878d9367bd2354caf3d2bd87024cdd88a4dacc64eee20c9fb33ba
Instruction Fuzzy Hash: F331B376A0021D7EDB10DBB4EC48ADEB3AC9F08360F180176E915E31A0EB30DA85CA74

Uniqueness

Uniqueness Score: -1.00%

Function 00D30AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D30BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D3F910,00000000,?,00000000,?,?), ref: 00D30C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D30C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D30D1D
RegCloseKey.ADVAPI32(?), ref: 00D3103D
RegCloseKey.ADVAPI32(00000000), ref: 00D3104A

Strings

REG_QWORD, xrefs: 00D30F8B
REG_MULTI_SZ, xrefs: 00D30E05
REG_DWORD, xrefs: 00D30F0E
REG_BINARY, xrefs: 00D30FD8
REG_EXPAND_SZ, xrefs: 00D30CBA
REG_SZ, xrefs: 00D30D5B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 7063b329c45d133cff9844c3c73eb7312f48507c1befd23f445f3bc36b234f03
Instruction ID: b6417826b4445d0ab134f585611395caaa77aafa0f09c5b4759d37c21d5f715e
Opcode Fuzzy Hash: 7063b329c45d133cff9844c3c73eb7312f48507c1befd23f445f3bc36b234f03
Instruction Fuzzy Hash: DE027D756006119FCB14EF24C891E6ABBE5FF89714F04885DF98A9B362CB30ED41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D1F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00D1F37E
_wcscmp.LIBCMT ref: 00D1F393
_wcscmp.LIBCMT ref: 00D1F3AA

Part of subcall function 00D145C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D145DC

FindNextFileW.KERNEL32(00000000,?), ref: 00D1F3D9
FindClose.KERNEL32(00000000), ref: 00D1F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00D1F400
_wcscmp.LIBCMT ref: 00D1F427
_wcscmp.LIBCMT ref: 00D1F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00D1F450
SetCurrentDirectoryW.KERNEL32(00D6A5A0), ref: 00D1F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D1F478
FindClose.KERNEL32(00000000), ref: 00D1F485
FindClose.KERNEL32(00000000), ref: 00D1F497

Strings

*.*, xrefs: 00D1F3FB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: d0abde7f9df6a2cd0c76998a44a84e76dfb5ecbbb5d4a5f102c3762dd5c6c6f1
Instruction ID: ddc3656007696486e41e81ba5adc34dee0aa00ea8ee0ca36dcbb67685cb07fd3
Opcode Fuzzy Hash: d0abde7f9df6a2cd0c76998a44a84e76dfb5ecbbb5d4a5f102c3762dd5c6c6f1
Instruction Fuzzy Hash: 4931B37660121D7FCB109BA4FC88ADFB7AC9F49360F180276E954E31A0DB30DA84CA74

Uniqueness

Uniqueness Score: -1.00%

Function 00D081F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D08766
Part of subcall function 00D0874A: GetLastError.KERNEL32(?,00D0822A,?,?,?), ref: 00D08770
Part of subcall function 00D0874A: GetProcessHeap.KERNEL32(00000008,?,?,00D0822A,?,?,?), ref: 00D0877F
Part of subcall function 00D0874A: HeapAlloc.KERNEL32(00000000,?,00D0822A,?,?,?), ref: 00D08786
Part of subcall function 00D0874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0879D

Part of subcall function 00D087E7: GetProcessHeap.KERNEL32(00000008,00D08240,00000000,00000000,?,00D08240,?), ref: 00D087F3
Part of subcall function 00D087E7: HeapAlloc.KERNEL32(00000000,?,00D08240,?), ref: 00D087FA
Part of subcall function 00D087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D08240,?), ref: 00D0880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D0825B
_memset.LIBCMT ref: 00D08270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D0828F
GetLengthSid.ADVAPI32(?), ref: 00D082A0
GetAce.ADVAPI32(?,00000000,?), ref: 00D082DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D082F9
GetLengthSid.ADVAPI32(?), ref: 00D08316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D08325
HeapAlloc.KERNEL32(00000000), ref: 00D0832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D0834D
CopySid.ADVAPI32(00000000), ref: 00D08354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D08385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D083AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D083BF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 4883346414d8ab50eb5350c1c16725fc17f3db8f2cf5017f22ca86ff7b081978
Instruction ID: a7b3805710d03437877bf00e974a271a34b33941ba6bb62904b562099b3aa655
Opcode Fuzzy Hash: 4883346414d8ab50eb5350c1c16725fc17f3db8f2cf5017f22ca86ff7b081978
Instruction Fuzzy Hash: 9761567190020AABDF049FA4DD85BAEBBB9FF44710F088129E859E7291DB319A05DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CC6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 00D016DD
NO_START_OPT), xrefs: 00D01588
LIMIT_MATCH=, xrefs: 00D015A9
UTF), xrefs: 00D01533
ANY), xrefs: 00D01717
CR), xrefs: 00D016C0
NO_AUTO_POSSESS), xrefs: 00D01567
UTF16), xrefs: 00D01508
ANYCRLF), xrefs: 00D01734
CRLF), xrefs: 00D016FA
LIMIT_RECURSION=, xrefs: 00D01635
UCP), xrefs: 00D01546
BSR_ANYCRLF), xrefs: 00D01757
BSR_UNICODE), xrefs: 00D01771

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 71a94d0f645a19e9ba8e9e34d5ada5ad7f4b777f677c666e56a7b516a1bb1417
Instruction ID: 0f5e726b5f37abd318c091c541ccd26e7c673b370f20b93c6314e6c4d1055348
Opcode Fuzzy Hash: 71a94d0f645a19e9ba8e9e34d5ada5ad7f4b777f677c666e56a7b516a1bb1417
Instruction Fuzzy Hash: 98727175E00219DBDB24CF59D890BAEB7B5FF48310F14816AE859EB290D7709E81DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D30665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D30038,?,?), ref: 00D310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D30737

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D307D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D3086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D30AAD
RegCloseKey.ADVAPI32(00000000), ref: 00D30ABA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 86a713622925777f360ed7f1b7c7f012d725705b9162c874411b13541aa1fb33
Instruction ID: 5166adc1f26ab2e1b31514d676c0045cb10e9b075b3b1b45e0aa2674d51bbccb
Opcode Fuzzy Hash: 86a713622925777f360ed7f1b7c7f012d725705b9162c874411b13541aa1fb33
Instruction Fuzzy Hash: C3E15F71604314AFCB14DF28C891E6ABBE5EF89714F04856DF84ADB261DB30ED05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D10219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D10241
GetAsyncKeyState.USER32(000000A0), ref: 00D102C2
GetKeyState.USER32(000000A0), ref: 00D102DD
GetAsyncKeyState.USER32(000000A1), ref: 00D102F7
GetKeyState.USER32(000000A1), ref: 00D1030C
GetAsyncKeyState.USER32(00000011), ref: 00D10324
GetKeyState.USER32(00000011), ref: 00D10336
GetAsyncKeyState.USER32(00000012), ref: 00D1034E
GetKeyState.USER32(00000012), ref: 00D10360
GetAsyncKeyState.USER32(0000005B), ref: 00D10378
GetKeyState.USER32(0000005B), ref: 00D1038A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a352384eada5a72d61131f43543e61aca3d32ea2685b1ae90ede0ecf766d114c
Instruction ID: bb3d551b7a2be3646203ac4f2b7ba2dc1c4156f05e49fd4ea567646529145203
Opcode Fuzzy Hash: a352384eada5a72d61131f43543e61aca3d32ea2685b1ae90ede0ecf766d114c
Instruction Fuzzy Hash: B14188249047C9BEFF31BB64E8083E5BEA06B16344F0C409DD9D6866C2EFE459C487B6

Uniqueness

Uniqueness Score: -1.00%

Function 00D286D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

CoInitialize.OLE32 ref: 00D28718
CoUninitialize.OLE32 ref: 00D28723
CoCreateInstance.OLE32(?,00000000,00000017,00D42BEC,?), ref: 00D28783
IIDFromString.OLE32(?,?), ref: 00D287F6
VariantInit.OLEAUT32(?), ref: 00D28890
VariantClear.OLEAUT32(?), ref: 00D288F1

Strings

Failed to create object, xrefs: 00D2878E, 00D28844
Invalid parameter, xrefs: 00D2880F
NULL Pointer assignment, xrefs: 00D287C8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 195ba1c064cf270cdf87c4b92a6aca87cdc7c4099d0bb84cadf37a4321c84183
Instruction ID: 4815bf51742e2ec41b71cd674abdedd0f3c3e8eddb78111725df8422180fe559
Opcode Fuzzy Hash: 195ba1c064cf270cdf87c4b92a6aca87cdc7c4099d0bb84cadf37a4321c84183
Instruction Fuzzy Hash: 3F61DF706093219FD710DF24E848B6ABBE4EF58718F14481DF9859B291CB30ED48EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D24458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D2447F
EmptyClipboard.USER32 ref: 00D24485
GlobalAlloc.KERNEL32(00000002,?), ref: 00D2449A
CloseClipboard.USER32 ref: 00D24539

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1d2d29f7cd5f648e56025414cd8f85bf11abc4378f04f501af475af10c5c0740
Instruction ID: 2cb9832c910c8560903cf27a1e58ad3bf06d1080f4bf220548a43329fde9c8df
Opcode Fuzzy Hash: 1d2d29f7cd5f648e56025414cd8f85bf11abc4378f04f501af475af10c5c0740
Instruction Fuzzy Hash: 6F218D35600624AFDB10AF60EC09B6A7BA8EF14714F14802AFD4ADB3B1DB70ED01DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00D13A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB48A1,?,?,00CB37C0,?), ref: 00CB48CE

Part of subcall function 00D14CD3: GetFileAttributesW.KERNEL32(?,00D13947), ref: 00D14CD4

FindFirstFileW.KERNEL32(?,?), ref: 00D13ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00D13B87
MoveFileW.KERNEL32(?,?), ref: 00D13B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00D13BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D13BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00D13BF5

Strings

\*.*, xrefs: 00D13A8A, 00D13A93, 00D13AA8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 9fe82acd76f56d52e58c16af8d76f0645dd8cab02adac234b014f6b7b91953c3
Instruction ID: 5f05d4cbb4907c19e510db80360bbbe8d3fb1a6074e93fec65d5838019e840c2
Opcode Fuzzy Hash: 9fe82acd76f56d52e58c16af8d76f0645dd8cab02adac234b014f6b7b91953c3
Instruction Fuzzy Hash: DB51A33180524CAACF15EBA0DE929FDB779AF54300F6441A9E442B7192EF306F49DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00D1F6AB
Sleep.KERNEL32(0000000A), ref: 00D1F6DB
_wcscmp.LIBCMT ref: 00D1F6EF
_wcscmp.LIBCMT ref: 00D1F70A
FindNextFileW.KERNEL32(?,?), ref: 00D1F7A8
FindClose.KERNEL32(00000000), ref: 00D1F7BE

Strings

*.*, xrefs: 00D1F690

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 68fb3b4f864069b8b877e6199d243113f150c49217979a6eb9b76d9071890e9d
Instruction ID: 195bf7b4c675ad489370892f8bd411deb8687615f5a257f39b866759dd92addd
Opcode Fuzzy Hash: 68fb3b4f864069b8b877e6199d243113f150c49217979a6eb9b76d9071890e9d
Instruction Fuzzy Hash: 7E41617190420AAFCF11EF64DC49AEEBBB8FF05310F144566E815A32A1DB309E84DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CC4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CF7B0C
VUUU, xrefs: 00CC44ED
VUUU, xrefs: 00CC4520
ERCP, xrefs: 00CC421F
VUUU, xrefs: 00CC44DB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3237772befe23019f88576dccc31a76dccaf94a5b208186b905e8bd400558d70
Instruction ID: ca7b2f9f9937d8a571eab610ff1bb4b750374f61fb2142bdb1ac45157032771d
Opcode Fuzzy Hash: 3237772befe23019f88576dccc31a76dccaf94a5b208186b905e8bd400558d70
Instruction Fuzzy Hash: 74A29070E0421ACBDF68CF58C960BBDB7B1BF54314F24C2AAE965A7284D7309E85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CC58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CC5A05
_memmove.LIBCMT ref: 00CC5A55
_memmove.LIBCMT ref: 00CC5ABB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9019986947ce6d4b0241ad37b98befddecf95d498cc7873a69ec3007cdb7722a
Instruction ID: 7c3ec49ee444f78b157c75b00654e769a3cf726f9b9f8a95cb3566367b6a7e7c
Opcode Fuzzy Hash: 9019986947ce6d4b0241ad37b98befddecf95d498cc7873a69ec3007cdb7722a
Instruction Fuzzy Hash: 09128A70A00609EBDF04DFA5D981BEEB7B5FF48300F148169E806E7291EB35AE55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D1545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D08CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D08D0D
Part of subcall function 00D08CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D08D3A
Part of subcall function 00D08CC3: GetLastError.KERNEL32 ref: 00D08D47

ExitWindowsEx.USER32(?,00000000), ref: 00D1549B

Strings

SeShutdownPrivilege, xrefs: 00D1546B
@, xrefs: 00D1548E
, xrefs: 00D15489

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e26a15d4e24ccba35a41d5008e59c368271c4f16a8cd02a97550c77889968f08
Instruction ID: 8ece8154a8be1fe1faa28126cad7d598212d10edb651a05665ca7f955ac5592a
Opcode Fuzzy Hash: e26a15d4e24ccba35a41d5008e59c368271c4f16a8cd02a97550c77889968f08
Instruction Fuzzy Hash: 0F012431A54B05FAE7285378FC4ABFA7258EB80352F280420FC47D21D6DEB95CC081B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D26596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D265EF
WSAGetLastError.WSOCK32(00000000), ref: 00D265FE
bind.WSOCK32(00000000,?,00000010), ref: 00D2661A
listen.WSOCK32(00000000,00000005), ref: 00D26629
WSAGetLastError.WSOCK32(00000000), ref: 00D26643
closesocket.WSOCK32(00000000,00000000), ref: 00D26657

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 9ecf9fb5a59dcf21da62f09e19fa8711f8f749042929c242b006ab4099fe1de6
Instruction ID: 98f494cb5561bf48ada8db25fd70b2662b5f46e74aefa8c2a92f23addf353d91
Opcode Fuzzy Hash: 9ecf9fb5a59dcf21da62f09e19fa8711f8f749042929c242b006ab4099fe1de6
Instruction Fuzzy Hash: 0221CE71600314AFCB10AF24D845B6EB7A9EF48324F148199F95AE73D1CB30ED009B61

Uniqueness

Uniqueness Score: -1.00%

Function 00CC5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00CD0FF6: std::exception::exception.LIBCMT ref: 00CD102C
Part of subcall function 00CD0FF6: __CxxThrowException@8.LIBCMT ref: 00CD1041

_memmove.LIBCMT ref: 00D0062F
_memmove.LIBCMT ref: 00D00744
_memmove.LIBCMT ref: 00D007EB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: daccd4aa3f50b634b3572981b09aebaae753f3402af3d82227711878464ae096
Instruction ID: 3e50a4ea02e55d0ebd9b91aa7883c12beb9fc0aba4d2a2541c9e94b29b65edad
Opcode Fuzzy Hash: daccd4aa3f50b634b3572981b09aebaae753f3402af3d82227711878464ae096
Instruction Fuzzy Hash: 7D027370A00205EBDF04DF64D981BAEBBB5FF44300F148069E80ADB395EB35E955DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CB19FA
GetSysColor.USER32(0000000F), ref: 00CB1A4E
SetBkColor.GDI32(?,00000000), ref: 00CB1A61

Part of subcall function 00CB1290: DefDlgProcW.USER32(?,00000020,?), ref: 00CB12D8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 5a959af7c44f38c4503baa4d4568faf98914dba2b040348de67fe2d2a50900b1
Instruction ID: 5e67153648bad34d4d75339f6fb8e121b3ea755741516fc6de2925dce05c3cfc
Opcode Fuzzy Hash: 5a959af7c44f38c4503baa4d4568faf98914dba2b040348de67fe2d2a50900b1
Instruction Fuzzy Hash: FAA15A711155C4BFDA38AB2B9C79DFF369DDB41381FAC0119FC22E6191DA14EE01A2B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D26A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D280CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D26AB1
WSAGetLastError.WSOCK32(00000000), ref: 00D26ADA
bind.WSOCK32(00000000,?,00000010), ref: 00D26B13
WSAGetLastError.WSOCK32(00000000), ref: 00D26B20
closesocket.WSOCK32(00000000,00000000), ref: 00D26B34

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 879ec6c616592f56b64c0d429ad406c8763aaccea8da87a981a1361995d1257d
Instruction ID: 3b522717075449515f348323b82d2e4cf0ce8f28c62135e3bdb3632404bec4c1
Opcode Fuzzy Hash: 879ec6c616592f56b64c0d429ad406c8763aaccea8da87a981a1361995d1257d
Instruction Fuzzy Hash: 3F41D475B00314AFEB10AF24DC86FAE77A9DF09714F448058FA5AEB3D2CA749D0097A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D355FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D3564C
IsWindowEnabled.USER32 ref: 00D3565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00D35667
IsIconic.USER32 ref: 00D35675
IsZoomed.USER32 ref: 00D35683

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0fd790d4bf46198896e2e40beea692618cde61d33818a9f1cdf4ae2fe469b90d
Instruction ID: 6572a5204bf8e1f22f56ecff66008b66dcc04d1a209c81a9f152cc670fc3ed3b
Opcode Fuzzy Hash: 0fd790d4bf46198896e2e40beea692618cde61d33818a9f1cdf4ae2fe469b90d
Instruction Fuzzy Hash: 0511C131B00A156FE7212F26EC46B6FBBA8EF85761F884439F846D7241CB70DD018AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D2C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CF1D88,?), ref: 00D2C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D2C324

Strings

GetSystemWow64DirectoryW, xrefs: 00D2C31E
kernel32.dll, xrefs: 00D2C30D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9bf85ba6ca028332e9c398a2677f125522ce846c44cd9a1157742fdc79a2e61b
Instruction ID: f08c0ad362de6275adfd10e05cf7dfeb0e58a2786aece214604c2e38a31f9be5
Opcode Fuzzy Hash: 9bf85ba6ca028332e9c398a2677f125522ce846c44cd9a1157742fdc79a2e61b
Instruction Fuzzy Hash: F1E0ECB4A10727DFDB208F65E804A5A76D4EB19759B84983AE895D2660E770DC80CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CC3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 9aaf97fb5ac3a4c155b58b1f45127827512ce2f7074780e77916fd83a865e2d8
Instruction ID: 55df90bff3732f8dc73d284f8b880a50f5ca8070643268610030d85cf4aff0a8
Opcode Fuzzy Hash: 9aaf97fb5ac3a4c155b58b1f45127827512ce2f7074780e77916fd83a865e2d8
Instruction Fuzzy Hash: 732299716083419FC724DF24D881BAFB7E4EF84300F14892DFA9A97291DB71EA45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D2F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D2F151
Process32FirstW.KERNEL32(00000000,?), ref: 00D2F15F

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Process32NextW.KERNEL32(00000000,?), ref: 00D2F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00D2F22E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: e75c0d7f4f29a5be3298485b3d347189d45b854e13e02c358c693e0f306d386d
Instruction ID: fb4decc63655cee36f3a5506186db83e1a2125b28f0354b9a62dfd412bdfbf9c
Opcode Fuzzy Hash: e75c0d7f4f29a5be3298485b3d347189d45b854e13e02c358c693e0f306d386d
Instruction Fuzzy Hash: E8517C715083109FD310EF20DC81AABBBE8EF95714F54492DF995D72A1EB70E908DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D140B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D140D1
_memset.LIBCMT ref: 00D140F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00D14144
CloseHandle.KERNEL32(00000000), ref: 00D1414D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 4399c6577d22336f0a198b2a29e48d38457ce650ce085179ccd9dcfe6010a04d
Instruction ID: 0ed0a0c17372a63638fcdf42420b6a7168f1bbef8d72d9751c6d6c08f48aa792
Opcode Fuzzy Hash: 4399c6577d22336f0a198b2a29e48d38457ce650ce085179ccd9dcfe6010a04d
Instruction Fuzzy Hash: 19118675D013287AD7205BA5AC4DFABBA7CEB44760F104196F908D7280D6744E848BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D0EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D0EB19

Strings

(, xrefs: 00D0EB5F
|, xrefs: 00D0EB49

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5ebf9aed36df9c0b4d45ec610d70ee21f22f7ce449650fc59d7cdf94a907e82f
Instruction ID: e80fe9d0d167034afb9256612e5c78c366663a367713e59309dc98382fe5f6ac
Opcode Fuzzy Hash: 5ebf9aed36df9c0b4d45ec610d70ee21f22f7ce449650fc59d7cdf94a907e82f
Instruction Fuzzy Hash: 57324575A007059FDB28CF19C481A6AB7F0FF48320B15C96EE89ACB7A1E770E941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00D225E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00D226D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D2270C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 7fbf408ecc335e91d2be930d59b49b77eaf108465b7cd17e8d5f2dc376d3e2de
Instruction ID: 1056c2bf689054d8b94ac67c61e8963624ecc1fc97e12697a2532642967f94b0
Opcode Fuzzy Hash: 7fbf408ecc335e91d2be930d59b49b77eaf108465b7cd17e8d5f2dc376d3e2de
Instruction Fuzzy Hash: 9741F772504319BFEB20DF54EC85EBBB7BCEB50319F14406AF641A7240EA719E419670

Uniqueness

Uniqueness Score: -1.00%

Function 00D1B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D1B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D1B655

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 13afb8e6ad04754f3f905acabb0a8ac18f4fc4051e0ecc10bc7048c4c8a03529
Instruction ID: d2147444c08295540974bc37c10e9f5564ca149eb5ae1eee6f4e44ab2c8b6ddc
Opcode Fuzzy Hash: 13afb8e6ad04754f3f905acabb0a8ac18f4fc4051e0ecc10bc7048c4c8a03529
Instruction Fuzzy Hash: 7A217435A00218EFCB00EF55D880EEDBBB8FF49310F1480A9E905EB351DB319955DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D08CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CD0FF6: std::exception::exception.LIBCMT ref: 00CD102C
Part of subcall function 00CD0FF6: __CxxThrowException@8.LIBCMT ref: 00CD1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D08D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D08D3A
GetLastError.KERNEL32 ref: 00D08D47

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 053bdc827b36827ab9eebb012cdcbdd41a22dd20fe8dc0e88f43b9e57fa496bc
Instruction ID: ab56a53b1af12483de27dde748761d9035d5ba9cdb847d30dfd8b8f9b3074d99
Opcode Fuzzy Hash: 053bdc827b36827ab9eebb012cdcbdd41a22dd20fe8dc0e88f43b9e57fa496bc
Instruction Fuzzy Hash: 921182B1914309AFD728EF58EC85E6BB7F8EB44710B24852EF49593251DF30AC409A70

Uniqueness

Uniqueness Score: -1.00%

Function 00D14C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D14C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D14C43
FreeSid.ADVAPI32(?), ref: 00D14C53

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4e224f4851e18fd976a0b290a34d3e315e5f8b016d04ad46ec48e44e45f790e5
Instruction ID: b81b80461b72c22354e6e0071b746df0095eefbd279715a47166887647fa2095
Opcode Fuzzy Hash: 4e224f4851e18fd976a0b290a34d3e315e5f8b016d04ad46ec48e44e45f790e5
Instruction Fuzzy Hash: 2FF04975E1130CBFDF04DFF4DD89AAEBBBCEF08201F0044A9A905E2281E6706A448B60

Uniqueness

Uniqueness Score: -1.00%

Function 00CBE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac1a6c305534128840190cb58e602fc329f017fe7c101da9616750b991c6b92
Instruction ID: 4d8fb1a8105fce180a3e0ba1775026ff4d1cdce2922404c9fde512b96a765ddc
Opcode Fuzzy Hash: cac1a6c305534128840190cb58e602fc329f017fe7c101da9616750b991c6b92
Instruction Fuzzy Hash: BD228F74A00219DFDB24DF58C490AFEB7F0FF04700F248569E966AB351E734AA85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D1C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D1C966
FindClose.KERNEL32(00000000), ref: 00D1C996

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b5a2bb1acc62e7d59126f0947591d7e123ca43a0a17608ba19e75df44f18df38
Instruction ID: a6ccf6586e4a9632b95c0485bb2c2486cd1a587c1b516a4d24714ca27f03d017
Opcode Fuzzy Hash: b5a2bb1acc62e7d59126f0947591d7e123ca43a0a17608ba19e75df44f18df38
Instruction Fuzzy Hash: 9611A1326102049FDB10EF29D845A6AF7E9FF85320F04851EF9A9D73A1DB30AC00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D1A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D2977D,?,00D3FB84,?), ref: 00D1A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D2977D,?,00D3FB84,?), ref: 00D1A314

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2dceac3aebd29df38c77a985bc4cdfb470e082c1ee6021ff53ce4334fe47779c
Instruction ID: 44f6663d9da5e33e26d2ed19e1fa7dba1a43e6385e0256a53f3e5762cb581ea4
Opcode Fuzzy Hash: 2dceac3aebd29df38c77a985bc4cdfb470e082c1ee6021ff53ce4334fe47779c
Instruction Fuzzy Hash: 5AF0BE3550522DBBDB109FE48C48FEA736CAF08361F004265F818D2280DA309940CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D08713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D08851), ref: 00D08728
CloseHandle.KERNEL32(?,?,00D08851), ref: 00D0873A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 706b83367a342bd90d53384520be05d6091619d151383841e0ff1c90b5560864
Instruction ID: 43295ec73c9b0ba9393dba66f6799f457c431037a3294d107d87f9a31274161c
Opcode Fuzzy Hash: 706b83367a342bd90d53384520be05d6091619d151383841e0ff1c90b5560864
Instruction Fuzzy Hash: 34E0B676010610EFE7253B64FD09E777BA9EB04350728882AF99AC0570DB62AC90EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CD8F97,?,?,?,00000001), ref: 00CDA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CDA3A3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 026e8c82a72233bbed1b45debb1094e62f3f688dcc0df442c39264535654711f
Instruction ID: 8f2e3511e3d9bd0346f6094cb4c4d104ed893dd26db49c001e36cf378492b1f6
Opcode Fuzzy Hash: 026e8c82a72233bbed1b45debb1094e62f3f688dcc0df442c39264535654711f
Instruction Fuzzy Hash: F2B0923145430CABCA002B91EC09B8A3F68EB45AA2F404020F60DC5260CB6254508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CDF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e310764fc6586d77d91edcdbe78fd528e223236e7eb3ef07d4bf0bd4bc96870f
Instruction ID: 86f4083d53d2c9d1b2b8af1035c8cec7deee23e7a612c922ee0db411ba531e76
Opcode Fuzzy Hash: e310764fc6586d77d91edcdbe78fd528e223236e7eb3ef07d4bf0bd4bc96870f
Instruction Fuzzy Hash: 0D320625D69F414ED7235A34D8723366249EFB73C4F15D73BE82AB5BA6DB28C5834100

Uniqueness

Uniqueness Score: -1.00%

Function 00CE267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220a779014b32c70d0ac744188f9a9b2f857b7b7c730fe742b13889bd887b238
Instruction ID: 4882ed3d1f67c0f796977fb71cb384706c9037795d2a100169086c4239641495
Opcode Fuzzy Hash: 220a779014b32c70d0ac744188f9a9b2f857b7b7c730fe742b13889bd887b238
Instruction Fuzzy Hash: 0BB1F024D6AF414ED6239A398835336B64CAFBB2D5F51D71BFC2AB4E22EB2185834141

Uniqueness

Uniqueness Score: -1.00%

Function 00D18B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00D18B25

Part of subcall function 00CD543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D191F8,00000000,?,?,?,?,00D193A9,00000000,?), ref: 00CD5443
Part of subcall function 00CD543A: __aulldiv.LIBCMT ref: 00CD5463

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 427367c392934344b259917261e51fd5b2f2c18c5af261b5e569cb31b96f558a
Instruction ID: 0b68d287e134a9c122ff9c8144b5e8d1c4588dc57381de4b484f7c1fd6a1a58c
Opcode Fuzzy Hash: 427367c392934344b259917261e51fd5b2f2c18c5af261b5e569cb31b96f558a
Instruction Fuzzy Hash: 9521E772639610CBC329CF25D441A52B3E1EFA4311B288E6CD0E9CB2D0DE34B945DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D241FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D24218

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e596eaa10cd6a26a5583321210bf48db7e38a6d91836f56f5426dcbbc5947c9b
Instruction ID: fc7c332fdb090d8b009302939c3b5a5d5643ef6dccc7fc01ec8e39573e9bcd37
Opcode Fuzzy Hash: e596eaa10cd6a26a5583321210bf48db7e38a6d91836f56f5426dcbbc5947c9b
Instruction Fuzzy Hash: 91E04F312402149FC710EF5AE845A9AFBE8EFA4760F008026FD4AD7352DA70E8409BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D14EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00D14EEC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8be1f736d57aa6e278aafd9dfed35ec1b933118994bd357069f1efea502c7d41
Instruction ID: 038201a83dc5d4dacb20344d5827cdbc55edba393f08a29737333b99c11b3f47
Opcode Fuzzy Hash: 8be1f736d57aa6e278aafd9dfed35ec1b933118994bd357069f1efea502c7d41
Instruction Fuzzy Hash: 2DD09E991A070979ED584B24BC5FFF71109F300795FD8555AB542D91C1DCD0ACD55031

Uniqueness

Uniqueness Score: -1.00%

Function 00D08C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D088D1), ref: 00D08CB3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bf8a84c8b5be27fe4c8027b941e50447998bafe00cd4d513422f361d3d8e7f56
Instruction ID: 5199f6d7af724e2bd2ba0e4f67c7ba562a84346db5f13a0670af1adf5ccb7069
Opcode Fuzzy Hash: bf8a84c8b5be27fe4c8027b941e50447998bafe00cd4d513422f361d3d8e7f56
Instruction Fuzzy Hash: B5D09E3226460EABEF019FA8DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CF2242

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3f47eba9b66745dc56f1916137d9d7e04fea0a5bd90ff062b49dfb2997ea088c
Instruction ID: bd469a8b63825cea3be4480f8650bfbcec9e945af5549ed11cf1b3e760bb599d
Opcode Fuzzy Hash: 3f47eba9b66745dc56f1916137d9d7e04fea0a5bd90ff062b49dfb2997ea088c
Instruction Fuzzy Hash: 39C04CF1C0410DDBDB09DB90D988DFE77BCAB04304F144055A541F2100D7749B448E71

Uniqueness

Uniqueness Score: -1.00%

Function 00CDA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CDA36A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 477add4b95d8f5df7334815d9530d4de2e17ce4ed236c66755341a0c7bbe8bbd
Instruction ID: 3b61aad67401f4966ff9768efe835a63eb13b7c4656747aec50c9dc7ca3063f9
Opcode Fuzzy Hash: 477add4b95d8f5df7334815d9530d4de2e17ce4ed236c66755341a0c7bbe8bbd
Instruction Fuzzy Hash: FDA0123000020CA78A001B41EC044457F5CD6011907004020F40C81121873254104590

Uniqueness

Uniqueness Score: -1.00%

Function 00CC8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c261eff028db807e18642ae9ebd0f864f03de543aa9455adb130580053260be4
Instruction ID: aae6d6c1e17511f13b85acf46a2f20c5416383341f097edaee47230c3c750ba8
Opcode Fuzzy Hash: c261eff028db807e18642ae9ebd0f864f03de543aa9455adb130580053260be4
Instruction Fuzzy Hash: 8D22F330901626DBDF288B28D4D4B7F77A1EB41304F68846ED85A8B2D5DB30DE89DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 4fd0dd2a96489e189c18253f4ee3f1d41d53d4b76b81ff2513e768eaf97cf55c
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 58C1713220519309DB2D467AD47453EFAE15EA27B131E0B5FE9B2CB6D4EF20D624E620

Uniqueness

Uniqueness Score: -1.00%

Function 00CD283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 78401c1410f1e0badce1c0b468a772f83a873949f5fee05b78670f22390d0cc9
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 72C185322051930ADB2D463A947413EBBE15BA27B131E1B5FE9B3DB6D4EF10D624E620

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f6adf1b9b7b9301ba82f1df2d87183a1e55d79e2526120af211f6ba7f163969e
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 50C1623220519319DB2D477A947413EBBE25AA27B131E0B5FEDB2CB6D4EF20D624D610

Uniqueness

Uniqueness Score: -1.00%

Function 00D27B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D27B70
DeleteObject.GDI32(00000000), ref: 00D27B82
DestroyWindow.USER32 ref: 00D27B90
GetDesktopWindow.USER32 ref: 00D27BAA
GetWindowRect.USER32(00000000), ref: 00D27BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D27CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D27D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27D4A
GetClientRect.USER32(00000000,?), ref: 00D27D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D27D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27DF8
GlobalFree.KERNEL32(00000000), ref: 00D27E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D42CAC,00000000), ref: 00D27E2B
GlobalFree.KERNEL32(00000000), ref: 00D27E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D27E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D27E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D27EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D2808F

Strings

, xrefs: 00D28015
AutoIt v3, xrefs: 00D27D42
static, xrefs: 00D27D8A, 00D27EE1
DISPLAY, xrefs: 00D27EF2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 22bc3cab42c8465de0809dcf356495a85bd6c48dd5c2ebc55d9f94b61e525608
Instruction ID: abc1b7469edf9467a0a6226d1e2e439c319c5eced4c003bb7a5b5b4e23a2b131
Opcode Fuzzy Hash: 22bc3cab42c8465de0809dcf356495a85bd6c48dd5c2ebc55d9f94b61e525608
Instruction Fuzzy Hash: 9F026971900219EFDB14DFA8DD89EAE7BB9EB48314F148158F905EB2A1DB70AD40DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D337F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00D3F910), ref: 00D338AF
IsWindowVisible.USER32(?), ref: 00D338D3

Strings

SETCURRENTSELECTION, xrefs: 00D33A3E
GETCURRENTLINE, xrefs: 00D33B75
ISVISIBLE, xrefs: 00D338BF
GETCURRENTSELECTION, xrefs: 00D33A6B
UNCHECK, xrefs: 00D33B0B
SHOWDROPDOWN, xrefs: 00D33968
GETLINECOUNT, xrefs: 00D33B4E
GETLINE, xrefs: 00D33C23
TABRIGHT, xrefs: 00D33925
FINDSTRING, xrefs: 00D339FE
HIDEDROPDOWN, xrefs: 00D33988
GETCURRENTCOL, xrefs: 00D33BB0
SELECTSTRING, xrefs: 00D33A8E
ISCHECKED, xrefs: 00D33AC1
DELSTRING, xrefs: 00D339D1
SENDCOMMANDID, xrefs: 00D33C62
ADDSTRING, xrefs: 00D3399E
CHECK, xrefs: 00D33AF5
CURRENTTAB, xrefs: 00D33945
EDITPASTE, xrefs: 00D33BE7
GETSELECTED, xrefs: 00D33B2B
TABLEFT, xrefs: 00D3390F
ISENABLED, xrefs: 00D338F3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 032bbd9b7e9b7bc6ffa0881f634932448c3b7949d543e2b30eea82eaa16b83ea
Instruction ID: 48bee13612feed0c64d680cf3cd262ed41ec6452b2787e27fdacaed35cba06de
Opcode Fuzzy Hash: 032bbd9b7e9b7bc6ffa0881f634932448c3b7949d543e2b30eea82eaa16b83ea
Instruction Fuzzy Hash: 87D11F30204305DBCB14EF24C551BAAB7A6EF94354F14445AB986AB3E3CB31EE4ADB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D3A89F
GetSysColorBrush.USER32(0000000F), ref: 00D3A8D0
GetSysColor.USER32(0000000F), ref: 00D3A8DC
SetBkColor.GDI32(?,000000FF), ref: 00D3A8F6
SelectObject.GDI32(?,?), ref: 00D3A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00D3A930
GetSysColor.USER32(00000010), ref: 00D3A938
CreateSolidBrush.GDI32(00000000), ref: 00D3A93F
FrameRect.USER32(?,?,00000000), ref: 00D3A94E
DeleteObject.GDI32(00000000), ref: 00D3A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00D3A9A0
FillRect.USER32(?,?,?), ref: 00D3A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00D3A9FD

Part of subcall function 00D3AB60: GetSysColor.USER32(00000012), ref: 00D3AB99
Part of subcall function 00D3AB60: SetTextColor.GDI32(?,?), ref: 00D3AB9D
Part of subcall function 00D3AB60: GetSysColorBrush.USER32(0000000F), ref: 00D3ABB3
Part of subcall function 00D3AB60: GetSysColor.USER32(0000000F), ref: 00D3ABBE
Part of subcall function 00D3AB60: GetSysColor.USER32(00000011), ref: 00D3ABDB
Part of subcall function 00D3AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D3ABE9
Part of subcall function 00D3AB60: SelectObject.GDI32(?,00000000), ref: 00D3ABFA
Part of subcall function 00D3AB60: SetBkColor.GDI32(?,00000000), ref: 00D3AC03
Part of subcall function 00D3AB60: SelectObject.GDI32(?,?), ref: 00D3AC10
Part of subcall function 00D3AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00D3AC2F
Part of subcall function 00D3AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D3AC46
Part of subcall function 00D3AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00D3AC5B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dbce14715ff660db77fc1533834be32157191224c39390909f097dc279209690
Instruction ID: 328033a0e3ddf60e099a5fe0d6d13fb6ea84f8eeeae12f905c7f4f481b97beee
Opcode Fuzzy Hash: dbce14715ff660db77fc1533834be32157191224c39390909f097dc279209690
Instruction Fuzzy Hash: DCA18072508305BFD7109F68DC08E5BBBA9FF88321F144A29F9A2D62E1D771D944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D277BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D277F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D278B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D278EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D27900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D27946
GetClientRect.USER32(00000000,?), ref: 00D27952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D27996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D279A5
GetStockObject.GDI32(00000011), ref: 00D279B5
SelectObject.GDI32(00000000,00000000), ref: 00D279B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D279C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D279D2
DeleteDC.GDI32(00000000), ref: 00D279DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D27A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D27A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D27A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D27A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D27A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D27AAE
GetStockObject.GDI32(00000011), ref: 00D27AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D27AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D27ACE

Strings

AutoIt v3, xrefs: 00D2793E
static, xrefs: 00D27990, 00D27AA8
DISPLAY, xrefs: 00D2799B
msctls_progress32, xrefs: 00D27A4F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d90f760d02257f2ed8e5b7e900ecb1dbcefae9eca7dce0398d75b42cb51c8568
Instruction ID: ec0fa8d8e2aeaeed854e570cd669b31ab0e5e5ee3fa3fa48cd8cfa2b5ceee164
Opcode Fuzzy Hash: d90f760d02257f2ed8e5b7e900ecb1dbcefae9eca7dce0398d75b42cb51c8568
Instruction Fuzzy Hash: 47A15FB1A40719BFEB149BA4DC4AFAEBBA9EB44714F004114FA15E72E1DB70AD40CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D1AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1AF89
GetDriveTypeW.KERNEL32(?,00D3FAC0,?,\\.\,00D3F910), ref: 00D1B066
SetErrorMode.KERNEL32(00000000,00D3FAC0,?,\\.\,00D3F910), ref: 00D1B1C4

Strings

1394, xrefs: 00D1B146
CDROM, xrefs: 00D1B09A
SATA, xrefs: 00D1B177
Virtual, xrefs: 00D1B18C
Fibre, xrefs: 00D1B154
RAMDisk, xrefs: 00D1B090
ATAPI, xrefs: 00D1B138
FileBackedVirtual, xrefs: 00D1B193
Unknown, xrefs: 00D1B086, 00D1B12A
\\.\, xrefs: 00D1AFDB
RAID, xrefs: 00D1B162
SCSI, xrefs: 00D1B131
Fixed, xrefs: 00D1B0AE
iSCSI, xrefs: 00D1B169
MMC, xrefs: 00D1B185
SSD, xrefs: 00D1B0F1
USB, xrefs: 00D1B15B
Removable, xrefs: 00D1B0B8
SAS, xrefs: 00D1B170
Network, xrefs: 00D1B0A4
PhysicalDrive, xrefs: 00D1B012
SSA, xrefs: 00D1B14D
ATA, xrefs: 00D1B13F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 94884a53fb7fc747d694a555013ad81097470d13899dfc9e2163dc57e636eab4
Instruction ID: 7bdb25f835ae92c0930e8740630d80410f0b776a23aaf50007fb3b83e08838a2
Opcode Fuzzy Hash: 94884a53fb7fc747d694a555013ad81097470d13899dfc9e2163dc57e636eab4
Instruction Fuzzy Hash: 86517D30684305FF8B00DF14E9929F973B1EB55361B254016E88AB7290CF75EDC9AA72

Uniqueness

Uniqueness Score: -1.00%

Function 00CB6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CB6A91
__wcsnicmp.LIBCMT ref: 00CB6AA9
__wcsnicmp.LIBCMT ref: 00CB6AC1
__wcsnicmp.LIBCMT ref: 00CB6AD9
__wcsnicmp.LIBCMT ref: 00CB6AF1
__wcsnicmp.LIBCMT ref: 00CB6B09
__wcsnicmp.LIBCMT ref: 00CB6B21
__wcsnicmp.LIBCMT ref: 00CB6B35
__wcsnicmp.LIBCMT ref: 00CB6B76
__wcsnicmp.LIBCMT ref: 00CB6B8A
__wcsnicmp.LIBCMT ref: 00CB6B9E
__wcsnicmp.LIBCMT ref: 00CB6BB2

Strings

Unterminated group of comments, xrefs: 00CEE82C
#include-once, xrefs: 00CB6AEB
#comments-start, xrefs: 00CB6B1B, 00CB6B70
Bad directive syntax error, xrefs: 00CEE743
#pragma compile, xrefs: 00CB6A8B
#include, xrefs: 00CB6B03
#notrayicon, xrefs: 00CB6AA3
#comments-end, xrefs: 00CB6B98
Cannot parse #include, xrefs: 00CEE819
#requireadmin, xrefs: 00CB6ABB
#OnAutoItStartRegister, xrefs: 00CB6AD3
#ce, xrefs: 00CB6BAC
#cs, xrefs: 00CB6B2F, 00CB6B84

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 831d2c2a016dafb5e94b8b6a848fea5abc4044d47e592c5ee046137201353fa2
Instruction ID: 48719529a811cbc602fa412a640e9cf910ac2ef76a6b67bdaa2eb582a8c1e483
Opcode Fuzzy Hash: 831d2c2a016dafb5e94b8b6a848fea5abc4044d47e592c5ee046137201353fa2
Instruction Fuzzy Hash: 7E811870700295BBCB20BB65CC82FFE7768AF14740F044026FE45AA2D6EB64EB45F661

Uniqueness

Uniqueness Score: -1.00%

Function 00D3AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D3AB99
SetTextColor.GDI32(?,?), ref: 00D3AB9D
GetSysColorBrush.USER32(0000000F), ref: 00D3ABB3
GetSysColor.USER32(0000000F), ref: 00D3ABBE
CreateSolidBrush.GDI32(?), ref: 00D3ABC3
GetSysColor.USER32(00000011), ref: 00D3ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D3ABE9
SelectObject.GDI32(?,00000000), ref: 00D3ABFA
SetBkColor.GDI32(?,00000000), ref: 00D3AC03
SelectObject.GDI32(?,?), ref: 00D3AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00D3AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D3AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00D3AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D3ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D3ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00D3ACEC
DrawFocusRect.USER32(?,?), ref: 00D3ACF7
GetSysColor.USER32(00000011), ref: 00D3AD05
SetTextColor.GDI32(?,00000000), ref: 00D3AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D3AD21
SelectObject.GDI32(?,00D3A869), ref: 00D3AD38
DeleteObject.GDI32(?), ref: 00D3AD43
SelectObject.GDI32(?,?), ref: 00D3AD49
DeleteObject.GDI32(?), ref: 00D3AD4E
SetTextColor.GDI32(?,?), ref: 00D3AD54
SetBkColor.GDI32(?,?), ref: 00D3AD5E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4335fade3802aa98021255d0f20833ab4699a8e9e5250792c111661115aab1d4
Instruction ID: 149383c78aa2cc87ac24e3c8b384ba13f678b1bcee264ad1a70e1162ab1c00de
Opcode Fuzzy Hash: 4335fade3802aa98021255d0f20833ab4699a8e9e5250792c111661115aab1d4
Instruction Fuzzy Hash: 9D612E71D00218FFDB119FA8DC49EAEBB79EB08320F144525F915EB2A1D6759D40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D38C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D38D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D38D45
CharNextW.USER32(0000014E), ref: 00D38D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D38DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D38DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D38DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D38DF9
SetWindowTextW.USER32(?,0000014E), ref: 00D38E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D38E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D38E8C
_memset.LIBCMT ref: 00D38EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D38EFA
_memset.LIBCMT ref: 00D38F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D38F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D38FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00D39088
InvalidateRect.USER32(?,00000000,00000001), ref: 00D390AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D390F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D39121
DrawMenuBar.USER32(?), ref: 00D39130
SetWindowTextW.USER32(?,0000014E), ref: 00D39158

Strings

0, xrefs: 00D390C2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 052c4988d4d969c6b135130174e1113066f237c196bcc3ce1f98001fe130af32
Instruction ID: fedfc3e5e3cccdf226a0134d211e884a0cd5f8c265e602f639ea1bad67eed2c2
Opcode Fuzzy Hash: 052c4988d4d969c6b135130174e1113066f237c196bcc3ce1f98001fe130af32
Instruction Fuzzy Hash: BDE19270900309AFDF209F60CC89EEEBBB9EF05710F148156F955AA290DB709A85EF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D34B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D34C51
GetDesktopWindow.USER32 ref: 00D34C66
GetWindowRect.USER32(00000000), ref: 00D34C6D
GetWindowLongW.USER32(?,000000F0), ref: 00D34CCF
DestroyWindow.USER32(?), ref: 00D34CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D34D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D34D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D34D68
SendMessageW.USER32(?,00000421,?,?), ref: 00D34D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D34D90
IsWindowVisible.USER32(?), ref: 00D34DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D34DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D34DDF
GetWindowRect.USER32(?,?), ref: 00D34DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00D34E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00D34E37
CopyRect.USER32(?,?), ref: 00D34E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00D34EB9

Strings

tooltips_class32, xrefs: 00D34D1D
0, xrefs: 00D34BFC
(, xrefs: 00D34E2A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6787215581fc2c19e32fcc372631aff1735439e8bfdeaac69cd9f4574462dbf1
Instruction ID: 61c5d36bb08426503102aea674a532e7d693ee3619a17f426fda6b5813cbbe0f
Opcode Fuzzy Hash: 6787215581fc2c19e32fcc372631aff1735439e8bfdeaac69cd9f4574462dbf1
Instruction Fuzzy Hash: 61B19C71608340AFDB44DF24C849B6ABBE4FF88710F04891CF599AB2A1DB74EC04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D146D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D146E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D1470E
_wcscpy.LIBCMT ref: 00D1473C
_wcscmp.LIBCMT ref: 00D14747
_wcscat.LIBCMT ref: 00D1475D
_wcsstr.LIBCMT ref: 00D14768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D14784
_wcscat.LIBCMT ref: 00D147CD
_wcscat.LIBCMT ref: 00D147D4
_wcsncpy.LIBCMT ref: 00D147FF

Strings

StringFileInfo\, xrefs: 00D14757
\VarFileInfo\Translation, xrefs: 00D1477C
DefaultLangCodepage, xrefs: 00D147E7
%u.%u.%u.%u, xrefs: 00D14862
04090000, xrefs: 00D147BA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 7733709d4b1dfebe6d719bdb9f78de1989098eef5ab1b2cbf50719c13d489dfc
Instruction ID: e7734aa8e5484b0dfe9ee5fbdcb0120ea8216d6cfaf9a77e822cd6856a6121b9
Opcode Fuzzy Hash: 7733709d4b1dfebe6d719bdb9f78de1989098eef5ab1b2cbf50719c13d489dfc
Instruction Fuzzy Hash: F541F571A002147BDB10BB64AC42EBF77ACDF45710F14006BFA45E6282EF71EA45B6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00CB27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CB28BC
GetSystemMetrics.USER32(00000007), ref: 00CB28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CB28EF
GetSystemMetrics.USER32(00000008), ref: 00CB28F7
GetSystemMetrics.USER32(00000004), ref: 00CB291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CB2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CB2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CB297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CB2990
GetClientRect.USER32(00000000,000000FF), ref: 00CB29AE
GetStockObject.GDI32(00000011), ref: 00CB29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB29D5

Part of subcall function 00CB2344: GetCursorPos.USER32(?), ref: 00CB2357
Part of subcall function 00CB2344: ScreenToClient.USER32(00D767B0,?), ref: 00CB2374
Part of subcall function 00CB2344: GetAsyncKeyState.USER32(00000001), ref: 00CB2399
Part of subcall function 00CB2344: GetAsyncKeyState.USER32(00000002), ref: 00CB23A7

SetTimer.USER32(00000000,00000000,00000028,00CB1256), ref: 00CB29FC

Strings

AutoIt v3 GUI, xrefs: 00CB2974

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e0f0fd8f9c55a790f055df53e0dbea325177c5c9abdac896caeab266d3572aad
Instruction ID: 699b3e2dd24186c4b8c071aacdc76aa86e98b0189d21276bb1fa1395d41014f9
Opcode Fuzzy Hash: e0f0fd8f9c55a790f055df53e0dbea325177c5c9abdac896caeab266d3572aad
Instruction Fuzzy Hash: CAB15E71A002099FDB14DFA9DC85BEE7BA4FB08311F108129FA25E72E0DB74D941DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D34069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D340F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D341B6

Strings

SELECT, xrefs: 00D34250
GETTEXT, xrefs: 00D3415F
DESELECT, xrefs: 00D342A4
GETSUBITEMCOUNT, xrefs: 00D34141
SELECTINVERT, xrefs: 00D34286
GETITEMCOUNT, xrefs: 00D34128
FINDITEM, xrefs: 00D34329
SELECTALL, xrefs: 00D3421D
GETSELECTEDCOUNT, xrefs: 00D34199
ISSELECTED, xrefs: 00D341C1
SELECTCLEAR, xrefs: 00D34235
VIEWCHANGE, xrefs: 00D34375
GETSELECTED, xrefs: 00D342E4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 191f10b757c42e8104623a712a97394832f4378e116cb01bef4913b0622c07c0
Instruction ID: 6d282ff91c1cd6d7e91055323baf14df283fadd12dc9c7dba1dfb1f7eedc3da6
Opcode Fuzzy Hash: 191f10b757c42e8104623a712a97394832f4378e116cb01bef4913b0622c07c0
Instruction Fuzzy Hash: B5A17E302543019BCB14EF24C951BAAB7A5EF84314F14496EB99AAB3D2DB34FC05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D252F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D25309
LoadCursorW.USER32(00000000,00007F8A), ref: 00D25314
LoadCursorW.USER32(00000000,00007F00), ref: 00D2531F
LoadCursorW.USER32(00000000,00007F03), ref: 00D2532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00D25335
LoadCursorW.USER32(00000000,00007F01), ref: 00D25340
LoadCursorW.USER32(00000000,00007F81), ref: 00D2534B
LoadCursorW.USER32(00000000,00007F88), ref: 00D25356
LoadCursorW.USER32(00000000,00007F80), ref: 00D25361
LoadCursorW.USER32(00000000,00007F86), ref: 00D2536C
LoadCursorW.USER32(00000000,00007F83), ref: 00D25377
LoadCursorW.USER32(00000000,00007F85), ref: 00D25382
LoadCursorW.USER32(00000000,00007F82), ref: 00D2538D
LoadCursorW.USER32(00000000,00007F84), ref: 00D25398
LoadCursorW.USER32(00000000,00007F04), ref: 00D253A3
LoadCursorW.USER32(00000000,00007F02), ref: 00D253AE
GetCursorInfo.USER32(?), ref: 00D253BE
GetLastError.KERNEL32(00000001,00000000), ref: 00D253E9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 00eb88f90f3e506042baf6c6756db5d11455cbccdb03e2625ff0bca85b6ffc16
Instruction ID: 9aa942e390a48fae9d46f34be119846d6e789da37b43cacb8fe6757d46c90a43
Opcode Fuzzy Hash: 00eb88f90f3e506042baf6c6756db5d11455cbccdb03e2625ff0bca85b6ffc16
Instruction Fuzzy Hash: 32417370E043296ADB109FBA9C49D6EFFF8EF51B50B10452FE509E7290DAB895018E61

Uniqueness

Uniqueness Score: -1.00%

Function 00D0AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D0AAA5
__swprintf.LIBCMT ref: 00D0AB46
_wcscmp.LIBCMT ref: 00D0AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D0ABAE
_wcscmp.LIBCMT ref: 00D0ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00D0AC21
GetDlgCtrlID.USER32(?), ref: 00D0AC73
GetWindowRect.USER32(?,?), ref: 00D0ACA9
GetParent.USER32(?), ref: 00D0ACC7
ScreenToClient.USER32(00000000), ref: 00D0ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00D0AD48
_wcscmp.LIBCMT ref: 00D0AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00D0AD82
_wcscmp.LIBCMT ref: 00D0AD96

Part of subcall function 00CD386C: _iswctype.LIBCMT ref: 00CD3874

Strings

%s%u, xrefs: 00D0AB40

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d59913083593c1fbd3352f1f0698f7f5e0b08a289b7450abe1503872418f768c
Instruction ID: cdc0e280029938eb5c6600f73b9813ba9df04178dbc7dc4b8ae5d603a80ff36d
Opcode Fuzzy Hash: d59913083593c1fbd3352f1f0698f7f5e0b08a289b7450abe1503872418f768c
Instruction Fuzzy Hash: 07A1AE71604706AFD714DF28C884BEAB7A8FF04315F14462AF99DD2190EB30E945CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00D0B3DB
_wcscmp.LIBCMT ref: 00D0B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00D0B414
CharUpperBuffW.USER32(?,00000000), ref: 00D0B431
_wcscmp.LIBCMT ref: 00D0B44F
_wcsstr.LIBCMT ref: 00D0B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00D0B498
_wcscmp.LIBCMT ref: 00D0B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00D0B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00D0B518
_wcscmp.LIBCMT ref: 00D0B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00D0B550
GetWindowRect.USER32(00000004,?), ref: 00D0B5B9

Strings

@, xrefs: 00D0B3BC
ThumbnailClass, xrefs: 00D0B4A3, 00D0B523

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f1e3d2d687012c5c63ceb0a9e12af0b034416c51f3437d0674ef331943fc96d5
Instruction ID: 7a7274a095a1391d93c784d8b2a23965ce8707726dfcc3e7913821a4c9489430
Opcode Fuzzy Hash: f1e3d2d687012c5c63ceb0a9e12af0b034416c51f3437d0674ef331943fc96d5
Instruction Fuzzy Hash: CF818F710083499BDB14DF10C985FAABBE8EF44724F1885AAFD899A1D2DB30DE45CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D0B23F

Strings

REGEXP=, xrefs: 00D0B254
[ALL, xrefs: 00D0B2E5
ALL, xrefs: 00D0B2D3
[CLASS:, xrefs: 00D0B28F
LAST, xrefs: 00D0B204
[REGEXPTITLE:, xrefs: 00D0B267
[LAST, xrefs: 00D0B2EC
[ACTIVE, xrefs: 00D0B22C
[HANDLE:, xrefs: 00D0B24B
ACTIVE, xrefs: 00D0B21A
CLASSNAME=, xrefs: 00D0B27C
HANDLE=, xrefs: 00D0B238

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 7a7e7ddbc437c618baff05397cc8a8da7435a4c6aa894dae8b591c295418bae7
Instruction ID: 420789b5d21617db3b2b7063949da477477c4461f66cd2e4d5cbdfdea85123b0
Opcode Fuzzy Hash: 7a7e7ddbc437c618baff05397cc8a8da7435a4c6aa894dae8b591c295418bae7
Instruction Fuzzy Hash: C7318231A48305ABDB14FAB0CD53FEEB7689F20760F60012AF855720D5EF61AE08E575

Uniqueness

Uniqueness Score: -1.00%

Function 00D0C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D0C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D0C4E6
SetWindowTextW.USER32(?,?), ref: 00D0C4FD
GetDlgItem.USER32(?,000003EA), ref: 00D0C512
SetWindowTextW.USER32(00000000,?), ref: 00D0C518
GetDlgItem.USER32(?,000003E9), ref: 00D0C528
SetWindowTextW.USER32(00000000,?), ref: 00D0C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D0C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D0C569
GetWindowRect.USER32(?,?), ref: 00D0C572
SetWindowTextW.USER32(?,?), ref: 00D0C5DD
GetDesktopWindow.USER32 ref: 00D0C5E3
GetWindowRect.USER32(00000000), ref: 00D0C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D0C636
GetClientRect.USER32(?,?), ref: 00D0C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D0C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D0C693

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 3b45d09eb7094de56d6ad4889d42fae14e460bcbffeb32dab0ad2f92eb6cc4eb
Instruction ID: 7ce6d6ecae8275829257f43657e14bd8222e394de21fe2ec730ef401b2123be8
Opcode Fuzzy Hash: 3b45d09eb7094de56d6ad4889d42fae14e460bcbffeb32dab0ad2f92eb6cc4eb
Instruction Fuzzy Hash: 92512171900709AFDB20DFA8DD89B6FBBB5FF04705F044628E686A26A0D775F944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D3A4C8
DestroyWindow.USER32(?,?), ref: 00D3A542

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D3A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D3A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3A5F1
DestroyWindow.USER32(00000000), ref: 00D3A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CB0000,00000000), ref: 00D3A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D3A663
GetDesktopWindow.USER32 ref: 00D3A67C
GetWindowRect.USER32(00000000), ref: 00D3A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D3A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D3A6B3

Part of subcall function 00CB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CB25EC

Strings

0, xrefs: 00D3A4DE
tooltips_class32, xrefs: 00D3A5B5, 00D3A643

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 4a145ebb215fb72c736c0d2d30c49da967016059e4d1cdfb7c27a9e3f1c0fbab
Instruction ID: ca6c2e9259c38bb12496dc49b69d612ec2e964a01ecad177a4a2597605bcca5b
Opcode Fuzzy Hash: 4a145ebb215fb72c736c0d2d30c49da967016059e4d1cdfb7c27a9e3f1c0fbab
Instruction Fuzzy Hash: 21718B71640705AFD724CF28CC4AF6A7BE5EB88304F08452DF985873A0D7B0E946DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

DragQueryPoint.SHELL32(?,?), ref: 00D3C917

Part of subcall function 00D3ADF1: ClientToScreen.USER32(?,?), ref: 00D3AE1A
Part of subcall function 00D3ADF1: GetWindowRect.USER32(?,?), ref: 00D3AE90
Part of subcall function 00D3ADF1: PtInRect.USER32(?,?,00D3C304), ref: 00D3AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00D3C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D3C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D3C9AE
_wcscat.LIBCMT ref: 00D3C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D3C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00D3CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D3CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00D3CA47
DragFinish.SHELL32(?), ref: 00D3CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D3CB41

Strings

@GUI_DRAGFILE, xrefs: 00D3CAF0
@GUI_DRAGID, xrefs: 00D3CAB9
@GUI_DROPID, xrefs: 00D3CA6E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 8486bdf003c3d09605ab94a667ed59de5bfa32aca8323ecfc1db36cab12fbd45
Instruction ID: 6cfafe0a85d9716184ce446bbca296002fb48f7552a5fb5a1a896d10905bde20
Opcode Fuzzy Hash: 8486bdf003c3d09605ab94a667ed59de5bfa32aca8323ecfc1db36cab12fbd45
Instruction Fuzzy Hash: 90615C71508304AFC701EF64DC85D9FBBE8EF89710F040A2EF595972A1EB709A49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D34619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D346AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D346F6

Strings

EXISTS, xrefs: 00D3475F
COLLAPSE, xrefs: 00D3473C
SELECT, xrefs: 00D348A7
GETTEXT, xrefs: 00D34849
CHECK, xrefs: 00D34716
EXPAND, xrefs: 00D347A8
UNCHECK, xrefs: 00D348D2
GETTOTALCOUNT, xrefs: 00D346DD
GETSELECTED, xrefs: 00D34806
GETITEMCOUNT, xrefs: 00D347D8
ISCHECKED, xrefs: 00D34879

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: eff13fad1a96b1ca9a396f3a17948fb6221e6f56f518ea10d2bb33d49e2be33f
Instruction ID: 5c5db757aca83a033710eab35e263c2b5e185c2a64d7796e50371fa9f0d3bc0a
Opcode Fuzzy Hash: eff13fad1a96b1ca9a396f3a17948fb6221e6f56f518ea10d2bb33d49e2be33f
Instruction Fuzzy Hash: 35918F746043019FCB14EF24C451BAAB7A2EF85314F14446DF99A9B3A2CB34FD4ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D3BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D39431), ref: 00D3BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D3BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D3BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D3BC7D
FreeLibrary.KERNEL32(?), ref: 00D3BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D3BC99
DestroyIcon.USER32(?,?,?,?,?,00D39431), ref: 00D3BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D3BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D3BCD1

Part of subcall function 00CD313D: __wcsicmp_l.LIBCMT ref: 00CD31C6

Strings

.exe, xrefs: 00D3BB04
.dll, xrefs: 00D3BB27
.icl, xrefs: 00D3BAE4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 88d88ad7895bae5d6d98a80c0ccb039cc53de82aefb5de0adcf00496a855b067
Instruction ID: e8782d186313c301688f3f7955d12cdf8f76ae3d9b104fb06274b24ba5093816
Opcode Fuzzy Hash: 88d88ad7895bae5d6d98a80c0ccb039cc53de82aefb5de0adcf00496a855b067
Instruction Fuzzy Hash: 5561BF71A00219BEEB24DF74CC46FBE77A8EB08721F10411AFA15D62D0DB74A990DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

CharLowerBuffW.USER32(?,?), ref: 00D1A636
GetDriveTypeW.KERNEL32 ref: 00D1A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1A730

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

Strings

type cdaudio alias cd wait, xrefs: 00D1A6AE
open , xrefs: 00D1A692
closed, xrefs: 00D1A64A, 00D1A653
close cd wait, xrefs: 00D1A71B
close, xrefs: 00D1A63C
set cd door , xrefs: 00D1A6D1
wait, xrefs: 00D1A6ED
open, xrefs: 00D1A65D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: b515db519caab91423a4f78458e9a565f72ffd01993b79af8cbd34915ad10098
Instruction ID: a47cde6091560472d2f6ac9790341022ba36a9c8da7f0bc0c4aaa563f6e27137
Opcode Fuzzy Hash: b515db519caab91423a4f78458e9a565f72ffd01993b79af8cbd34915ad10098
Instruction Fuzzy Hash: 9F516C711047059FC700EF24D8819AAB7F8FF84718F14496DF896A72A1DB31EE0ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D1A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D1A47A
__swprintf.LIBCMT ref: 00D1A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D1A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D1A4FE
_memset.LIBCMT ref: 00D1A51D
_wcsncpy.LIBCMT ref: 00D1A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D1A58E
CloseHandle.KERNEL32(00000000), ref: 00D1A599
RemoveDirectoryW.KERNEL32(?), ref: 00D1A5A2
CloseHandle.KERNEL32(00000000), ref: 00D1A5AC

Strings

:, xrefs: 00D1A4BD
\, xrefs: 00D1A4B2
\??\%s, xrefs: 00D1A496

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 56ff541713068864100e47659444c2f5a16c9e1906067b39a3ac99274d7b17bd
Instruction ID: a8c9e28a88a2a46cc0ca670b38715dc9990f8c85871179215f688074e3b273f6
Opcode Fuzzy Hash: 56ff541713068864100e47659444c2f5a16c9e1906067b39a3ac99274d7b17bd
Instruction Fuzzy Hash: 17319375904209BBDB219FA4DC49FEB73BDEF88701F1441B6FA08D2150EB7096848B35

Uniqueness

Uniqueness Score: -1.00%

Function 00D1DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00D1DC7B
_wcscat.LIBCMT ref: 00D1DC93
_wcscat.LIBCMT ref: 00D1DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D1DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D1DCCE
GetFileAttributesW.KERNEL32(?), ref: 00D1DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D1DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00D1DD12

Strings

*.*, xrefs: 00D1DD51

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 0476485df63b3baab44fc216bc230d5c1ff720ece49dcf3a3223a8c48521ea4a
Instruction ID: 448e571987d2844c1900f8024916db25426b7f3d7a535615232dd55af3a6a7f1
Opcode Fuzzy Hash: 0476485df63b3baab44fc216bc230d5c1ff720ece49dcf3a3223a8c48521ea4a
Instruction Fuzzy Hash: 71818471508341AFC724DF64D5859EAB7E6FB88310F198C2EF88AC7251EB30D984DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D3C4EC
GetFocus.USER32 ref: 00D3C4FC
GetDlgCtrlID.USER32(00000000), ref: 00D3C507
_memset.LIBCMT ref: 00D3C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D3C65D
GetMenuItemCount.USER32(?), ref: 00D3C67D
GetMenuItemID.USER32(?,00000000), ref: 00D3C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D3C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D3C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D3C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D3C779

Strings

0, xrefs: 00D3C62A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e241edbf82da3f0af7d7f406de81c6c6362a2eca7feaa2e2b24effb21c792335
Instruction ID: b28be014f3b2ac517217e076da686b0051a0e954a062933c980ea6bee087407e
Opcode Fuzzy Hash: e241edbf82da3f0af7d7f406de81c6c6362a2eca7feaa2e2b24effb21c792335
Instruction Fuzzy Hash: 1081AEB06183019FD710DF24C985A6BBBE8FB88354F04552DF999E32A1D770E905CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D083F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D08766
Part of subcall function 00D0874A: GetLastError.KERNEL32(?,00D0822A,?,?,?), ref: 00D08770
Part of subcall function 00D0874A: GetProcessHeap.KERNEL32(00000008,?,?,00D0822A,?,?,?), ref: 00D0877F
Part of subcall function 00D0874A: HeapAlloc.KERNEL32(00000000,?,00D0822A,?,?,?), ref: 00D08786
Part of subcall function 00D0874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0879D

Part of subcall function 00D087E7: GetProcessHeap.KERNEL32(00000008,00D08240,00000000,00000000,?,00D08240,?), ref: 00D087F3
Part of subcall function 00D087E7: HeapAlloc.KERNEL32(00000000,?,00D08240,?), ref: 00D087FA
Part of subcall function 00D087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D08240,?), ref: 00D0880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D08458
_memset.LIBCMT ref: 00D0846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D0848C
GetLengthSid.ADVAPI32(?), ref: 00D0849D
GetAce.ADVAPI32(?,00000000,?), ref: 00D084DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D084F6
GetLengthSid.ADVAPI32(?), ref: 00D08513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D08522
HeapAlloc.KERNEL32(00000000), ref: 00D08529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D0854A
CopySid.ADVAPI32(00000000), ref: 00D08551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D08582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D085A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D085BC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: adbdd87dd41fb43643e16f2025be2b4743bacf032d404c209bf3b0269d57e3b1
Instruction ID: 9c11155271c28e96d1c7a36d40c759b3404c8d3d640e9dfcaaa130a7cc2f4fac
Opcode Fuzzy Hash: adbdd87dd41fb43643e16f2025be2b4743bacf032d404c209bf3b0269d57e3b1
Instruction Fuzzy Hash: 5C61157190020AAFDF149FA4DC49BAEBBB9FF04300F148169E959E7291DB319A15DF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D2762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D276A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D276AE
CreateCompatibleDC.GDI32(?), ref: 00D276BA
SelectObject.GDI32(00000000,?), ref: 00D276C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D2771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00D27757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D2777B
SelectObject.GDI32(00000006,?), ref: 00D27783
DeleteObject.GDI32(?), ref: 00D2778C
DeleteDC.GDI32(00000006), ref: 00D27793
ReleaseDC.USER32(00000000,?), ref: 00D2779E

Strings

(, xrefs: 00D27723

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 39b4962f196633a096a85222a06c90a9004f7794402fc354feb7b992d67ef5e5
Instruction ID: abaa1299cd082ace683c70b994bf71643df3cc49c4a3769db5974be5cb50ec6d
Opcode Fuzzy Hash: 39b4962f196633a096a85222a06c90a9004f7794402fc354feb7b992d67ef5e5
Instruction Fuzzy Hash: 60514775904719EFCB25CFA8DC85EAEBBB9EF48310F14842DF95A97310D731A8408B60

Uniqueness

Uniqueness Score: -1.00%

Function 00D1A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00D3FB78), ref: 00D1A0FC

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00D1A11E
__swprintf.LIBCMT ref: 00D1A177
__swprintf.LIBCMT ref: 00D1A190
_wprintf.LIBCMT ref: 00D1A246
_wprintf.LIBCMT ref: 00D1A264

Strings

"%s" (%d) : ==> %s:, xrefs: 00D1A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 00D1A241
Line %d (File "%s"):, xrefs: 00D1A171, 00D1A18A
^ ERROR, xrefs: 00D1A1E8
Error: , xrefs: 00D1A20E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 4b996d26f61f1cf63135dbc4b7197a019346af81464e6a1ae286db20c31b2398
Instruction ID: 2a64293fccfb00bb910eb8f78bc5636278114945f5bf442707414eaf069848e1
Opcode Fuzzy Hash: 4b996d26f61f1cf63135dbc4b7197a019346af81464e6a1ae286db20c31b2398
Instruction Fuzzy Hash: B1513C71901209BBCF15EBE4DD86EEEB779AF44300F140265F905721A2EB316F98EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00CD0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00CB6C6C,?,00008000), ref: 00CD0BB7

Part of subcall function 00CB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB48A1,?,?,00CB37C0,?), ref: 00CB48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00CB6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00CB6E5A

Part of subcall function 00CB59CD: _wcscpy.LIBCMT ref: 00CB5A05

Part of subcall function 00CD387D: _iswctype.LIBCMT ref: 00CD3885

Strings

Unterminated string, xrefs: 00CEEC0D
AU3!, xrefs: 00CB6CC1
EA06, xrefs: 00CEE87B
>>>AUTOIT SCRIPT<<<, xrefs: 00CEE8BF
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00CEE84A
Error opening the file, xrefs: 00CEE866, 00CEE8E1
Bad directive syntax error, xrefs: 00CEEBC6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 91c40249df2a555828a0cf58f399339c37da15f457d0ef9a21e87ad4af7fc4c8
Instruction ID: 5f2dcc7a00fb4c39f61561e406ee8f8321caab4d15097a2cf27ac4ad9d998f7a
Opcode Fuzzy Hash: 91c40249df2a555828a0cf58f399339c37da15f457d0ef9a21e87ad4af7fc4c8
Instruction Fuzzy Hash: 71029D301083819FC724EF25C891AAFBBE5FF98354F14091DF49A972A1DB30DA49EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CB45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB45F9
GetMenuItemCount.USER32(00D76890), ref: 00CED7CD
GetMenuItemCount.USER32(00D76890), ref: 00CED87D
GetCursorPos.USER32(?), ref: 00CED8C1
SetForegroundWindow.USER32(00000000), ref: 00CED8CA
TrackPopupMenuEx.USER32(00D76890,00000000,?,00000000,00000000,00000000), ref: 00CED8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CED8E9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: cd50415a4bb5247d830de2b463442343e663279ed7617342f5361e85d937a5e5
Instruction ID: 2a6f6422683ccc40591ec537ea150fc46b1e5ca1cd07e13989121aecbbee5ff1
Opcode Fuzzy Hash: cd50415a4bb5247d830de2b463442343e663279ed7617342f5361e85d937a5e5
Instruction Fuzzy Hash: 07712670A04349BEEB208F16DC85FEABF65FF05364F200216F525A61E1CBB16D60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D310A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D30038,?,?), ref: 00D310BC

Strings

HKCU, xrefs: 00D311AC
HKEY_USERS, xrefs: 00D311BD
HKEY_CURRENT_CONFIG, xrefs: 00D31179
HKEY_CURRENT_USER, xrefs: 00D3119B
HKEY_LOCAL_MACHINE, xrefs: 00D31125
HKEY_CLASSES_ROOT, xrefs: 00D3114F
HKU, xrefs: 00D311CE
HKCC, xrefs: 00D3118A
HKCR, xrefs: 00D31164
HKLM, xrefs: 00D3113A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 6e646e1678a085ca36f687f341cc5c16b2add9cd9cb14450c981e590ec933806
Instruction ID: 86fa903789b4a2e10f0d62593c48ba0659416937b06d208bbbcbce7eefacf656
Opcode Fuzzy Hash: 6e646e1678a085ca36f687f341cc5c16b2add9cd9cb14450c981e590ec933806
Instruction Fuzzy Hash: 4041593810034B9BCF10EFA4D891AEB3725BF22350F144566FD919B392DB30A95ADB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D15569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

Part of subcall function 00CB7A84: _memmove.LIBCMT ref: 00CB7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D155D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D155E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D155F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D1560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D1561C

Strings

status PlayMe mode, xrefs: 00D155CD
open , xrefs: 00D15581
close PlayMe, xrefs: 00D155E3, 00D15610
play PlayMe wait, xrefs: 00D15606
play PlayMe, xrefs: 00D15617
alias PlayMe, xrefs: 00D155AB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f72453657872ff1768195648ed5d8fb81b11dd4c6602bee0824e200857cbf5cf
Instruction ID: 2b019a203022ad2374a87116cecd0b98afe95e108dd1792be8e2d14247a2c089
Opcode Fuzzy Hash: f72453657872ff1768195648ed5d8fb81b11dd4c6602bee0824e200857cbf5cf
Instruction Fuzzy Hash: AA11E260990169BED720B7A5EC8ADFFBB7CEFD1B00F400529B841A20D1DEA05D49C9B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D148F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D1490E
gethostname.WSOCK32(?,00000100), ref: 00D14928
gethostbyname.WSOCK32(?), ref: 00D14935
_wcscpy.LIBCMT ref: 00D1495D
_memmove.LIBCMT ref: 00D14970
inet_ntoa.WSOCK32(?), ref: 00D1497B
_strcat.LIBCMT ref: 00D14989
_wcscpy.LIBCMT ref: 00D149A0
WSACleanup.WSOCK32 ref: 00D149AE
_wcscpy.LIBCMT ref: 00D149BC

Strings

0.0.0.0, xrefs: 00D14957

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 145b25a8a1dd1794e9b177965d7fe21d0f0fe22d374cf6baa31d8a003804149f
Instruction ID: 5139835dbe9d104ce199190d584dc2de73799ccdfa7cf172a5654a66590c4824
Opcode Fuzzy Hash: 145b25a8a1dd1794e9b177965d7fe21d0f0fe22d374cf6baa31d8a003804149f
Instruction Fuzzy Hash: E111C371904219BBCB24AB64AD06EDA77ACDB40720F08017AF548D6291EF749AC59AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D15217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D1521C

Part of subcall function 00CD0719: timeGetTime.WINMM(?,7694B400,00CC0FF9), ref: 00CD071D

Sleep.KERNEL32(0000000A), ref: 00D15248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00D1526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D1528E
SetActiveWindow.USER32 ref: 00D152AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D152BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D152DA
Sleep.KERNEL32(000000FA), ref: 00D152E5
IsWindow.USER32 ref: 00D152F1
EndDialog.USER32(00000000), ref: 00D15302

Strings

BUTTON, xrefs: 00D15280

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e61214781927912b2c91c00ca2bb077b98f2fe04f3668a8d6db2f4df0a7f44c8
Instruction ID: b6bb6dd38757436481c79fdf9fe9c2181c6e457b120d2fde69ab731cc570ba60
Opcode Fuzzy Hash: e61214781927912b2c91c00ca2bb077b98f2fe04f3668a8d6db2f4df0a7f44c8
Instruction Fuzzy Hash: D2215E72604708FFE7015F60FD89AA63B69EB95386B141828F109C23B1FEB59CC49A35

Uniqueness

Uniqueness Score: -1.00%

Function 00D1D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

CoInitialize.OLE32(00000000), ref: 00D1D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D1D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00D1D8FC
CoCreateInstance.OLE32(00D42D7C,00000000,00000001,00D6A89C,?), ref: 00D1D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D1D9B7
CoTaskMemFree.OLE32(?,?), ref: 00D1DA0F
_memset.LIBCMT ref: 00D1DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00D1DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D1DAAB
CoTaskMemFree.OLE32(00000000), ref: 00D1DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00D1DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00D1DAEB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 86731ee6586b1cf71feb93f22c4b449364f1dbf20f5d16d57623f9d7bb7a1a60
Instruction ID: c9d22f05269f1dd24d46399ebb9565c6706abba4292da895f71667f1747cd432
Opcode Fuzzy Hash: 86731ee6586b1cf71feb93f22c4b449364f1dbf20f5d16d57623f9d7bb7a1a60
Instruction Fuzzy Hash: EDB1DC75A00219AFDB14DF64D884EAEBBF9EF48314F148469F50AEB261DB30ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D1052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D105A7
SetKeyboardState.USER32(?), ref: 00D10612
GetAsyncKeyState.USER32(000000A0), ref: 00D10632
GetKeyState.USER32(000000A0), ref: 00D10649
GetAsyncKeyState.USER32(000000A1), ref: 00D10678
GetKeyState.USER32(000000A1), ref: 00D10689
GetAsyncKeyState.USER32(00000011), ref: 00D106B5
GetKeyState.USER32(00000011), ref: 00D106C3
GetAsyncKeyState.USER32(00000012), ref: 00D106EC
GetKeyState.USER32(00000012), ref: 00D106FA
GetAsyncKeyState.USER32(0000005B), ref: 00D10723
GetKeyState.USER32(0000005B), ref: 00D10731

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 831957ecbef99c04859f66e778dbde59320c205ab53e61ecef361cef947f139b
Instruction ID: 98027f1b85503f15dd9ec2887a63812a2d18ac2d090bc0e6c3e6d06e5f723a07
Opcode Fuzzy Hash: 831957ecbef99c04859f66e778dbde59320c205ab53e61ecef361cef947f139b
Instruction Fuzzy Hash: 0051ED24A047883AFB34FBA0A4547EABFB59F01340F0C859AD5C2561C2DED49ACCCB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D0C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D0C746
GetWindowRect.USER32(00000000,?), ref: 00D0C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D0C7B6
GetDlgItem.USER32(?,00000002), ref: 00D0C7C1
GetWindowRect.USER32(00000000,?), ref: 00D0C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D0C827
GetDlgItem.USER32(?,000003E9), ref: 00D0C835
GetWindowRect.USER32(00000000,?), ref: 00D0C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D0C889
GetDlgItem.USER32(?,000003EA), ref: 00D0C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D0C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00D0C8C1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9375ad40a97c916eab013ae4f2b350540f6602882ac0057f181377a04c679dca
Instruction ID: 5bc00bc953ba3635c43e172794f7b460a04517d3230e060326a6f8e4e80bb007
Opcode Fuzzy Hash: 9375ad40a97c916eab013ae4f2b350540f6602882ac0057f181377a04c679dca
Instruction Fuzzy Hash: 15512171B10209ABDB18CF69DD95BAEBBB6EB88311F14822DF519D62D0D7709D00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CB2036,?,00000000,?,?,?,?,00CB16CB,00000000,?), ref: 00CB1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00CB20D3
KillTimer.USER32(-00000001,?,?,?,?,00CB16CB,00000000,?,?,00CB1AE2,?,?), ref: 00CB216E
DestroyAcceleratorTable.USER32(00000000), ref: 00CEBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CB16CB,00000000,?,?,00CB1AE2,?,?), ref: 00CEBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CB16CB,00000000,?,?,00CB1AE2,?,?), ref: 00CEBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00CB16CB,00000000,?,?,00CB1AE2,?,?), ref: 00CEBF5A
DeleteObject.GDI32(00000000), ref: 00CEBF6C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4c962ceca15d11697c5905f482530c84515c8223b8174bdcd3c28fa5226378f2
Instruction ID: 6c02ef0efd2cb599f4fa1ead151c3042beabb68426a76fa5ecac34cf3aedd126
Opcode Fuzzy Hash: 4c962ceca15d11697c5905f482530c84515c8223b8174bdcd3c28fa5226378f2
Instruction Fuzzy Hash: AE619934500B50DFCB29AF5ADD48B6AB7F1FB40312F10852DE46686AA0E771AD81DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00CB25DB: GetWindowLongW.USER32(?,000000EB), ref: 00CB25EC

GetSysColor.USER32(0000000F), ref: 00CB21D3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a973088d4344a0e63fc9740a19cd61b420dfd53f2711e2c8c3a90dd3020bcf9d
Instruction ID: 6b6ab457302fef34babbeb97853dd350bed0e91caf480c3387c5dc725edd55e0
Opcode Fuzzy Hash: a973088d4344a0e63fc9740a19cd61b420dfd53f2711e2c8c3a90dd3020bcf9d
Instruction Fuzzy Hash: 1541A031400248AFDB255F28EC88BF93B65EB06331F184265FD75CA2E6C7318D42DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00D1AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00D3F910), ref: 00D1AB76
GetDriveTypeW.KERNEL32(00000061,00D6A620,00000061), ref: 00D1AC40
_wcscpy.LIBCMT ref: 00D1AC6A

Strings

network, xrefs: 00D1ABD4
unknown, xrefs: 00D1AC01
cdrom, xrefs: 00D1AB92
ramdisk, xrefs: 00D1ABEA
fixed, xrefs: 00D1ABBE
removable, xrefs: 00D1ABA8
all, xrefs: 00D1AB7C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 461d4fed0439904529ad8beb9c52bc70144f9eb67cc143f36579c9851fd17573
Instruction ID: 6099c42a61d7b93c95751a37b7ea225a0a25e0810dc9a7aeeb4afb738b76bb7f
Opcode Fuzzy Hash: 461d4fed0439904529ad8beb9c52bc70144f9eb67cc143f36579c9851fd17573
Instruction Fuzzy Hash: 3551A130108341AFC710EF18E991AEEB7A6EF84700F54482EF596572A2DB31DD49DB63

Uniqueness

Uniqueness Score: -1.00%

Function 00CB9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00CB99C2
__swprintf.LIBCMT ref: 00CB9A0C
__i64tow.LIBCMT ref: 00CEFA0F

Strings

True, xrefs: 00CEF9D0
False, xrefs: 00CEF9D7
0x%p, xrefs: 00CEF9F1
%.15g, xrefs: 00CB9A06

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a8aa86e11be184acd4072f92a35ad701ca4c13dbb46ba1601e4681ae282e0cd2
Instruction ID: bd881c9700d238b88759f831950a6924832ffb4d0de50979f1c1bc8a4767f035
Opcode Fuzzy Hash: a8aa86e11be184acd4072f92a35ad701ca4c13dbb46ba1601e4681ae282e0cd2
Instruction Fuzzy Hash: 6941E471A04205AFDB24AF79DC42FBA77F8EB44300F24446FE68DD7292EA319942DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00D373C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D373D9
CreateMenu.USER32 ref: 00D373F4
SetMenu.USER32(?,00000000), ref: 00D37403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D37490
IsMenu.USER32(?), ref: 00D374A6
CreatePopupMenu.USER32 ref: 00D374B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D374DD
DrawMenuBar.USER32 ref: 00D374E5

Strings

F, xrefs: 00D374D1
0, xrefs: 00D373CF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 9ec0f9f100a18e6f87814ca66e2571970de5374941a330b21e90b92d1e23be93
Instruction ID: 0c25e2168156d9a0063dca331587cc09e9234d852c20777ce995777ad2d73e9a
Opcode Fuzzy Hash: 9ec0f9f100a18e6f87814ca66e2571970de5374941a330b21e90b92d1e23be93
Instruction Fuzzy Hash: B84136B5A05709EFDB20DF64D884E9ABBB9FF49310F184029F95597360D731A914CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D377CD
CreateCompatibleDC.GDI32(00000000), ref: 00D377D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D377E7
SelectObject.GDI32(00000000,00000000), ref: 00D377EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D377FA
DeleteDC.GDI32(00000000), ref: 00D37803
GetWindowLongW.USER32(?,000000EC), ref: 00D3780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D37821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D3782D

Strings

static, xrefs: 00D37765

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 19236c2a5d2f86ae7bf73ec3fa4f737d901932fb907ca61d59d2f4e13ced359f
Instruction ID: 3a9ab670e657576f427efa17a2fe9b628ecf8b1b8abdee0e36414ef14bed9180
Opcode Fuzzy Hash: 19236c2a5d2f86ae7bf73ec3fa4f737d901932fb907ca61d59d2f4e13ced359f
Instruction Fuzzy Hash: 1631A8B2500219ABDF229FA4DC09FDA3B69EF09361F140225FA15E22A0C731D821DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CD707B

Part of subcall function 00CD8D68: __getptd_noexit.LIBCMT ref: 00CD8D68

__gmtime64_s.LIBCMT ref: 00CD7114
__gmtime64_s.LIBCMT ref: 00CD714A
__gmtime64_s.LIBCMT ref: 00CD7167
__allrem.LIBCMT ref: 00CD71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD71D9
__allrem.LIBCMT ref: 00CD71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD720E
__allrem.LIBCMT ref: 00CD7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CD7243
__invoke_watson.LIBCMT ref: 00CD72B4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 613d82cad01760a9e057f149417ff3a3607eb5d2269fbaf328f2698f39d7c94e
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 8D71C671A04756ABD714AE79CC82B6EB3A8AF14320F14432BF624D77C1F774EA409790

Uniqueness

Uniqueness Score: -1.00%

Function 00D12A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D12A31
GetMenuItemInfoW.USER32(00D76890,000000FF,00000000,00000030), ref: 00D12A92
SetMenuItemInfoW.USER32(00D76890,00000004,00000000,00000030), ref: 00D12AC8
Sleep.KERNEL32(000001F4), ref: 00D12ADA
GetMenuItemCount.USER32(?), ref: 00D12B1E
GetMenuItemID.USER32(?,00000000), ref: 00D12B3A
GetMenuItemID.USER32(?,-00000001), ref: 00D12B64
GetMenuItemID.USER32(?,?), ref: 00D12BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D12BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D12C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D12C24

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 374ac916083875d3d621ba15844a57a403f142b7d38edf9ec6e77a4dfb4081c2
Instruction ID: a130bb3c6601a5bed205beeb8e38dedb1c06f2e6c8f596baecc0efa0abd68f93
Opcode Fuzzy Hash: 374ac916083875d3d621ba15844a57a403f142b7d38edf9ec6e77a4dfb4081c2
Instruction Fuzzy Hash: 25617DB0904349BFDB11CF64E988EFE7BB9EB01304F180459E94197251EB32ADA5DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D37192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D37214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D37217
GetWindowLongW.USER32(?,000000F0), ref: 00D3723B
_memset.LIBCMT ref: 00D3724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D3725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D372D6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3a2e784979ac51faad931bca6ca1844ddb3210fdd56faa55b879b45cedd038de
Instruction ID: b9c261a291b329c1072e5fd5f19ce46661139bf9dfbaf9efdcbd4add3a38cdca
Opcode Fuzzy Hash: 3a2e784979ac51faad931bca6ca1844ddb3210fdd56faa55b879b45cedd038de
Instruction Fuzzy Hash: 1E6159B5A00648AFDB20DFA4CC81EEE77B8EB09710F14415AFA14E73A1D770AD45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D0710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D07135
SafeArrayAllocData.OLEAUT32(?), ref: 00D0718E
VariantInit.OLEAUT32(?), ref: 00D071A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D071C0
VariantCopy.OLEAUT32(?,?), ref: 00D07213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D07227
VariantClear.OLEAUT32(?), ref: 00D0723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00D07249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D07252
VariantClear.OLEAUT32(?), ref: 00D07264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D0726F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: cfb6d67f56f102df5449c79d4d5be1ac23b9cbfd1e4714eba9f711b9cc636a2f
Instruction ID: bb0b9da6ee1566b29ddce5ef04a7de32e192f42bbfbbf67f72efc8b66f827fcc
Opcode Fuzzy Hash: cfb6d67f56f102df5449c79d4d5be1ac23b9cbfd1e4714eba9f711b9cc636a2f
Instruction Fuzzy Hash: EB410175D04219AFCB00DFA4D844AAEBBB9EF48354F008065F955EB361DB30E945CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D25A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D25AA6
inet_addr.WSOCK32(?,?,?), ref: 00D25AEB
gethostbyname.WSOCK32(?), ref: 00D25AF7
IcmpCreateFile.IPHLPAPI ref: 00D25B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D25B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D25B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D25C00
WSACleanup.WSOCK32 ref: 00D25C06

Strings

Ping, xrefs: 00D25B29

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1a1ada6d4059b3381c8ffa30e38d10808fd8b3490c486a5a76f5ebd53590a90d
Instruction ID: f4ff02718c1b4ae6105f99ba2db042f7586c0920b01b6ddff768dd5a113c2d19
Opcode Fuzzy Hash: 1a1ada6d4059b3381c8ffa30e38d10808fd8b3490c486a5a76f5ebd53590a90d
Instruction Fuzzy Hash: 725181316047109FDB11AF24EC45F6ABBE4EF58714F188929F59ADB2A1DB70EC00DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D1B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D1B7B1
GetLastError.KERNEL32 ref: 00D1B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00D1B828

Strings

NOTREADY, xrefs: 00D1B7E7
UNKNOWN, xrefs: 00D1B7E0
READONLY, xrefs: 00D1B7F3
INVALID, xrefs: 00D1B7FA
READY, xrefs: 00D1B801

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d46f136b61fbe37bfd8f0cd89b71e1f7014c5a4ca572e522d47b3be7cd57b5c2
Instruction ID: 1ea32db5971fb0d349bfa974eb4529ac9cbebd2b995eedc3622d292196fdfbeb
Opcode Fuzzy Hash: d46f136b61fbe37bfd8f0cd89b71e1f7014c5a4ca572e522d47b3be7cd57b5c2
Instruction Fuzzy Hash: 3B316535A00309BFDB10EF68E885AFE77B4EF84720F14402AE545D72D1DB719985DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D09471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D0B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D094F6
GetDlgCtrlID.USER32 ref: 00D09501
GetParent.USER32 ref: 00D0951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D09520
GetDlgCtrlID.USER32(?), ref: 00D09529
GetParent.USER32(?), ref: 00D09545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D09548

Strings

ListBox, xrefs: 00D094B3
ComboBox, xrefs: 00D0947E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3d4ed80a34e1b0098b91b75d750701eb54f7fb7852c5ec406aac30fb83ae7ab2
Instruction ID: 7b6bb776b28ae7ada224ac048dfb258ac1eeabd29e9edb26256f7fb1cae2a53d
Opcode Fuzzy Hash: 3d4ed80a34e1b0098b91b75d750701eb54f7fb7852c5ec406aac30fb83ae7ab2
Instruction Fuzzy Hash: 73219274D00208ABCF05AF65CCA6EFEBB68EF45310F104155F962972E2DB7599199A30

Uniqueness

Uniqueness Score: -1.00%

Function 00D0955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D0B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D095DF
GetDlgCtrlID.USER32 ref: 00D095EA
GetParent.USER32 ref: 00D09606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D09609
GetDlgCtrlID.USER32(?), ref: 00D09612
GetParent.USER32(?), ref: 00D0962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D09631

Strings

ListBox, xrefs: 00D0959E
ComboBox, xrefs: 00D09569

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 20fa9055ef7d646ea5ccba5ef1264d1770e21e28475d7e8fe0d734a5062ef33c
Instruction ID: 1fd71dd9e5cc97e37379cdba96418b1a25e694c7b2cd8a591e91c930be888ec1
Opcode Fuzzy Hash: 20fa9055ef7d646ea5ccba5ef1264d1770e21e28475d7e8fe0d734a5062ef33c
Instruction Fuzzy Hash: 43218374D00208BBDF05ABA0CC96EFEBB78EF49300F144555F951972E2DB7599199A30

Uniqueness

Uniqueness Score: -1.00%

Function 00D09645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D09651
GetClassNameW.USER32(00000000,?,00000100), ref: 00D09666
_wcscmp.LIBCMT ref: 00D09678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D096F3

Strings

smallicons, xrefs: 00D096BB
SHELLDLL_DefView, xrefs: 00D09672
largeicons, xrefs: 00D09687
list, xrefs: 00D096D5
details, xrefs: 00D096A1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2f162650ff5add865fb3db1ea4b1aca5f4fb730150dec3b277d0bb9932255f52
Instruction ID: 7e960292249a05f378b38b2c784b02b1a6d9a474343276dd117db4ebbc2e6c7a
Opcode Fuzzy Hash: 2f162650ff5add865fb3db1ea4b1aca5f4fb730150dec3b277d0bb9932255f52
Instruction Fuzzy Hash: EE112976648347BFFA012620DC37EAAF79C8B05360F200027FA05E51E2FEA3A9555979

Uniqueness

Uniqueness Score: -1.00%

Function 00D28BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D28BEC
CoInitialize.OLE32(00000000), ref: 00D28C19
CoUninitialize.OLE32 ref: 00D28C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00D28D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D28E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00D42C0C), ref: 00D28E84
CoGetObject.OLE32(?,00000000,00D42C0C,?), ref: 00D28EA7
SetErrorMode.KERNEL32(00000000), ref: 00D28EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D28F3A
VariantClear.OLEAUT32(?), ref: 00D28F4A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 8e98f3749b9623379ee6f49f75b4b7393dd353d1edc017a171eef7469ae19516
Instruction ID: 8b9e7bb0eb262eba86a360abc64cd3fcb3153fac22687f320616a5907f162edb
Opcode Fuzzy Hash: 8e98f3749b9623379ee6f49f75b4b7393dd353d1edc017a171eef7469ae19516
Instruction Fuzzy Hash: 38C133B1608315AFC700DF64D884A2AB7E9FF98348F04496DF58ADB261DB31ED05DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D14189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00D1419D
__swprintf.LIBCMT ref: 00D141AA

Part of subcall function 00CD38D8: __woutput_l.LIBCMT ref: 00CD3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00D141D4
LoadResource.KERNEL32(?,00000000), ref: 00D141E0
LockResource.KERNEL32(00000000), ref: 00D141ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00D1420D
LoadResource.KERNEL32(?,00000000), ref: 00D1421F
SizeofResource.KERNEL32(?,00000000), ref: 00D1422E
LockResource.KERNEL32(?), ref: 00D1423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00D1429B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 0628f52110bb086b1c8037122e108a53042ae6c7c4e36504e5844b86a0e19417
Instruction ID: 376efe78773472f340e8b920ab2c2471b5d18d8cd16525c96fa36c84251dac0e
Opcode Fuzzy Hash: 0628f52110bb086b1c8037122e108a53042ae6c7c4e36504e5844b86a0e19417
Instruction Fuzzy Hash: 7F318D75A0521ABBDB119F60ED44EFF7BA8EF04301F044526F905D6250EB70DA91DBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00CBFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CBFC06
OleUninitialize.OLE32(?,00000000), ref: 00CBFCA5
UnregisterHotKey.USER32(?), ref: 00CBFDFC
DestroyWindow.USER32(?), ref: 00CF4A00
FreeLibrary.KERNEL32(?), ref: 00CF4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CF4A92

Strings

close all, xrefs: 00CBFC01

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 08b8973d6d2de46a56e7b22c822e7b39ca808ca9f12b8474ac5b2e1d5d7ea1b9
Instruction ID: d96228d10a5fc99acfd615300617e8d2bbf4e2bffce5f1d797ca332675744a45
Opcode Fuzzy Hash: 08b8973d6d2de46a56e7b22c822e7b39ca808ca9f12b8474ac5b2e1d5d7ea1b9
Instruction Fuzzy Hash: 8AA16C347012168FCB28EF15C895BBAF764AF04700F1442ADE91AAB362DB30EE56DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00D0A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00D0AA64), ref: 00D0A9A2

Strings

CLASS, xrefs: 00D0A721
CLASSNN, xrefs: 00D0A744
NAME, xrefs: 00D0A7D4
REGEXPCLASS, xrefs: 00D0A767
TEXT, xrefs: 00D0A8D9
INSTANCE, xrefs: 00D0A8B0

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 406a140aa6e612c05654caf192b6f42172ab018bd3e58d8346009fe167a36f7e
Instruction ID: 2f7548338d3be1d4b103ec8b26cd347f3b0ef8f8638a8ee2806076f61c8b9976
Opcode Fuzzy Hash: 406a140aa6e612c05654caf192b6f42172ab018bd3e58d8346009fe167a36f7e
Instruction Fuzzy Hash: CD916330A007069BDB18DFA8C481BE9FB75BF04304F55811AD99EA7291DF30AA59DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CB2EAE

Part of subcall function 00CB1DB3: GetClientRect.USER32(?,?), ref: 00CB1DDC
Part of subcall function 00CB1DB3: GetWindowRect.USER32(?,?), ref: 00CB1E1D
Part of subcall function 00CB1DB3: ScreenToClient.USER32(?,?), ref: 00CB1E45

GetDC.USER32 ref: 00CECF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CECF95
SelectObject.GDI32(00000000,00000000), ref: 00CECFA3
SelectObject.GDI32(00000000,00000000), ref: 00CECFB8
ReleaseDC.USER32(?,00000000), ref: 00CECFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CED04B

Strings

U, xrefs: 00CECF20

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 43fa013fef8614509c946be1daae54806952a8d08da6b1e1f6343c2d53dc4ed5
Instruction ID: 3bcb2f0e26118a990c229468884fd32e81d2507c7f247268a5b5fca2496a1737
Opcode Fuzzy Hash: 43fa013fef8614509c946be1daae54806952a8d08da6b1e1f6343c2d53dc4ed5
Instruction Fuzzy Hash: 6471F731400285DFCF218F66C881AEA3BB5FF49351F184269FD669A2A6D731CD42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

Part of subcall function 00CB2344: GetCursorPos.USER32(?), ref: 00CB2357
Part of subcall function 00CB2344: ScreenToClient.USER32(00D767B0,?), ref: 00CB2374
Part of subcall function 00CB2344: GetAsyncKeyState.USER32(00000001), ref: 00CB2399
Part of subcall function 00CB2344: GetAsyncKeyState.USER32(00000002), ref: 00CB23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00D3C2E4
ImageList_EndDrag.COMCTL32 ref: 00D3C2EA
ReleaseCapture.USER32 ref: 00D3C2F0
SetWindowTextW.USER32(?,00000000), ref: 00D3C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D3C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00D3C48F

Strings

@GUI_DRAGFILE, xrefs: 00D3C424
@GUI_DROPID, xrefs: 00D3C3E1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 845c18e95c7540ead3ecfef585acdf5b765dcd8507b5ad86fc131a686c8b09db
Instruction ID: 48773beea62f2b44c3939cab475a12293cc0a6623b426308aaf640375ea9d7c9
Opcode Fuzzy Hash: 845c18e95c7540ead3ecfef585acdf5b765dcd8507b5ad86fc131a686c8b09db
Instruction Fuzzy Hash: 4E519171204304AFD704EF24CC56FAA77E5EB88310F04852DF595972E1EB71E958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D28F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D3F910), ref: 00D2903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D3F910), ref: 00D29071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D291EB
SysFreeString.OLEAUT32(?), ref: 00D29215

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 819430b1731d7dd323408af735b3eca990f9241d80abe957a97852b8104de00c
Instruction ID: 311703126fc04f49d7f3d73579105200af8bee315f81cc8c9c9b0964fb4c6a9a
Opcode Fuzzy Hash: 819430b1731d7dd323408af735b3eca990f9241d80abe957a97852b8104de00c
Instruction Fuzzy Hash: 80F14C71A00219EFCF04DF94D898EAEB7B9FF59318F148099F515AB250CB31AD45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D2F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D2FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D2FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D2FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D2FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D2FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D2FD90
CloseHandle.KERNEL32(?), ref: 00D2FDBF
CloseHandle.KERNEL32(?), ref: 00D2FE36

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 06abdd64dde004be50089958f433b9d892acda322e2ce976fb684ee1a119b0d7
Instruction ID: 3ea8d91c54eac01c3b4789f21d9b8ec6a3da649e4789a3c121506848b063fc9c
Opcode Fuzzy Hash: 06abdd64dde004be50089958f433b9d892acda322e2ce976fb684ee1a119b0d7
Instruction Fuzzy Hash: 97E18D316042119FCB14EF24D491B6ABBF1EF94314F18896DF99A8B3A2CB31DC45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D14F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D138D3,?), ref: 00D148C7

Part of subcall function 00D148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D138D3,?), ref: 00D148E0

Part of subcall function 00D14CD3: GetFileAttributesW.KERNEL32(?,00D13947), ref: 00D14CD4

lstrcmpiW.KERNEL32(?,?), ref: 00D14FE2
_wcscmp.LIBCMT ref: 00D14FFC
MoveFileW.KERNEL32(?,?), ref: 00D15017

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1939108044312dfb69b398535334d0e8d4a3911bdd4ed1d1b8d0d8821308d93f
Instruction ID: 07d6de9f465f66ea1e12decd4af79d193a9a4b9b379e0fb0d3084bf5798b67fc
Opcode Fuzzy Hash: 1939108044312dfb69b398535334d0e8d4a3911bdd4ed1d1b8d0d8821308d93f
Instruction Fuzzy Hash: 675175B2408785ABC724DB90E8819DFB3ECEF84341F14092EB689D3151EF74A5889776

Uniqueness

Uniqueness Score: -1.00%

Function 00D388B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D3896E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 18f36b2697962be4ec84f5464c4355cd6e0fa74a0bc6a8130f40c9d15350f1fc
Instruction ID: 2a8802d03cc67c0b497b8663ca66a37af99dcc71b6008825ec4edd6efaa102de
Opcode Fuzzy Hash: 18f36b2697962be4ec84f5464c4355cd6e0fa74a0bc6a8130f40c9d15350f1fc
Instruction Fuzzy Hash: 75519F30A00308BFEF249F28DC85BA97B65FB05360F644126F555E62A1DF71E984EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00CEC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CEC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CEC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00CEC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CEC5C0
DestroyIcon.USER32(00000000), ref: 00CEC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CEC5EC
DestroyIcon.USER32(?), ref: 00CEC5FB

Part of subcall function 00D3A71E: DeleteObject.GDI32(00000000), ref: 00D3A757

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 27df76a84963d299c0929742a717994810df9e8518c18a97744c38f0c016f41e
Instruction ID: 5bb6f5b3b79b8c8a474cd2c2e24799a3368a057a4bef8b5ad96b84b156fce91a
Opcode Fuzzy Hash: 27df76a84963d299c0929742a717994810df9e8518c18a97744c38f0c016f41e
Instruction Fuzzy Hash: 5B516D70A00709AFDB24DF25CC85FAA7BB5EB58350F104528F956D72A0DB70ED91EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D09B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0AE77
Part of subcall function 00D0AE57: GetCurrentThreadId.KERNEL32 ref: 00D0AE7E
Part of subcall function 00D0AE57: AttachThreadInput.USER32(00000000,?,00D09B65,?,00000001), ref: 00D0AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D09B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D09B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D09B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D09B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D09BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D09BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D09BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D09BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D09BDD

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a1623100b7b89d2438d750c016598df8473ce94071d227cc137f6564686b682c
Instruction ID: 5b5555fd16b008a6f55205be82f5ed057888d2fce1efa24c2ff212f304dc42f4
Opcode Fuzzy Hash: a1623100b7b89d2438d750c016598df8473ce94071d227cc137f6564686b682c
Instruction Fuzzy Hash: D911E171A50718BEF6106B64EC8AF6A7B2DEB4C761F100425F248EB1E0C9F25C10DAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D08E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D08A84,00000B00,?,?), ref: 00D08E0C
HeapAlloc.KERNEL32(00000000,?,00D08A84,00000B00,?,?), ref: 00D08E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D08A84,00000B00,?,?), ref: 00D08E28
GetCurrentProcess.KERNEL32(?,00000000,?,00D08A84,00000B00,?,?), ref: 00D08E30
DuplicateHandle.KERNEL32(00000000,?,00D08A84,00000B00,?,?), ref: 00D08E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D08A84,00000B00,?,?), ref: 00D08E43
GetCurrentProcess.KERNEL32(00D08A84,00000000,?,00D08A84,00000B00,?,?), ref: 00D08E4B
DuplicateHandle.KERNEL32(00000000,?,00D08A84,00000B00,?,?), ref: 00D08E4E
CreateThread.KERNEL32(00000000,00000000,00D08E74,00000000,00000000,00000000), ref: 00D08E68

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 708ddee46274bf2d0f237f41d2f23c5ae383204a9359e20a08bf42388e97f97d
Instruction ID: 6271b5b451312f5faaa730e5f9a2936da2a87234bccdf02c568c08a195fde2a4
Opcode Fuzzy Hash: 708ddee46274bf2d0f237f41d2f23c5ae383204a9359e20a08bf42388e97f97d
Instruction Fuzzy Hash: 8F01BBB5640308FFE710ABA5EC4DF6B3BACEB89711F004421FA05DB2A1CA719804DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00D29428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2947C
VariantInit.OLEAUT32(?), ref: 00D2954D
VariantInit.OLEAUT32(?), ref: 00D2964E
VariantClear.OLEAUT32(?), ref: 00D29658
VariantClear.OLEAUT32(?), ref: 00D296B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D29631
Null Object assignment in FOR..IN loop, xrefs: 00D294DD, 00D2960B, 00D296C3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: b8ff3a1e66fa2947a4a1abfb6925ae8d3726b315d5f066c77c5225e7d913af01
Instruction ID: 028bb0e806731a94f8b26be0a345a01e95ad723c6e45c110236da41c67a476a5
Opcode Fuzzy Hash: b8ff3a1e66fa2947a4a1abfb6925ae8d3726b315d5f066c77c5225e7d913af01
Instruction Fuzzy Hash: 6491CF70A00229AFDF20DFA5E868FAEB7B8EF55319F148159F515AB280D7709905CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D29A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00D07652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?,?,00D0799D), ref: 00D0766F
Part of subcall function 00D07652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?), ref: 00D0768A
Part of subcall function 00D07652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?), ref: 00D07698
Part of subcall function 00D07652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?), ref: 00D076A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00D29B1B
_memset.LIBCMT ref: 00D29B28
_memset.LIBCMT ref: 00D29C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00D29C97
CoTaskMemFree.OLE32(?), ref: 00D29CA2

Strings

NULL Pointer assignment, xrefs: 00D29CF0

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 6b6251f78db8dab34820f200747dd22e0ba348dabe37047410c59b3e2fd0a509
Instruction ID: 46261ddaa9555ab3402605c42702b12396b13fa3fffbb7588b9bfa114d0044a8
Opcode Fuzzy Hash: 6b6251f78db8dab34820f200747dd22e0ba348dabe37047410c59b3e2fd0a509
Instruction Fuzzy Hash: 3D913971D00229EBDB10DFA4DC90ADEBBB9FF58710F20415AF519A7281DB719A44DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D36FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D37093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00D370A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D370C1
_wcscat.LIBCMT ref: 00D3711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D37133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D37161

Strings

SysListView32, xrefs: 00D37065

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 585cefaaaa11684f3d9a0ef4dbfe2b1dd46d55b5d0b2445b74144724f6ac9ba8
Instruction ID: 512753f4f6430e2f0150ce9a67ca9b930df8bd4a6fd7a66e021c7a7f7c9be0fd
Opcode Fuzzy Hash: 585cefaaaa11684f3d9a0ef4dbfe2b1dd46d55b5d0b2445b74144724f6ac9ba8
Instruction Fuzzy Hash: 194172B1A04308AFDB359FA4CC85BEE77B8EF08350F14456AF984E7291D6719D849B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00D13E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00D13EB6
Part of subcall function 00D13E91: Process32FirstW.KERNEL32(00000000,?), ref: 00D13EC4
Part of subcall function 00D13E91: CloseHandle.KERNEL32(00000000), ref: 00D13F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D2ECB8
GetLastError.KERNEL32 ref: 00D2ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D2ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D2ED77
GetLastError.KERNEL32(00000000), ref: 00D2ED82
CloseHandle.KERNEL32(00000000), ref: 00D2EDB7

Strings

SeDebugPrivilege, xrefs: 00D2ECD6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c4b4e3d1854a1d3f34a763816e6f9b36a4b8d236f63f31c0ff7db65b4859300b
Instruction ID: c1f701c29fd46ea8d10eb23e4ddcf8c3be6491c7f703ff8323932af0f882d765
Opcode Fuzzy Hash: c4b4e3d1854a1d3f34a763816e6f9b36a4b8d236f63f31c0ff7db65b4859300b
Instruction Fuzzy Hash: D841AA316002109FDB10EF24D895FAEB7A1EF90714F08805DF9469B3D2CB75E804DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D13226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D132C5

Strings

blank, xrefs: 00D13247
warning, xrefs: 00D132AE
question, xrefs: 00D1327E
info, xrefs: 00D13266
stop, xrefs: 00D13296

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5f0b9ed5497d4d80caf581fa9785d5442ad6707b87d07a599608f94373731245
Instruction ID: be11aa6f36d0c8bc2f503437cd31aa889aa8246f66129f5703767f3bb76cefda
Opcode Fuzzy Hash: 5f0b9ed5497d4d80caf581fa9785d5442ad6707b87d07a599608f94373731245
Instruction Fuzzy Hash: 9811D8316493967FA7016B58FC52DEEB79CDF19370F10002AF540A6281DA769F805AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00D14534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D1454E
LoadStringW.USER32(00000000), ref: 00D14555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D1456B
LoadStringW.USER32(00000000), ref: 00D14572
_wprintf.LIBCMT ref: 00D14598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D145B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D14593

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 329b01546e3eabfe0f6cea827134cbe9c6d125f65877f376d8fd665add929a47
Instruction ID: 9d7d921fce082c887d2d3abc72d9be33c468984c51a3545a66947234cbb2915f
Opcode Fuzzy Hash: 329b01546e3eabfe0f6cea827134cbe9c6d125f65877f376d8fd665add929a47
Instruction Fuzzy Hash: 2E0162F290430CBFE750A7A1DD89EEB776CD708301F0005A5BB45D2151EA749E858B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

GetSystemMetrics.USER32(0000000F), ref: 00D3D78A
GetSystemMetrics.USER32(0000000F), ref: 00D3D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D3D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D3DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D3DA24
ShowWindow.USER32(00000003,00000000), ref: 00D3DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00D3DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D3DA8B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: aa66fb603d53a8fb45e53e927a6e231851b3c87fe146efd659395ea380552fc6
Instruction ID: d1e3cc7e17789b5317828b01144d3556da72d5621aeb604fef7bba2e6d0b96f1
Opcode Fuzzy Hash: aa66fb603d53a8fb45e53e927a6e231851b3c87fe146efd659395ea380552fc6
Instruction Fuzzy Hash: EFB16971A00219EFDF14CF69DA857BD7BB2FF44701F088169EC499A295D734A950CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CEC417,00000004,00000000,00000000,00000000), ref: 00CB2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00CEC417,00000004,00000000,00000000,00000000,000000FF), ref: 00CB2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00CEC417,00000004,00000000,00000000,00000000), ref: 00CEC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CEC417,00000004,00000000,00000000,00000000), ref: 00CEC4D6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6ddac4f5dfc29b9d8b5efb953f6b253cba8c15cf253744f3643711873492973f
Instruction ID: b856db88745eee1cb7003b79419059b64750f0ea11f10d41eac25ef06364c09c
Opcode Fuzzy Hash: 6ddac4f5dfc29b9d8b5efb953f6b253cba8c15cf253744f3643711873492973f
Instruction Fuzzy Hash: 2B4120316047C09BC7399B2ACCDCBFB7B96AB55310F24881DE067C66E1C675A942F721

Uniqueness

Uniqueness Score: -1.00%

Function 00D17368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D1737F

Part of subcall function 00CD0FF6: std::exception::exception.LIBCMT ref: 00CD102C
Part of subcall function 00CD0FF6: __CxxThrowException@8.LIBCMT ref: 00CD1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D173B6
EnterCriticalSection.KERNEL32(?), ref: 00D173D2
_memmove.LIBCMT ref: 00D17420
_memmove.LIBCMT ref: 00D1743D
LeaveCriticalSection.KERNEL32(?), ref: 00D1744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D17461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D17480

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d7c9984ba07b585df4e90ef836edad0ba3d517de24da214887fcb71018b6e409
Instruction ID: 72eb75b8660818a21fbca2ab1148c925bc697914e9ec5ce5f1b4d15aaf46c6a1
Opcode Fuzzy Hash: d7c9984ba07b585df4e90ef836edad0ba3d517de24da214887fcb71018b6e409
Instruction Fuzzy Hash: 56316E35904205EBCB10EF94DC85AABBBB8EF44710B2441A6F904DB356DB709A54DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D36442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D3645A
GetDC.USER32(00000000), ref: 00D36462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D3646D
ReleaseDC.USER32(00000000,00000000), ref: 00D36479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D364B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D364C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D39299,?,?,000000FF,00000000,?,000000FF,?), ref: 00D36500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D36520

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: af9e6874612590af8cddd35a962b0d24352497749cbc818d7a731c05cc9b9961
Instruction ID: 3f54b157b9307043bf8dafb58e04442dce3a0b74fadd9ff50c2091889ce642d1
Opcode Fuzzy Hash: af9e6874612590af8cddd35a962b0d24352497749cbc818d7a731c05cc9b9961
Instruction Fuzzy Hash: 9A316972601214BFEB118F54DC8AFEA3FA9EF09761F084065FE08DA2A5D7759841CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D0C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00D0C087
_memcmp.LIBCMT ref: 00D0C0A9
_memcmp.LIBCMT ref: 00D0C0C1
_memcmp.LIBCMT ref: 00D0C0D4
_memcmp.LIBCMT ref: 00D0C0EE
_memcmp.LIBCMT ref: 00D0C101
_memcmp.LIBCMT ref: 00D0C119
_memcmp.LIBCMT ref: 00D0C134

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a65d2eaa770e98f5c9ef54cd69a266537084ac18a8a993af690b7c419f45636e
Instruction ID: 6627ccbc1a1cb7beab9bbcadd01f8f17cd019716eaeaf2cc2ec0e1542426eae1
Opcode Fuzzy Hash: a65d2eaa770e98f5c9ef54cd69a266537084ac18a8a993af690b7c419f45636e
Instruction Fuzzy Hash: D521CF71A10205BBD210AB218C82FBB279DEF203A4B4C1121FE0D963C3E791DE16D2B6

Uniqueness

Uniqueness Score: -1.00%

Function 00D1ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

Part of subcall function 00CCFEC6: _wcscpy.LIBCMT ref: 00CCFEE9

_wcstok.LIBCMT ref: 00D1EEFF
_wcscpy.LIBCMT ref: 00D1EF8E
_memset.LIBCMT ref: 00D1EFC1

Strings

X, xrefs: 00D1EFFE

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: bcc4581a363dd68c05fc7d648f1754b986f5637f1bf3ba95c91a082119e85016
Instruction ID: 54c1cbf46daba7898ba5535607faa57c630d04e72e9b974efb84d39e7bde35a7
Opcode Fuzzy Hash: bcc4581a363dd68c05fc7d648f1754b986f5637f1bf3ba95c91a082119e85016
Instruction Fuzzy Hash: 6AC15175508340AFC724EF24D885A9AB7E4FF84310F04496DF999972A2DF30ED85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D26E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D26F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D26F35
WSAGetLastError.WSOCK32(00000000), ref: 00D26F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00D26FFE
inet_ntoa.WSOCK32(?), ref: 00D26FBB

Part of subcall function 00D0AE14: _strlen.LIBCMT ref: 00D0AE1E
Part of subcall function 00D0AE14: _memmove.LIBCMT ref: 00D0AE40

_strlen.LIBCMT ref: 00D27058
_memmove.LIBCMT ref: 00D270C1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 614bf3b070f3fd5158bd6e36201fe8c8a2e4b817ae109b3af27b38c6436d1a23
Instruction ID: 2eee54e7aa175867f36ae82130065107f4cfc1a0628c53c14fd94e6a4cb9a1cd
Opcode Fuzzy Hash: 614bf3b070f3fd5158bd6e36201fe8c8a2e4b817ae109b3af27b38c6436d1a23
Instruction Fuzzy Hash: E681C071508310ABD720EF24DC81FABB7A9EF94718F148519F5559B2A2DA70ED04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3a5fb3a33fe702718ad6160435998357fe208311a6b07eec7d4891cac5e686
Instruction ID: 454dc9bff8be0d654cbf7094a1eacb12d7539811bbf77678f85cf70e03d0649a
Opcode Fuzzy Hash: 9f3a5fb3a33fe702718ad6160435998357fe208311a6b07eec7d4891cac5e686
Instruction Fuzzy Hash: 3A716B30900209EFCB148F99CC99AFFBBB9FF85310F588159F915AA251C734AA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F24C70), ref: 00D3B6A5
IsWindowEnabled.USER32(00F24C70), ref: 00D3B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D3B795
SendMessageW.USER32(00F24C70,000000B0,?,?), ref: 00D3B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00D3B809
GetWindowLongW.USER32(00F24C70,000000EC), ref: 00D3B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D3B843

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4d7d8aa7363fc84922ab6ed689b4d9b4dfb18739fa97551652e9df70119aa047
Instruction ID: 5a68a074abf13a53b5bd14ea57862c2c57102d7cf1593daaa9f34d6a5c7430ec
Opcode Fuzzy Hash: 4d7d8aa7363fc84922ab6ed689b4d9b4dfb18739fa97551652e9df70119aa047
Instruction Fuzzy Hash: B871A274600304AFDB249F64C895FBA7BB9FF49360F18445AEA459B3A2D731AD41CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D2F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D2F75C
_memset.LIBCMT ref: 00D2F825
ShellExecuteExW.SHELL32(?), ref: 00D2F86A

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

Part of subcall function 00CCFEC6: _wcscpy.LIBCMT ref: 00CCFEE9

GetProcessId.KERNEL32(00000000), ref: 00D2F8E1
CloseHandle.KERNEL32(00000000), ref: 00D2F910

Strings

@, xrefs: 00D2F839

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: dcb6e51124ed80639a962b5e19503fdc1632dfec7e99eceb3fc175de3d4806f0
Instruction ID: 0be2d137989ffeeeb8319c3ddc595fd0f73184ef391c9b78e36ce67a55fda9cd
Opcode Fuzzy Hash: dcb6e51124ed80639a962b5e19503fdc1632dfec7e99eceb3fc175de3d4806f0
Instruction Fuzzy Hash: 9F617DB5A006299FCB14EF54D580AAEFBF5FF48314F148469E84AAB351CB30AD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D1149C
GetKeyboardState.USER32(?), ref: 00D114B1
SetKeyboardState.USER32(?), ref: 00D11512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D11540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D1155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D115A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D115C8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6df95259652e6ce343b3f91ec5a463eafd496c4ca1f5c4e2b6bad836cce6c1aa
Instruction ID: ebb7001b5ae02803b0bbdd3b35194068817402a7b82c96977ab637cdd0cb17b3
Opcode Fuzzy Hash: 6df95259652e6ce343b3f91ec5a463eafd496c4ca1f5c4e2b6bad836cce6c1aa
Instruction Fuzzy Hash: 255103A4A047D53EFB324274AC05BFABEAA6B46304F0C4489E2D5858C3CAD9DCC8D770

Uniqueness

Uniqueness Score: -1.00%

Function 00D11276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D112B5
GetKeyboardState.USER32(?), ref: 00D112CA
SetKeyboardState.USER32(?), ref: 00D1132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D11357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D11374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D113B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D113D9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bebd3e914a1370366361a2eb0f7eb7cd21b56ba801ee93a43756a58878e5c8e8
Instruction ID: ecf1807098c91434633f8d7df34e45799bb1b27e1ec098c31bf636546fd4ff0a
Opcode Fuzzy Hash: bebd3e914a1370366361a2eb0f7eb7cd21b56ba801ee93a43756a58878e5c8e8
Instruction Fuzzy Hash: EB51F5A49047D57DFB324324AC45BFABFA95B06300F0C4589E2E486CC2DB95ACD8D771

Uniqueness

Uniqueness Score: -1.00%

Function 00D1589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D158AC
_wcsncpy.LIBCMT ref: 00D158E1
_wcsncpy.LIBCMT ref: 00D15913
_wcsncpy.LIBCMT ref: 00D15946
_wcsncpy.LIBCMT ref: 00D15988
_wcsncpy.LIBCMT ref: 00D159C2
_wcsncpy.LIBCMT ref: 00D159F1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b5bfe04172e5e9c4e74c5ee668aac912e15fc5e4389e4c489e19951edf8a8d9f
Instruction ID: 1fcc3e6bf679c863365f0745db0ffc601752ca23bdf1cca0c7184100545131e1
Opcode Fuzzy Hash: b5bfe04172e5e9c4e74c5ee668aac912e15fc5e4389e4c489e19951edf8a8d9f
Instruction Fuzzy Hash: 7F41A4A5C20518B6CB10EBB498869CFB3A89F44311F518563FA18E3321EB34E754D7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00D138AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D138D3,?), ref: 00D148C7

Part of subcall function 00D148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D138D3,?), ref: 00D148E0

lstrcmpiW.KERNEL32(?,?), ref: 00D138F3
_wcscmp.LIBCMT ref: 00D1390F
MoveFileW.KERNEL32(?,?), ref: 00D13927
_wcscat.LIBCMT ref: 00D1396F
SHFileOperationW.SHELL32(?), ref: 00D139DB

Strings

\*.*, xrefs: 00D13969

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d0247fb952f3a42d39aa665a59813fd05accdaad1b886228db14a61e60f3d3bd
Instruction ID: 731860a7c7a079bfa7c4fbbe7565fbc6251aa360a5cdb0fb1c8284ddd8f039b7
Opcode Fuzzy Hash: d0247fb952f3a42d39aa665a59813fd05accdaad1b886228db14a61e60f3d3bd
Instruction Fuzzy Hash: 314152B1509384AEC755EF64D4819EFB7E8EF88340F54092EB489D3251EA74D788CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D37500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D37519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D375C0
IsMenu.USER32(?), ref: 00D375D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D37620
DrawMenuBar.USER32 ref: 00D37633

Strings

0, xrefs: 00D3750D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: b007506da1c6efac2d1c2eb65ad0e4dc2894c0f70ed8cbb1dfd7225faedc94c6
Instruction ID: 20acbb4650a1aadccccab75938673c35d30eb8cb44dc14d93b72fc752c9fed68
Opcode Fuzzy Hash: b007506da1c6efac2d1c2eb65ad0e4dc2894c0f70ed8cbb1dfd7225faedc94c6
Instruction Fuzzy Hash: AC4129B5A05A09EFDB20DF54D895E9ABBF8FB04310F088129E955A73A1D730ED50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00D3125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D31286
FreeLibrary.KERNEL32(00000000), ref: 00D3133D

Part of subcall function 00D3122D: RegCloseKey.ADVAPI32(?), ref: 00D312A3
Part of subcall function 00D3122D: FreeLibrary.KERNEL32(?), ref: 00D312F5
Part of subcall function 00D3122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D31318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D312E0

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b132000310359ce88c2adc1143f95d942d7a9fa67279477de582c09d50f9271a
Instruction ID: 492452eca94a87aaec4861415d526cc537d3446bea63e241b1feb0bea388df51
Opcode Fuzzy Hash: b132000310359ce88c2adc1143f95d942d7a9fa67279477de582c09d50f9271a
Instruction Fuzzy Hash: 4F312BB9D0121ABFDB149F94DC8AAFFB7BCEF08340F440169E501E2251EA749E459AB4

Uniqueness

Uniqueness Score: -1.00%

Function 00D3653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D3655B
GetWindowLongW.USER32(00F24C70,000000F0), ref: 00D3658E
GetWindowLongW.USER32(00F24C70,000000F0), ref: 00D365C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D365F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D3661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D36630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D3664A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6ffbca5ee23ae3d7223a2f063bff0ebb0383a9d8d4f8fc15f05523efc6baeee4
Instruction ID: 0d652e64fd0bcd77185d2cbd76aad8d2ec1d5b4bea674021517a32d2cd4ef096
Opcode Fuzzy Hash: 6ffbca5ee23ae3d7223a2f063bff0ebb0383a9d8d4f8fc15f05523efc6baeee4
Instruction Fuzzy Hash: 53310030A04254AFDB21CF28DC86F553BE1FB4A750F1881A8F505CB2F6DB61E884DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D26486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D280CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D264D9
WSAGetLastError.WSOCK32(00000000), ref: 00D264E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D26521
connect.WSOCK32(00000000,?,00000010), ref: 00D2652A
WSAGetLastError.WSOCK32 ref: 00D26534
closesocket.WSOCK32(00000000), ref: 00D2655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D26576

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2d8db0cd08a6334368a7969af232dcb0c343a3f747b991f799c6f7505c4adac4
Instruction ID: 8a868e213a03997778ace2822ed9850e98fe32278691e6a846149c20d6fba37b
Opcode Fuzzy Hash: 2d8db0cd08a6334368a7969af232dcb0c343a3f747b991f799c6f7505c4adac4
Instruction Fuzzy Hash: 1B31C171600328ABDB10AF24DC85BBE7BA8EF54718F044029FA49E7291CB74ED04DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D0E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D0E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D0E120
SysAllocString.OLEAUT32(00000000), ref: 00D0E123
SysAllocString.OLEAUT32 ref: 00D0E144
SysFreeString.OLEAUT32 ref: 00D0E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00D0E167
SysAllocString.OLEAUT32(?), ref: 00D0E175

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5c566478deacfedf5c40de3a388f980809d6e97b1842b51133368c17cca33599
Instruction ID: 72d92d72df37e2641b2b2442cef248b5140b3c9bfa5258221c04ad251747e21e
Opcode Fuzzy Hash: 5c566478deacfedf5c40de3a388f980809d6e97b1842b51133368c17cca33599
Instruction Fuzzy Hash: E7217135604318AFDB10AFA8DC88DAB77ECEF09760B148525F959CB2A0DA70DC418B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D0FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D0FB81
__wcsnicmp.LIBCMT ref: 00D0FBA2
__wcsnicmp.LIBCMT ref: 00D0FBBC

Strings

#notrayicon, xrefs: 00D0FB79
#requireadmin, xrefs: 00D0FB9C
#OnAutoItStartRegister, xrefs: 00D0FBB6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 0b13f5810c17dea83018ad68c26f240a969e324f8cd39b2a5c0930c2e332eb3f
Instruction ID: ac05213427fd1f9e129870edf4a0684adc3a41befba26157e91c76a4f4811e67
Opcode Fuzzy Hash: 0b13f5810c17dea83018ad68c26f240a969e324f8cd39b2a5c0930c2e332eb3f
Instruction Fuzzy Hash: 2E2128322041516AE330F724DC52FA77398EF51340F684036FD8D87AC1E791A981A2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CB1D73
Part of subcall function 00CB1D35: GetStockObject.GDI32(00000011), ref: 00CB1D87
Part of subcall function 00CB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D378A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D378AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D378B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D378C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D378D4

Strings

Msctls_Progress32, xrefs: 00D37872

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7cd076e60e05c008488ecb4517b8d5142794696e7116e75a7b284d9cc4dc727e
Instruction ID: 37da9944f9498e12feaa410028855140b401accc7a8b765c2401d0b21773d264
Opcode Fuzzy Hash: 7cd076e60e05c008488ecb4517b8d5142794696e7116e75a7b284d9cc4dc727e
Instruction Fuzzy Hash: 01118EB2510219BFEF159F60CC85EE77F6DEF087A8F054115BA08A2090C7729C21DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00CD4292,?), ref: 00CD41E3
GetProcAddress.KERNEL32(00000000), ref: 00CD41EA
EncodePointer.KERNEL32(00000000), ref: 00CD41F6
DecodePointer.KERNEL32(00000001,00CD4292,?), ref: 00CD4213

Strings

combase.dll, xrefs: 00CD41DE
RoInitialize, xrefs: 00CD41D2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 210bbdc2826254a87e7ebe3486f9f55df279b80d133e9730b46c69aacf4f91b5
Instruction ID: d4d1ab31c1bc4bfddfe6dec5d215a18e1706b4bbe3f9307019ef6fa007aa7785
Opcode Fuzzy Hash: 210bbdc2826254a87e7ebe3486f9f55df279b80d133e9730b46c69aacf4f91b5
Instruction Fuzzy Hash: C3E01AB4E90304AFEB216BB0EC49B143AA4B720702F904424FA25D57B0EBB540D5CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00CD429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CD41B8), ref: 00CD42B8
GetProcAddress.KERNEL32(00000000), ref: 00CD42BF
EncodePointer.KERNEL32(00000000), ref: 00CD42CA
DecodePointer.KERNEL32(00CD41B8), ref: 00CD42E5

Strings

combase.dll, xrefs: 00CD42B3
RoUninitialize, xrefs: 00CD42A7

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 9999964d7a5c3a7dbe92ad329df31649b8809dfa0d690a75ced76f26ae1eb093
Instruction ID: 6951e6c2aad42dd646ae1efe0878f1d57fe944cd012567d1c3629bab9b1fc771
Opcode Fuzzy Hash: 9999964d7a5c3a7dbe92ad329df31649b8809dfa0d690a75ced76f26ae1eb093
Instruction Fuzzy Hash: 68E0B67CA81314EFEB11AB70EC4DB163AA4B724743F904039F615E13B0EBB48584CA74

Uniqueness

Uniqueness Score: -1.00%

Function 00D1675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D168AD
_memmove.LIBCMT ref: 00D167E8

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

_memmove.LIBCMT ref: 00D1685B
_memmove.LIBCMT ref: 00D16942
_memmove.LIBCMT ref: 00D1695B
_memmove.LIBCMT ref: 00D16977

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 2ac74d2e030658137b5ee0dcb8b02025e330d3075783c8fac3e9a08f62e1acb0
Instruction ID: b2296a80d1523b17bccb402bdd8615508128e74e8172afa967fb4a14fd0fa4ea
Opcode Fuzzy Hash: 2ac74d2e030658137b5ee0dcb8b02025e330d3075783c8fac3e9a08f62e1acb0
Instruction Fuzzy Hash: C5617C3050065AABCF11FF60D881EFE77A4EF44308F084559FA5A5B292DF34E985EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D30038,?,?), ref: 00D310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D30548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D30588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D305AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D305D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D30617
RegCloseKey.ADVAPI32(00000000), ref: 00D30624

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ff6b784b418f322b3f7fbc8c81f7bf7f515ffeceff4b555509b124e8594e7784
Instruction ID: aa016f06f138a987b9d40cc45c26fbb068e1cf7dc73ae559a0a57f6c8351dc21
Opcode Fuzzy Hash: ff6b784b418f322b3f7fbc8c81f7bf7f515ffeceff4b555509b124e8594e7784
Instruction Fuzzy Hash: 96513931608204AFCB14EF64C895EAEBBE8FF88314F04491DF585972A1DB31E915DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D35A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D35A82
GetMenuItemCount.USER32(00000000), ref: 00D35AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D35AE1
GetMenuItemID.USER32(?,?), ref: 00D35B50
GetSubMenu.USER32(?,?), ref: 00D35B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00D35BAF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 2d8804b4298957eb7e5de517c87efef6ec4c0b78f367137d1ff307ed4a929087
Instruction ID: f80c9ae6f6a838a510fb228c85e26fa1f103be27dd5c427572d6de7e5fe5ee8b
Opcode Fuzzy Hash: 2d8804b4298957eb7e5de517c87efef6ec4c0b78f367137d1ff307ed4a929087
Instruction Fuzzy Hash: 99517E31E00619EFCF11EFA4D845AAEB7B4EF48310F1444AAE945B7351CB70AE41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D0F3F7
VariantClear.OLEAUT32(00000013), ref: 00D0F469
VariantClear.OLEAUT32(00000000), ref: 00D0F4C4
_memmove.LIBCMT ref: 00D0F4EE
VariantClear.OLEAUT32(?), ref: 00D0F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D0F569

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: db51cb4633cd96b8a566604c63928610ec90b68563d224d4a0ee3a33b6467a12
Instruction ID: 3027d6d10b79a060f5f7019d4876e62da10e1c7fbe520fbb386db8deb9543f7e
Opcode Fuzzy Hash: db51cb4633cd96b8a566604c63928610ec90b68563d224d4a0ee3a33b6467a12
Instruction Fuzzy Hash: B15149B5A00209EFCB24CF58D884AAAB7B8FF4C354B258569ED59DB350D730E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D126F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D12747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D12792
IsMenu.USER32(00000000), ref: 00D127B2
CreatePopupMenu.USER32 ref: 00D127E6
GetMenuItemCount.USER32(000000FF), ref: 00D12844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D12875

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 73aaf7c53002ce7bc0c37fa8a5ba1a77998f85c4e58777115113fa45397a6ff9
Instruction ID: 25cb92429b383f09a0f3851a47d9cf8d48979ade5948acf70f4354fda2a739e8
Opcode Fuzzy Hash: 73aaf7c53002ce7bc0c37fa8a5ba1a77998f85c4e58777115113fa45397a6ff9
Instruction Fuzzy Hash: 11519C70A00349EBDF24CF68E888AFEBBF5AF44314F144169E4519B291DB7289A4CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00CB179A
GetWindowRect.USER32(?,?), ref: 00CB17FE
ScreenToClient.USER32(?,?), ref: 00CB181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CB182C
EndPaint.USER32(?,?), ref: 00CB1876

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 349cf1c965d05a5a4647625137ae374ed160599cfb28fab95964475aba5d1092
Instruction ID: f3b099ebec7ebfa99b04d633b4e84134445329b4383ff6622db94777af05229a
Opcode Fuzzy Hash: 349cf1c965d05a5a4647625137ae374ed160599cfb28fab95964475aba5d1092
Instruction Fuzzy Hash: 60418E70500700AFD710DF25CC94BB67BE8FB45724F180629FAA8C62E1E7319D45EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00D767B0,00000000,00F24C70,?,?,00D767B0,?,00D3B862,?,?), ref: 00D3B9CC
EnableWindow.USER32(00000000,00000000), ref: 00D3B9F0
ShowWindow.USER32(00D767B0,00000000,00F24C70,?,?,00D767B0,?,00D3B862,?,?), ref: 00D3BA50
ShowWindow.USER32(00000000,00000004,?,00D3B862,?,?), ref: 00D3BA62
EnableWindow.USER32(00000000,00000001), ref: 00D3BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00D3BAA9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d1f482d5390c04fb04663d6aae3ff7ebb76b4119074fe7c89806077c50823522
Instruction ID: 68a7e5d01d0560652695755eedcf88ca88773506f41fdd462f2edd808b062d26
Opcode Fuzzy Hash: d1f482d5390c04fb04663d6aae3ff7ebb76b4119074fe7c89806077c50823522
Instruction Fuzzy Hash: A2412B35600645AFDB26CF28C489B957FE1BB05325F1C42AAEB48CF6A2C771A845CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D273B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00D25134,?,?,00000000,00000001), ref: 00D273BF

Part of subcall function 00D23C94: GetWindowRect.USER32(?,?), ref: 00D23CA7

GetDesktopWindow.USER32 ref: 00D273E9
GetWindowRect.USER32(00000000), ref: 00D273F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D27422

Part of subcall function 00D154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D1555E

GetCursorPos.USER32(?), ref: 00D2744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D274AC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 97b4ce206917502690e2169c77fc26049f1e6671c04f2032a56a98d6d61bc73f
Instruction ID: 44dd714735967f7db3bf2660328892e1e820d11660a406a9e739c99306b267cf
Opcode Fuzzy Hash: 97b4ce206917502690e2169c77fc26049f1e6671c04f2032a56a98d6d61bc73f
Instruction Fuzzy Hash: 1E31E672508319ABD720DF14E849F9BBBE9FF98314F000919F588D7191CB34E949CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D08D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D085F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D08608
Part of subcall function 00D085F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D08612
Part of subcall function 00D085F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D08621
Part of subcall function 00D085F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D08628
Part of subcall function 00D085F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D0863E

GetLengthSid.ADVAPI32(?,00000000,00D08977), ref: 00D08DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D08DB8
HeapAlloc.KERNEL32(00000000), ref: 00D08DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D08DD8
GetProcessHeap.KERNEL32(00000000,00000000,00D08977), ref: 00D08DEC
HeapFree.KERNEL32(00000000), ref: 00D08DF3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5fafad9ed2aa9995947ece6364862421e6c6c2ed6f2a991ec56e846b7df0ccc5
Instruction ID: 05e915c2831154a45500c0936e143469633e60d1f258ab6f36c9097a9dc0e5a8
Opcode Fuzzy Hash: 5fafad9ed2aa9995947ece6364862421e6c6c2ed6f2a991ec56e846b7df0ccc5
Instruction Fuzzy Hash: 4011BE31900709FFDB149FA8DC09BAE7BA9EF55315F144229E8C9D7290DB369904EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D08AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D08B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00D08B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D08B40
CloseHandle.KERNEL32(00000004), ref: 00D08B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D08B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D08B8E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ca32626be7b02933d2011d1c2a411af82d19a13b83fd1f49e12fa0d9f78cd737
Instruction ID: ccdee8fca0eea58256a8514dadf749c53bb8ce326aa96a1040554ffcc8994b55
Opcode Fuzzy Hash: ca32626be7b02933d2011d1c2a411af82d19a13b83fd1f49e12fa0d9f78cd737
Instruction Fuzzy Hash: C3111AB250120DEBDF118FA8DD49FDA7BA9EB08305F084065FA48A21A0C7759D65AB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB134D
Part of subcall function 00CB12F3: SelectObject.GDI32(?,00000000), ref: 00CB135C
Part of subcall function 00CB12F3: BeginPath.GDI32(?), ref: 00CB1373
Part of subcall function 00CB12F3: SelectObject.GDI32(?,00000000), ref: 00CB139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00D3C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00D3C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D3C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00D3C1F6
EndPath.GDI32(00000000), ref: 00D3C206
StrokePath.GDI32(00000000), ref: 00D3C216

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ee23171074c6a8e6fdb42705ec55db5b9b2b96b405a9cd39bf70a22213b9eab0
Instruction ID: a1d92abd51c9b43384bb5833145b28a077ca4f487b4be5fa708e7e75066c9f82
Opcode Fuzzy Hash: ee23171074c6a8e6fdb42705ec55db5b9b2b96b405a9cd39bf70a22213b9eab0
Instruction Fuzzy Hash: D411C97640024DBFDF119F94DC88FEA7FADEB08354F048021BA199A2A1D7719E95DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CD03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CD03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CD03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CD03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CD03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CD0401

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fec7121605e89b1361a20e5a12f79c528afab8fc5bb81bfa38ca5933bb457cf2
Instruction ID: b2ad9904997c5f047b6dcd24f95bd10fdc91d08102010f3e21987b3c4c1543e1
Opcode Fuzzy Hash: fec7121605e89b1361a20e5a12f79c528afab8fc5bb81bfa38ca5933bb457cf2
Instruction Fuzzy Hash: 5F0148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15887A41C7B5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00D1568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D1569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D156B1
GetWindowThreadProcessId.USER32(?,?), ref: 00D156C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D156CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D156D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D156E0

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e83794451d806ccb3a3eb84a597dd6862bea3e594c600ea5f67ed6cc91332ab3
Instruction ID: 8c95beb46fba28cceea3cce54a68555c8477c30d7d69dbceb386a52a668d799a
Opcode Fuzzy Hash: e83794451d806ccb3a3eb84a597dd6862bea3e594c600ea5f67ed6cc91332ab3
Instruction Fuzzy Hash: E2F03032A4165CBBE7215BA2EC0EEEF7B7CEFC6B11F040169FA05D1160DBA11A0186B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D174D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00D174E5
EnterCriticalSection.KERNEL32(?,?,00CC1044,?,?), ref: 00D174F6
TerminateThread.KERNEL32(00000000,000001F6,?,00CC1044,?,?), ref: 00D17503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00CC1044,?,?), ref: 00D17510

Part of subcall function 00D16ED7: CloseHandle.KERNEL32(00000000,?,00D1751D,?,00CC1044,?,?), ref: 00D16EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00D17523
LeaveCriticalSection.KERNEL32(?,?,00CC1044,?,?), ref: 00D1752A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 48ba503133f61b80f2e6bbba0e568d4f7a937b7da06377f6a3c6fea19d65e05b
Instruction ID: 0ebac95dcd542d420ace14cdeb57cb0a0e92763398dad91d7af904f427fbd975
Opcode Fuzzy Hash: 48ba503133f61b80f2e6bbba0e568d4f7a937b7da06377f6a3c6fea19d65e05b
Instruction Fuzzy Hash: ADF03A3A940716EBEB111B64FD889EB773AEF45302B040531F642D11B1CBB55845CA74

Uniqueness

Uniqueness Score: -1.00%

Function 00D08E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D08E7F
UnloadUserProfile.USERENV(?,?), ref: 00D08E8B
CloseHandle.KERNEL32(?), ref: 00D08E94
CloseHandle.KERNEL32(?), ref: 00D08E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D08EA5
HeapFree.KERNEL32(00000000), ref: 00D08EAC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 938892cb75afb0a2fc4e3a8cbad01a192f3b0ab540de5fa14864455248949d57
Instruction ID: 45058917793409f01fb16e20957244f611e7c371fefb7a05e6e589075bea50a2
Opcode Fuzzy Hash: 938892cb75afb0a2fc4e3a8cbad01a192f3b0ab540de5fa14864455248949d57
Instruction Fuzzy Hash: 92E0C276404209FBDA011FE2EC0CD0ABB69FB99322B108230F219C1270CB32A425DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D28902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D28928
CharUpperBuffW.USER32(?,?), ref: 00D28A37
VariantClear.OLEAUT32(?), ref: 00D28BAF

Part of subcall function 00D17804: VariantInit.OLEAUT32(00000000), ref: 00D17844
Part of subcall function 00D17804: VariantCopy.OLEAUT32(00000000,?), ref: 00D1784D
Part of subcall function 00D17804: VariantClear.OLEAUT32(00000000), ref: 00D17859

Strings

Incorrect Parameter format, xrefs: 00D28960, 00D28B22
AUTOIT.ERROR, xrefs: 00D28A3D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d70707e2a6c53ac80a79b263bf0723a5d2e12b9631666c352b6ea9a9ae5be17e
Instruction ID: ba282cb2956bcc429757ae16be4f5775abc37331555ff21eab87b6f5e91f6b94
Opcode Fuzzy Hash: d70707e2a6c53ac80a79b263bf0723a5d2e12b9631666c352b6ea9a9ae5be17e
Instruction Fuzzy Hash: 64918F716083019FC710DF28D48496BBBF4EF99314F14896EF89A8B361DB31E945DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D12F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CCFEC6: _wcscpy.LIBCMT ref: 00CCFEE9

_memset.LIBCMT ref: 00D13077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D130A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D13159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D13187

Strings

0, xrefs: 00D13063

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: f04a00e99c47b65e81654384e9060a0a67e58390407ccf4692e2178d735edc9e
Instruction ID: e4b61a08282e424d3b3725f06e19ffa973cbf131246ea56b122f5da76c509efc
Opcode Fuzzy Hash: f04a00e99c47b65e81654384e9060a0a67e58390407ccf4692e2178d735edc9e
Instruction Fuzzy Hash: 1F519171608300BBD7159F28E845AABBBE4EF55360F08492DF895D2291DF70DAC49772

Uniqueness

Uniqueness Score: -1.00%

Function 00D0DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D0DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D0DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D0DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D0DB8E

Strings

DllGetClassObject, xrefs: 00D0DB01

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 957b4c5559e41e034b2ac28221906ec51d12e377fb84a187059d0e9345bffbc1
Instruction ID: 2d0e80d3d8c8aaaa8082265289ce33249aaa56e4716e6b94f924026cf53ad201
Opcode Fuzzy Hash: 957b4c5559e41e034b2ac28221906ec51d12e377fb84a187059d0e9345bffbc1
Instruction Fuzzy Hash: 414151B1600308DFDB15CF94C884B9ABBBAEF48350F1580AAAD09DF285D7B1D944DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D12C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D12CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D12CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00D12D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D76890,00000000), ref: 00D12D5A

Strings

0, xrefs: 00D12CA4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: ed5850df044f47128fba7544350e5adc40ead42fe26e2634cacba1e6062f9797
Instruction ID: 13b8ca0428a61f219191c19d85c61d75b358ec30abb67617421f525629e31032
Opcode Fuzzy Hash: ed5850df044f47128fba7544350e5adc40ead42fe26e2634cacba1e6062f9797
Instruction Fuzzy Hash: 8641C230204341AFD720DF24E844BAAB7E4EF85320F08461DF9A5972E1DB71E954CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D2DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D2DAD9

Part of subcall function 00CB79AB: _memmove.LIBCMT ref: 00CB79F9

Strings

winapi, xrefs: 00D2DB4A
none, xrefs: 00D2DBB4
cdecl, xrefs: 00D2DB30
stdcall, xrefs: 00D2DB5B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 5dac9f5a4736862f8adae1b9ad82fe585faabdfe41dfd40e24cbdbde5b83390e
Instruction ID: 6918afd7e42577eeb926fc6d115c4f2594a32d561427b0222d815fd5420f3beb
Opcode Fuzzy Hash: 5dac9f5a4736862f8adae1b9ad82fe585faabdfe41dfd40e24cbdbde5b83390e
Instruction Fuzzy Hash: 3231A171500219AFCF10EFA4C8919FEB7B5FF15314F10862AE865A77D1CB31A905DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D09372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D0B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D093F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D09409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D09439

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

Strings

ListBox, xrefs: 00D093B5
ComboBox, xrefs: 00D09380

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ce0c792f837d7096f4e68c7c4806d496db06baa72534bfa0a85ca4ee85464e2e
Instruction ID: 9b99bfdf3390d771da245fd2c7fe02e67bb932d9c234ee213b151599214a31d2
Opcode Fuzzy Hash: ce0c792f837d7096f4e68c7c4806d496db06baa72534bfa0a85ca4ee85464e2e
Instruction Fuzzy Hash: 8D21E471904108BFDB14ABB4DC96AFFB76CDF45360F144219F929972E2DB35490AA630

Uniqueness

Uniqueness Score: -1.00%

Function 00D21B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D21B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D21B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D21B96
InternetCloseHandle.WININET(00000000), ref: 00D21BDD

Part of subcall function 00D22777: GetLastError.KERNEL32(?,?,00D21B0B,00000000,00000000,00000001), ref: 00D2278C
Part of subcall function 00D22777: SetEvent.KERNEL32(?,?,00D21B0B,00000000,00000000,00000001), ref: 00D227A1

Strings

, xrefs: 00D21B87

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d67a484a95887c7396423712c5a53a721c604d66d6fd94fedd5a509d9330a9fb
Instruction ID: 96f2872e572b5ee2497f77bba0e4921d2d699e9444bfbd7220aee1d27ee0f9a3
Opcode Fuzzy Hash: d67a484a95887c7396423712c5a53a721c604d66d6fd94fedd5a509d9330a9fb
Instruction Fuzzy Hash: 5221CFB5500318BFEB119F20AC85EBF76FCEB6A748F10812AF545E3240EA309D049771

Uniqueness

Uniqueness Score: -1.00%

Function 00D36656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CB1D73
Part of subcall function 00CB1D35: GetStockObject.GDI32(00000011), ref: 00CB1D87
Part of subcall function 00CB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D366D0
LoadLibraryW.KERNEL32(?), ref: 00D366D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D366EC
DestroyWindow.USER32(?), ref: 00D366F4

Strings

SysAnimate32, xrefs: 00D366AB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ca721ba64619ab72a96fee93a285b4866dffdd6ac7896bf42079c7b6c65bc12b
Instruction ID: 74ef5b79b17e14f74f9eca459e9d0e924287191b9bd6205554b45b0fbe65cb07
Opcode Fuzzy Hash: ca721ba64619ab72a96fee93a285b4866dffdd6ac7896bf42079c7b6c65bc12b
Instruction Fuzzy Hash: 2C218EB1200209BBEF104F74EC82EAB37ADEB597A8F548629F950D6190D771CC519770

Uniqueness

Uniqueness Score: -1.00%

Function 00D1703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D1705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D17091
GetStdHandle.KERNEL32(0000000C), ref: 00D170A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D170DD

Strings

nul, xrefs: 00D170D8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8cf8b2e8aad63c25176d24bb77a0f79930e1eada5c6cb54e91b715672a477625
Instruction ID: d3d966f6bb074cc6358bc2e193334042ca104735d533bff360da0222e58f257c
Opcode Fuzzy Hash: 8cf8b2e8aad63c25176d24bb77a0f79930e1eada5c6cb54e91b715672a477625
Instruction Fuzzy Hash: 62214F74504309BBDB209F68EC05ADA77B8BF48720F244619F8A1D72E0DB71D9908B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D1710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D1712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D1715D
GetStdHandle.KERNEL32(000000F6), ref: 00D1716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D171A8

Strings

nul, xrefs: 00D171A3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0a05993883290ac2d7e9ab971431cfb4ef7e3477758a3a45505c7b004b5d8201
Instruction ID: fcf421683b41d345ccb4d731a29de7daeee170f380d79cc58e88425091428793
Opcode Fuzzy Hash: 0a05993883290ac2d7e9ab971431cfb4ef7e3477758a3a45505c7b004b5d8201
Instruction Fuzzy Hash: AA213575504305BBDB209F68AC04ADA77B8AF55730F240619F9E1D72E0DB70D8C18775

Uniqueness

Uniqueness Score: -1.00%

Function 00D1AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D1AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D1AF13
__swprintf.LIBCMT ref: 00D1AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00D3F910), ref: 00D1AF6A

Strings

%lu, xrefs: 00D1AF26

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a853b9819d5db3d62fb52074a0f6b8b751c2dbb3417608f82f521433560af226
Instruction ID: aa30008496b33e49cb0d8a6adf664cc7c92ab0376ff336cfd6396d1231cf1e61
Opcode Fuzzy Hash: a853b9819d5db3d62fb52074a0f6b8b751c2dbb3417608f82f521433560af226
Instruction Fuzzy Hash: 18216D31A00209AFCB10EF65D885EEE7BB8EF89704B004069F909EB251DB31EA45DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00D0A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

Part of subcall function 00D0A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D0A399
Part of subcall function 00D0A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0A3AC
Part of subcall function 00D0A37C: GetCurrentThreadId.KERNEL32 ref: 00D0A3B3
Part of subcall function 00D0A37C: AttachThreadInput.USER32(00000000), ref: 00D0A3BA

GetFocus.USER32 ref: 00D0A554

Part of subcall function 00D0A3C5: GetParent.USER32(?), ref: 00D0A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00D0A59D
EnumChildWindows.USER32(?,00D0A615), ref: 00D0A5C5
__swprintf.LIBCMT ref: 00D0A5DF

Strings

%s%d, xrefs: 00D0A5D9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 6fe53f2cdab90fa264569c4f351608f58d73af14e4267c5ca177f3512d183dbe
Instruction ID: 8df139f73df6aa99964bf7befcd6f94d94166c4ac88d8693453dd50470baddb1
Opcode Fuzzy Hash: 6fe53f2cdab90fa264569c4f351608f58d73af14e4267c5ca177f3512d183dbe
Instruction Fuzzy Hash: 72115C71600309ABDF11BBA8DC86FEE7778EF89700F044075B90CAA192DA7159459B75

Uniqueness

Uniqueness Score: -1.00%

Function 00D12017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D12048

Strings

EXISTS, xrefs: 00D12070
REMOVE, xrefs: 00D1204E
APPEND, xrefs: 00D12081
KEYS, xrefs: 00D1205F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 9ab4a2aba519b89e77500e4beace4f7216ca106614fe6d0cbe81c6b2859a8fb6
Instruction ID: 7535eacbb3e23911990cc86b9c11eb4cfea66a2f5882f0e9e17b6948411105f7
Opcode Fuzzy Hash: 9ab4a2aba519b89e77500e4beace4f7216ca106614fe6d0cbe81c6b2859a8fb6
Instruction Fuzzy Hash: CC1139309002099FCF00EFA8D9415FEB7B5BF1A304F10856AD896A7352EB32691ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D2EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D2EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D2EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D2F07E
CloseHandle.KERNEL32(?), ref: 00D2F0FF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5c51464f0deba3ff9036bb62f92aa67061525b81984530bba26247f63a78258b
Instruction ID: 4b50614d4b60a29ebd6ad427497553c8f95b4d3abfda5b8d5d8f2bc8a793d668
Opcode Fuzzy Hash: 5c51464f0deba3ff9036bb62f92aa67061525b81984530bba26247f63a78258b
Instruction Fuzzy Hash: AB816E716043109FD720EF28D886F6AB7E5EF58714F04882DFA99DB292DB70EC449B52

Uniqueness

Uniqueness Score: -1.00%

Function 00D302C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D30038,?,?), ref: 00D310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D30388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D303C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D3040E
RegCloseKey.ADVAPI32(?,?), ref: 00D3043A
RegCloseKey.ADVAPI32(00000000), ref: 00D30447

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 8675b14457acbe9b98467d13ea02e9d0cb4b11eda2a8cdfa04fd434f912c62d1
Instruction ID: 18b013da5066477a01d4df37541dc6ca15dbc1df368be827c9cc61535afe1bef
Opcode Fuzzy Hash: 8675b14457acbe9b98467d13ea02e9d0cb4b11eda2a8cdfa04fd434f912c62d1
Instruction Fuzzy Hash: 85513C31208204AFD704EF64D891FAEBBE8FF84704F44892DF596972A1DB30E905DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D2DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D2DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00D2DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D2DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00D2DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D2DD35

Part of subcall function 00CB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D17B20,?,?,00000000), ref: 00CB5B8C
Part of subcall function 00CB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D17B20,?,?,00000000,?,?), ref: 00CB5BB0

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: a4fac8fb247e97accad3a01017ab50ebb41f081acaf50a427aa8088a20024215
Instruction ID: 18ec3fa1265a0cf971c7e96f5d7e52104bd8e51af9bd3b8d201804a57e07acc2
Opcode Fuzzy Hash: a4fac8fb247e97accad3a01017ab50ebb41f081acaf50a427aa8088a20024215
Instruction Fuzzy Hash: 4D513735A00619DFCB01EF68D4849ADB7F5FF58314B188069E919AB362DB30ED45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D1E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D1E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D1E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D1E8F2

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D1E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D1E91F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ff075cca366bd99c3cb2d2c6559cf31857bcb76ddf438db133f24261e58579ed
Instruction ID: 3ba97156bc60d1a108b89fdb569caed0ccb69bba4f21aabc9103bdf74506f37e
Opcode Fuzzy Hash: ff075cca366bd99c3cb2d2c6559cf31857bcb76ddf438db133f24261e58579ed
Instruction Fuzzy Hash: E4510C35A00205EFCF01EF64C981AAEBBF5EF49310F148099E949AB362CB31ED51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45eca47e78e432c23a44a89f2c776fa5bc1827725b553382fdde3d03dd70d74
Instruction ID: 52717e5e0a149e31529493792be26b5a758df70e48fd362afc6b1851844a9211
Opcode Fuzzy Hash: f45eca47e78e432c23a44a89f2c776fa5bc1827725b553382fdde3d03dd70d74
Instruction Fuzzy Hash: 4041A335A00218AFD714DFACCC48FA9BBA8EB09310F194165F999E72E1D770ED41DA71

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CB2357
ScreenToClient.USER32(00D767B0,?), ref: 00CB2374
GetAsyncKeyState.USER32(00000001), ref: 00CB2399
GetAsyncKeyState.USER32(00000002), ref: 00CB23A7

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d545f5a2087a5f3a37c07dca23359df8d7e06675513048b2183048d6cb1031a5
Instruction ID: 90515a8fa00797bf107c9dc0ca1f58dbaf8613a1e3bd24c1cd8329fc75462656
Opcode Fuzzy Hash: d545f5a2087a5f3a37c07dca23359df8d7e06675513048b2183048d6cb1031a5
Instruction Fuzzy Hash: 3341A335904259FBDF159FA5C884AEDBBB4FF05320F104319F939922A0C7359E94DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D06920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D0695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00D069A9
TranslateMessage.USER32(?), ref: 00D069D2
DispatchMessageW.USER32(?), ref: 00D069DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D069EB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 6f47931a4291c1c001645c861399d54897dae1f1bf388dc123d2e8678d28ebc0
Instruction ID: c464f65a4e801791d8ea1c86910fc1e73f732bd596aa69a06c6ca491022d91ad
Opcode Fuzzy Hash: 6f47931a4291c1c001645c861399d54897dae1f1bf388dc123d2e8678d28ebc0
Instruction Fuzzy Hash: 6B31C431A00756AADB64DF74EC44FBA7BACAB01304F184169E42DD26E1F734D8A5DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D08F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D08F12
PostMessageW.USER32(?,00000201,00000001), ref: 00D08FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D08FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00D08FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D08FDA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4aef6b013d717f0b50442aaf1a99286602f8c78c7185031ca7b847b37a246490
Instruction ID: 99bff900c3cf1ea00d36efdcbd64825390a0bd341c513281d26664f22d66bb6e
Opcode Fuzzy Hash: 4aef6b013d717f0b50442aaf1a99286602f8c78c7185031ca7b847b37a246490
Instruction Fuzzy Hash: 9831AD7190021AEBDB14CF78D949B9E7BB6EF44315F104229F9A9E62D0C7B09914EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D0B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D0B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D0B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D0B742
_wcsstr.LIBCMT ref: 00D0B74C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: fdeb26e43f2de9b6411d698fd308d1e5bd8ef93f8f0849a934d430815d659c89
Instruction ID: aa57e3bab4294c9494db6fbb644425a8f3e35363cfe2b4a2a6d334e6a377bb4a
Opcode Fuzzy Hash: fdeb26e43f2de9b6411d698fd308d1e5bd8ef93f8f0849a934d430815d659c89
Instruction Fuzzy Hash: 9321D731608344BBEB255B799C49F7B7B98DF85720F14402BFD09CA2A1EB61DC409670

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

GetWindowLongW.USER32(?,000000F0), ref: 00D3B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00D3B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D3B489
GetSystemMetrics.USER32(00000004), ref: 00D3B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00D21184,00000000), ref: 00D3B4D0

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b7a57c1b676bc59c7f6a839292b69fab878a6425f9cac73f7acbacadeef2cd25
Instruction ID: d6e6187a0e7e94393f7055c720116fd7e8938b00ab5eab58cea4e8ed634b05e3
Opcode Fuzzy Hash: b7a57c1b676bc59c7f6a839292b69fab878a6425f9cac73f7acbacadeef2cd25
Instruction Fuzzy Hash: 8421A331910615AFCB149F38DC04A6A37A4FB05739F14473AFA26C72E2E730D850DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00D097E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D09802

Part of subcall function 00CB7D2C: _memmove.LIBCMT ref: 00CB7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D09834
__itow.LIBCMT ref: 00D0984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D09874
__itow.LIBCMT ref: 00D09885

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: c849d633b4bcf97a4dc9bd8c5ac89691784463926d62119526bb942748b95107
Instruction ID: 28104f5496bb1d2c9aa391bf7224ab5e48ad71b98d7d1c7c70f72744fe477824
Opcode Fuzzy Hash: c849d633b4bcf97a4dc9bd8c5ac89691784463926d62119526bb942748b95107
Instruction Fuzzy Hash: AE218671A00248ABDB109B658D9AFEEBBA9DF49710F084029FD09DB392D6708D4597F1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB134D
SelectObject.GDI32(?,00000000), ref: 00CB135C
BeginPath.GDI32(?), ref: 00CB1373
SelectObject.GDI32(?,00000000), ref: 00CB139C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c30cbcff2e47d26b283f44e51867717c2a05d8f0b9a891684c391a17b8ec34a9
Instruction ID: 9eee6248a6f95419041b87b2ffe0c095058fbe4001677e9ecea31cfa99a7a471
Opcode Fuzzy Hash: c30cbcff2e47d26b283f44e51867717c2a05d8f0b9a891684c391a17b8ec34a9
Instruction Fuzzy Hash: 93215E70800708EBDB108F69DC447A97BF8EB00361F584226F828D62F1F371D995DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D0C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00D0C176
_memcmp.LIBCMT ref: 00D0C194
_memcmp.LIBCMT ref: 00D0C1A7
_memcmp.LIBCMT ref: 00D0C1BF
_memcmp.LIBCMT ref: 00D0C1D7

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 701cac73797e042a1b870b04a13134848bf46d0bf136b5651c2394c0539e92d2
Instruction ID: 454cc42b578ed11c09605a2707f8788405d417e13af061129d827cafa44ffde2
Opcode Fuzzy Hash: 701cac73797e042a1b870b04a13134848bf46d0bf136b5651c2394c0539e92d2
Instruction Fuzzy Hash: FA01B5B16143067BE214AB205C42FBB775DDF21394F484221FE08963C3E760DE1A92F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D14D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D14D5C
__beginthreadex.LIBCMT ref: 00D14D7A
MessageBoxW.USER32(?,?,?,?), ref: 00D14D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D14DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D14DAC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: a6efc189195c3cc7e0719b1bc1dcf450b23bbf56b97f095853a53db9c0c161ed
Instruction ID: 532b9d528124869d4b66ea9b74d4c06072beb508c1eba2c8150bb0ab42cb1959
Opcode Fuzzy Hash: a6efc189195c3cc7e0719b1bc1dcf450b23bbf56b97f095853a53db9c0c161ed
Instruction Fuzzy Hash: 3411C8B6D04748BFCB119BA8BC44ADA7FACEB45320F144269F918D3351EA75CD8487B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D08766
GetLastError.KERNEL32(?,00D0822A,?,?,?), ref: 00D08770
GetProcessHeap.KERNEL32(00000008,?,?,00D0822A,?,?,?), ref: 00D0877F
HeapAlloc.KERNEL32(00000000,?,00D0822A,?,?,?), ref: 00D08786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D0879D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 876928231d4e4899148e049abd6e6ec182bd9b657ed7de5dd667f8f1379f8e77
Instruction ID: 9d934a75ec8c491c4c1cd8dd45e5b0ce8b7eb9521ff729cc36082bcf8e03f71e
Opcode Fuzzy Hash: 876928231d4e4899148e049abd6e6ec182bd9b657ed7de5dd667f8f1379f8e77
Instruction Fuzzy Hash: 8B014B71600318EFDB204FA6EC88DAB7BACEFC93557200439F889C2260DA718C00DA70

Uniqueness

Uniqueness Score: -1.00%

Function 00D154E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D15502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D15510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D15518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D15522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D1555E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4af34180ead31c3130cde1551dec1fbdde6b9b7a0071d311838af6cd1dbf072a
Instruction ID: 70bd638111621d0d2f5a1e9c7ba337d16441a6fbb19290372009f46e3f6776ef
Opcode Fuzzy Hash: 4af34180ead31c3130cde1551dec1fbdde6b9b7a0071d311838af6cd1dbf072a
Instruction Fuzzy Hash: 93012735C00A1DEBDF009FE8F8885EDBB7ABB49701F040056E841F2244DB34999487B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D07652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?,?,00D0799D), ref: 00D0766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?), ref: 00D0768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?), ref: 00D07698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?), ref: 00D076A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D0758C,80070057,?,?), ref: 00D076B4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1bfc6f1fea69b27caaf178fdf984064ff8d26e21b5edd760769bc22a1ad9d889
Instruction ID: 11e423dbf04381281aeebc247ac78037f1917a5f01e6cc01719ecfa16abec563
Opcode Fuzzy Hash: 1bfc6f1fea69b27caaf178fdf984064ff8d26e21b5edd760769bc22a1ad9d889
Instruction Fuzzy Hash: 430184B6E01708BBDB105F58DC44BAA7BADEB44751F540029FD0AD6361E732ED409BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D085F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D08608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D08612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D08621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D08628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D0863E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 41ff23462abd067d0727fd86f4a0b09cb9d99ff47cc3472322f8b8456d117706
Instruction ID: b05c64a4461f55ae68a0a090d3e4ebbce65d310eb9210e6c2c9626666390fd74
Opcode Fuzzy Hash: 41ff23462abd067d0727fd86f4a0b09cb9d99ff47cc3472322f8b8456d117706
Instruction Fuzzy Hash: 68F04F31601308AFEB100FA5EC89F6B3BACEF89764B440425F989C62A0CB61DC45EA70

Uniqueness

Uniqueness Score: -1.00%

Function 00D08652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D08669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D08673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D08682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D08689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0869F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9ff93c4095c65a54b5714a96b7bba22fdef9fa91ffecfceb1087062daaecd169
Instruction ID: e2413757630f4c9625fa3f3ded84274e92d428bcf60a4828f7a55a4b1dd97ec1
Opcode Fuzzy Hash: 9ff93c4095c65a54b5714a96b7bba22fdef9fa91ffecfceb1087062daaecd169
Instruction Fuzzy Hash: 29F04F71600308AFEB111FA5EC89FA73BACEF89754B540025F989C62A0CA61D945EE70

Uniqueness

Uniqueness Score: -1.00%

Function 00D0C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D0C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D0C6D1
MessageBeep.USER32(00000000), ref: 00D0C6E9
KillTimer.USER32(?,0000040A), ref: 00D0C705
EndDialog.USER32(?,00000001), ref: 00D0C71F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 04b245f75e07398260fcd51092fc7adf07de735b99f12add56f12df2e01d7aba
Instruction ID: ada91930353d73f7700d6d731565b276eaca8a9eca0730addb96a6d13a98fab5
Opcode Fuzzy Hash: 04b245f75e07398260fcd51092fc7adf07de735b99f12add56f12df2e01d7aba
Instruction Fuzzy Hash: 4E01AD30810708ABEB305B20DD8EFA677B8FF00701F041669F586E11F0DBE0A9548FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CB13BF
StrokeAndFillPath.GDI32(?,?,00CEBAD8,00000000,?), ref: 00CB13DB
SelectObject.GDI32(?,00000000), ref: 00CB13EE
DeleteObject.GDI32 ref: 00CB1401
StrokePath.GDI32(?), ref: 00CB141C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3e643751a50dd211cd1b242779b30f1819661d5109483542ec426f077627a060
Instruction ID: fed9df532b082ae833322f524fff4acc1cea057ea914cff8ebd8f27e2dbe68d3
Opcode Fuzzy Hash: 3e643751a50dd211cd1b242779b30f1819661d5109483542ec426f077627a060
Instruction Fuzzy Hash: 3AF0C931404B08EBDB155F6AED4C7983FA5A701326F888224F929C92F2E73189A5DF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D1C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D1C69D
CoCreateInstance.OLE32(00D42D6C,00000000,00000001,00D42BDC,?), ref: 00D1C6B5

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

CoUninitialize.OLE32 ref: 00D1C922

Strings

.lnk, xrefs: 00D1C631, 00D1C659, 00D1C663

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 98b61b7a7479cf2d55a06618f2be657d17011d21b2a302cb50dfb030c4f6416d
Instruction ID: 12464b5ddbb84e309d033c48828b3e2695c4e2634d7e33e8e999ac6024d0682e
Opcode Fuzzy Hash: 98b61b7a7479cf2d55a06618f2be657d17011d21b2a302cb50dfb030c4f6416d
Instruction Fuzzy Hash: 3CA13C71108305AFD700EF54C881EABB7ECEF99704F00491CF656972A2DB70EA49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00CD0FF6: std::exception::exception.LIBCMT ref: 00CD102C
Part of subcall function 00CD0FF6: __CxxThrowException@8.LIBCMT ref: 00CD1041

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00CB7BB1: _memmove.LIBCMT ref: 00CB7C0B

__swprintf.LIBCMT ref: 00CC302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00CC2EC6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 075ed57fe9ed8319d5e6088508377fd103e6c0979d29ce1fe959ebf8fc84a137
Instruction ID: c1e5bee86577889a2c05748f95741cebb457e501977eb79cf2f73d092a8cfcf4
Opcode Fuzzy Hash: 075ed57fe9ed8319d5e6088508377fd103e6c0979d29ce1fe959ebf8fc84a137
Instruction Fuzzy Hash: 3D919F321083459FC718EF64D885EBEB7A8EF85740F04491EF9569B2A1DB30EE44EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00D1BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB48A1,?,?,00CB37C0,?), ref: 00CB48CE

CoInitialize.OLE32(00000000), ref: 00D1BC26
CoCreateInstance.OLE32(00D42D6C,00000000,00000001,00D42BDC,?), ref: 00D1BC3F
CoUninitialize.OLE32 ref: 00D1BC5C

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

Strings

.lnk, xrefs: 00D1BC08, 00D1BC16

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 14ea815641d84fb4454ae315c182696bc106aaa3163f37f552b44cf86f63664c
Instruction ID: b7f269e3a8d4adc5204ac9d7e2b26f36145521f030bacbf5a3151b06970e8a25
Opcode Fuzzy Hash: 14ea815641d84fb4454ae315c182696bc106aaa3163f37f552b44cf86f63664c
Instruction Fuzzy Hash: 84A15975604301AFCB04DF14C484DAABBE5FF89324F148999F99A9B3A1CB31ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CD52DD

Part of subcall function 00CE0340: __87except.LIBCMT ref: 00CE037B

Strings

pow, xrefs: 00CD52B5, 00CD52D2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 8af618b2d9c6733b0dfe420eb9743d759ff3ce660d7513c455990478c4536854
Instruction ID: cd545e2e89697bafdf218f6dd75d67c335bd26efc2b610e9a6364782c472101f
Opcode Fuzzy Hash: 8af618b2d9c6733b0dfe420eb9743d759ff3ce660d7513c455990478c4536854
Instruction Fuzzy Hash: 89517C61A0DB4187CB117B16CA4137E2B909B40750F304D5AE2E5823F9EFB4CEC8EAD6

Uniqueness

Uniqueness Score: -1.00%

Function 00CD023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00CD0277
#, xrefs: 00CD0280

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: ce2d7bd50dbdfa12cdce950a7d2bc66bbc37fec6cf6e14a40d57d78c77c4d020
Instruction ID: 81fec798596be9d33c31c7e4734dc733e5a3c45cad089423d1c44d977d46b6d2
Opcode Fuzzy Hash: ce2d7bd50dbdfa12cdce950a7d2bc66bbc37fec6cf6e14a40d57d78c77c4d020
Instruction Fuzzy Hash: F151313450424A8FCF159F28D4887FA7BA4EF56310F28005AEC959B2E0D7309D82CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CC62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CC63A8
_memmove.LIBCMT ref: 00CC6446
_memset.LIBCMT ref: 00CC646A

Strings

ERCP, xrefs: 00CC6313

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 240e56ffacafa212ca2363e4857b3fd49a8df386c57dc7d4c5672fc8a3dd071d
Instruction ID: 239e227a57157471fe4d45939d5829d02d4d734c7fa31ad87d83bd08e0bb56f1
Opcode Fuzzy Hash: 240e56ffacafa212ca2363e4857b3fd49a8df386c57dc7d4c5672fc8a3dd071d
Instruction Fuzzy Hash: 4D51D571900709DFDB28CF65C981BAABBF4EF04314F24856EE95ACB281E771E684CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D09CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D119CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D09778,?,?,00000034,00000800,?,00000034), ref: 00D119F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D09D21

Part of subcall function 00D11997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D097A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00D119C1

Part of subcall function 00D118EE: GetWindowThreadProcessId.USER32(?,?), ref: 00D11919
Part of subcall function 00D118EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D0973C,00000034,?,?,00001004,00000000,00000000), ref: 00D11929
Part of subcall function 00D118EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D0973C,00000034,?,?,00001004,00000000,00000000), ref: 00D1193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D09D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D09DDB

Strings

@, xrefs: 00D09DF3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 537b5d1bf6e79855072b1a62b44cad45d2e59b1144445492880ef7e06513a1f2
Instruction ID: 856c8cc7e13890372bf1794478f7e3c5cffe6dc05afabb8181050ce412369c0c
Opcode Fuzzy Hash: 537b5d1bf6e79855072b1a62b44cad45d2e59b1144445492880ef7e06513a1f2
Instruction Fuzzy Hash: 8A412B76901218BFDB10DBA4DD51BEEBBB8EB09300F004095FA55B7191DA706E85CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D37BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D3F910,00000000,?,?,?,?), ref: 00D37C4E
GetWindowLongW.USER32 ref: 00D37C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D37C7B

Strings

SysTreeView32, xrefs: 00D37C20

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 79374246365a7e80e15650c630ee32ca2012787b666ca1457aea1e014f5c3f00
Instruction ID: 2980c59c3ec0c84c3eb3842ed2fdc2bed2d80a60dec2bc5f2ecb11db22c745f2
Opcode Fuzzy Hash: 79374246365a7e80e15650c630ee32ca2012787b666ca1457aea1e014f5c3f00
Instruction Fuzzy Hash: 9C318D7160460AABDB218F38DC41BEA77A9EB49324F284725F879D32E0D731E8519B60

Uniqueness

Uniqueness Score: -1.00%

Function 00D37648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D376D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D376E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D37708

Strings

SysMonthCal32, xrefs: 00D3769B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5d193529d6758a629f6d14ce3d3f15348e5d06ca6879823152b34b287b983ef7
Instruction ID: c44a62175a755a828b68b4f75f1aaa422cf88f232f6d451145cbf8f249b7fd12
Opcode Fuzzy Hash: 5d193529d6758a629f6d14ce3d3f15348e5d06ca6879823152b34b287b983ef7
Instruction Fuzzy Hash: 2221D172500619BBDF21CF64DC42FEA3B69EF48724F150214FE15AB1D0DAB1A890DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D36F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D36FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D36FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D36FDF

Strings

Listbox, xrefs: 00D36F77

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 37ab762e31960a83355cd39d4123bd82318f4488bfea469c0e590bcaafcfcc18
Instruction ID: d45b6aada40f1cb8d5e505f7f62c67704f9792e6da3da74256e74d5ef2e52655
Opcode Fuzzy Hash: 37ab762e31960a83355cd39d4123bd82318f4488bfea469c0e590bcaafcfcc18
Instruction Fuzzy Hash: B021A432610218BFDF118F54DC85FAB3BAAEF89764F158124FA149B190CA71EC51CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D3797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D379E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D379F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D37A03

Strings

msctls_trackbar32, xrefs: 00D379B8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5292582c7a53122829950c9625b6b86c41e85db562199a751c34ec890db964fe
Instruction ID: 60fe5f2517d672a6428c5520f345e7870b291e97782337f4357a12ef41893f44
Opcode Fuzzy Hash: 5292582c7a53122829950c9625b6b86c41e85db562199a751c34ec890db964fe
Instruction Fuzzy Hash: 84110672244208BFEF249F74CC05FEB37A9EF89764F050619FA45A6090D271D851DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CB4C2E), ref: 00CB4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CB4CB5

Strings

GetNativeSystemInfo, xrefs: 00CB4CAF
kernel32.dll, xrefs: 00CB4C9E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4df54948c6318dd249d7ea64adab779245327b0064044e3f398256604dd1f14e
Instruction ID: 60fa7b3c8e9c45aa08e2f7eb74eb7f2a207fd3ce89bdb365a766994a9ca2cfe1
Opcode Fuzzy Hash: 4df54948c6318dd249d7ea64adab779245327b0064044e3f398256604dd1f14e
Instruction Fuzzy Hash: 9BD01271A1072BDFD7205F71D918646B6D5AF05B51F118839D895D6260D770D480C660

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CB4CE1,?), ref: 00CB4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CB4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CB4DAE
kernel32.dll, xrefs: 00CB4D9D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 9698466a50c1c10d7addef20f96a0ca5eebe928524ef92114ce1a830676beff6
Instruction ID: 566700268e1a3e91d7ead765d36d5309284844c2f92058b49f373e88f0cff370
Opcode Fuzzy Hash: 9698466a50c1c10d7addef20f96a0ca5eebe928524ef92114ce1a830676beff6
Instruction Fuzzy Hash: 16D05E71954717CFDB209F71E808A86B6E4AF05355F11C83ED8E6D6260E770D880CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CB4D2E,?,00CB4F4F,?,00D762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00CB4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CB4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00CB4D7B
kernel32.dll, xrefs: 00CB4D6A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 15be22d54d327b96b4e983025e6240a844ac04e91dee48ebe326d1c07a78a25e
Instruction ID: fdda2b4764f1f47baffe8e6a6e3d897c3f4658f48b1bb49fa4930b22fac7c6ac
Opcode Fuzzy Hash: 15be22d54d327b96b4e983025e6240a844ac04e91dee48ebe326d1c07a78a25e
Instruction Fuzzy Hash: 33D01771914717CFDB209F31E808656B6E8AF15352F11893AD496D6260E670D880CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00D31072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00D312C1), ref: 00D31080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D31092

Strings

advapi32.dll, xrefs: 00D3107B
RegDeleteKeyExW, xrefs: 00D3108C

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: cb9865749404dbcb1c9fc56fbe7eed0e53bd4ff742c9447b3b3371ec9e0dbdde
Instruction ID: 6e2e2e7485f29c9298d17fec73943fdbb6fdfa3bead0f6547752166080f2ad5a
Opcode Fuzzy Hash: cb9865749404dbcb1c9fc56fbe7eed0e53bd4ff742c9447b3b3371ec9e0dbdde
Instruction Fuzzy Hash: 56D01735910713CFD7209F35E828A1B76E4AF09361F158C3AA48ADA260E770C8C0CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00D293F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00D29009,?,00D3F910), ref: 00D29403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D29415

Strings

kernel32.dll, xrefs: 00D293FE
GetModuleHandleExW, xrefs: 00D2940F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c668f31eacae9ffc8b5758148c996b6fdd4c31fbc078585abeec031eb50f9c5a
Instruction ID: 0fb2bddab586e0127059f2a736ed55db164111557669923c8a0eb6c00bfac2cc
Opcode Fuzzy Hash: c668f31eacae9ffc8b5758148c996b6fdd4c31fbc078585abeec031eb50f9c5a
Instruction Fuzzy Hash: 2DD0C73491032BCFCB20AF30E908A03B2E4AF11341F05C83AA482D2660E6B0C880CA70

Uniqueness

Uniqueness Score: -1.00%

Function 00CF1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CF1B42
__swprintf.LIBCMT ref: 00CF1B73

Strings

WIN_XPe, xrefs: 00CF1BB2
%.3d, xrefs: 00CF1B4D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 8bf2bc098018c28b5bed0d435692420d08f3d39d58af4996393447b641911be2
Instruction ID: e53607697ac8f791bd67c25d5e9cc2f16ee05a59a0140d18f7c483ccfa264482
Opcode Fuzzy Hash: 8bf2bc098018c28b5bed0d435692420d08f3d39d58af4996393447b641911be2
Instruction Fuzzy Hash: FBD0ECA580411CEBCA849A929C448FA737CA704301F580592BE06E1040F2649B84AA26

Uniqueness

Uniqueness Score: -1.00%

Function 00D076C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd1e6b8bb823a8d92a104af43bad3b49ec2ab70a5d067e4f19f8630c0eb7f01
Instruction ID: 1ba7b06cbc2178642a22a0e046433df1c6a0e494def717da382756ef448e8df4
Opcode Fuzzy Hash: 3bd1e6b8bb823a8d92a104af43bad3b49ec2ab70a5d067e4f19f8630c0eb7f01
Instruction Fuzzy Hash: A4C13C75E04216EFCB14CF94C884AAEB7B5FF48714B158599E849EF291D730EE81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D2E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D2E3D2
CharLowerBuffW.USER32(?,?), ref: 00D2E415

Part of subcall function 00D2DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D2DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D2E615
_memmove.LIBCMT ref: 00D2E628

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 51549a84507c208b46a85979f2993a73cd93cfcf524b00add06256cae1dd6354
Instruction ID: 2a7013cc8f45390bd058951f8cee5f87fc20e5bc4b8006e8baf7300f493e1792
Opcode Fuzzy Hash: 51549a84507c208b46a85979f2993a73cd93cfcf524b00add06256cae1dd6354
Instruction Fuzzy Hash: A8C16C716083119FC714DF28C48096ABBE4FF99318F14896EF9999B351D730E906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D283A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D283D8
CoUninitialize.OLE32 ref: 00D283E3

Part of subcall function 00D0DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D0DAC5

VariantInit.OLEAUT32(?), ref: 00D283EE
VariantClear.OLEAUT32(?), ref: 00D286BF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 8ee214dbf7066a1f3e3282d0f82c011100a64a3e5e74d9650cba145324bfb63e
Instruction ID: 9797ce7599e188cfdf2adb8e060fd8e349790c92896961535703ddf3e671d2ad
Opcode Fuzzy Hash: 8ee214dbf7066a1f3e3282d0f82c011100a64a3e5e74d9650cba145324bfb63e
Instruction Fuzzy Hash: ADA127756047119FCB10DF14D881B5AB7E5FF99318F188449FA9A9B3A2CB30ED04EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D07A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D42C7C,?), ref: 00D07C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D42C7C,?), ref: 00D07C4A
CLSIDFromProgID.OLE32(?,?,00000000,00D3FB80,000000FF,?,00000000,00000800,00000000,?,00D42C7C,?), ref: 00D07C6F
_memcmp.LIBCMT ref: 00D07C90

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: d0f17740fee247db2a9c75f982c3bd143e3264172ca347b263881fcf9c43cd22
Instruction ID: 844e005b0790146573089579100c57cb9fc9339e003b93abb0eccba1642d21d3
Opcode Fuzzy Hash: d0f17740fee247db2a9c75f982c3bd143e3264172ca347b263881fcf9c43cd22
Instruction Fuzzy Hash: 7C81F975E00109EFCB04DF94C984EEEB7B9FF89315F244598E516AB290DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D06DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D06E04
SysAllocString.OLEAUT32(00000000), ref: 00D06EAD
VariantCopy.OLEAUT32 ref: 00D06EDC
VariantClear.OLEAUT32(?), ref: 00D06F03

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1c0df445dc757e7606b9e9f034b4f7a55a61979defdeeeb21d8a2adcf43607ef
Instruction ID: c1b24c35bead18bcdcf9dbc4036201a158a9dd291b71cb8b2ec1c42ea03bc880
Opcode Fuzzy Hash: 1c0df445dc757e7606b9e9f034b4f7a55a61979defdeeeb21d8a2adcf43607ef
Instruction Fuzzy Hash: B0519730B083029ADB20AF65D895B69B7F5EF44310F24881FE69ECB2D1DB70E8549B35

Uniqueness

Uniqueness Score: -1.00%

Function 00D197E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00CB5045: _fseek.LIBCMT ref: 00CB505D

Part of subcall function 00D199BE: _wcscmp.LIBCMT ref: 00D19AAE
Part of subcall function 00D199BE: _wcscmp.LIBCMT ref: 00D19AC1

_free.LIBCMT ref: 00D1992C
_free.LIBCMT ref: 00D19933
_free.LIBCMT ref: 00D1999E

Part of subcall function 00CD2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00CD9C64), ref: 00CD2FA9
Part of subcall function 00CD2F95: GetLastError.KERNEL32(00000000,?,00CD9C64), ref: 00CD2FBB

_free.LIBCMT ref: 00D199A6

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: 8c0d28b2c6ec9749fe465238ceb360ea570a2ed96e96ed26c148509173fd5822
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: 62515EB1D04218AFDF249F64DC91ADEBBB9EF48310F1404AEB649A7241DB715A80DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00D39A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F2EC80,?), ref: 00D39AD2
ScreenToClient.USER32(00000002,00000002), ref: 00D39B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00D39B72

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b15d392d654865ca9516f3fa4bbe88b4c5186da0b8c1c455cae6bb0e4f92d282
Instruction ID: 60d652f46a6f8eaadd42514cb7d4e0fccd1dee165407b1d27d3c81ac8df29160
Opcode Fuzzy Hash: b15d392d654865ca9516f3fa4bbe88b4c5186da0b8c1c455cae6bb0e4f92d282
Instruction Fuzzy Hash: 04511D34A00609AFCF14DF68E8919AEBBB5FB55360F188259F855DB290D770ED81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D26CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D26CE4
WSAGetLastError.WSOCK32(00000000), ref: 00D26CF4

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D26D58
WSAGetLastError.WSOCK32(00000000), ref: 00D26D64

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b49e147375ad3a83224f39321162d2fcbff82d18b2428758f548e25bbb099e5a
Instruction ID: 0ca88bda511430bc23929abb8f86a2a0e2b4d8bb38cd1556014eeba0b259dc4a
Opcode Fuzzy Hash: b49e147375ad3a83224f39321162d2fcbff82d18b2428758f548e25bbb099e5a
Instruction Fuzzy Hash: 4B41B174740314AFEB20AF24DC86FBA77E9DF05B14F448418FA59AB2D2DA75DC009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D2672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D3F910), ref: 00D267BA
_strlen.LIBCMT ref: 00D267EC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 912d163e99df7354c44bb78adc0bf790fe6af0c6c970082b5947a07ecb64e864
Instruction ID: c197c2ec64dfb97e1008861b0db99197b7d2bc1cf276c016236931d537596a15
Opcode Fuzzy Hash: 912d163e99df7354c44bb78adc0bf790fe6af0c6c970082b5947a07ecb64e864
Instruction Fuzzy Hash: F3418231A00214ABCB14EBA4ECD5FEEB7A9EF58314F148169F91A972D2DB30ED44D760

Uniqueness

Uniqueness Score: -1.00%

Function 00D1BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D1BB09
GetLastError.KERNEL32(?,00000000), ref: 00D1BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D1BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D1BB80

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 01c2193133109f9192463f6eb3b85e37425d9fedcafe2defbd8bb44426b91611
Instruction ID: 181db8123ca249f1f679f1844c33f9e074cfb7e8d3816a1e80611c8678d4fd4e
Opcode Fuzzy Hash: 01c2193133109f9192463f6eb3b85e37425d9fedcafe2defbd8bb44426b91611
Instruction Fuzzy Hash: 62412839600610DFCB11EF15C584A9DBBE1EF49320F098499F94AAB762CB34FD41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D38AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D38B4D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 83c3a7bde57e9ed90165ce0374e3cace37626109ac100c0d017eaf395c3521b8
Instruction ID: 5deaec09cd931bd94ea631d01957bc12f27804fa2c283b52a96f1394fbc40ed4
Opcode Fuzzy Hash: 83c3a7bde57e9ed90165ce0374e3cace37626109ac100c0d017eaf395c3521b8
Instruction Fuzzy Hash: 5131A2B4604309BFEF249F28CC85FA9B7A5EB05350F284516FA95D63A1DE30E940AB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D3AE1A
GetWindowRect.USER32(?,?), ref: 00D3AE90
PtInRect.USER32(?,?,00D3C304), ref: 00D3AEA0
MessageBeep.USER32(00000000), ref: 00D3AF11

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6fd2ea4948d87ce8b1dc1c645cd3f4b369b052dfc6ae64e9cac9bcbccff64a85
Instruction ID: adf091c3fc84361621429aec32d0a972a8a3d5c006dfd3bf0cda73f3cbd29788
Opcode Fuzzy Hash: 6fd2ea4948d87ce8b1dc1c645cd3f4b369b052dfc6ae64e9cac9bcbccff64a85
Instruction Fuzzy Hash: BC413770B002199FCB11CF58C884A69BBF5FF49350F1881A9F898EB351E730E941DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D10FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D11037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00D11053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00D110B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00D1110B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4f5681566624f196d1c74004ca0289753709e50945ecd57a4dfe28d2e89456bc
Instruction ID: c446c6d3813255953cb17a1c3f1d86628871b7f92e63cf7ef79e730121af5968
Opcode Fuzzy Hash: 4f5681566624f196d1c74004ca0289753709e50945ecd57a4dfe28d2e89456bc
Instruction Fuzzy Hash: 3F312434E44698BEFF308B65AC05BFABBA9AB49310F08425AF680921D1CB7489C49771

Uniqueness

Uniqueness Score: -1.00%

Function 00D11121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00D11176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D11192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D111F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00D11243

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f76ee47f036c814ecd4a34c08245b736f213786df70b931a68a5cbdafbd9ea6b
Instruction ID: ee34558f01111001487630f2a92ac23996e26fa7ddfc4d6285c98f49ac8a6283
Opcode Fuzzy Hash: f76ee47f036c814ecd4a34c08245b736f213786df70b931a68a5cbdafbd9ea6b
Instruction Fuzzy Hash: F9314B34E4071CBAEF318B65AC057FABB6AAB45310F08431AF780925D1DB7489D48775

Uniqueness

Uniqueness Score: -1.00%

Function 00CE6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CE644B
__isleadbyte_l.LIBCMT ref: 00CE6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CE64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CE64DD

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 91ab5c328b60fda691e892da44435ebcd1811c61d19c890ea019b887341ac0d9
Instruction ID: 055a5c19d792924f91cc37d8c07e45d78b846ebb68d98da0db2595596210bb78
Opcode Fuzzy Hash: 91ab5c328b60fda691e892da44435ebcd1811c61d19c890ea019b887341ac0d9
Instruction Fuzzy Hash: CA31C13161028AAFDB21CF76CC45BBA7BA5FF50390F154429F864872D1D731DA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D35175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D35189

Part of subcall function 00D1387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D13897
Part of subcall function 00D1387D: GetCurrentThreadId.KERNEL32 ref: 00D1389E
Part of subcall function 00D1387D: AttachThreadInput.USER32(00000000,?,00D152A7), ref: 00D138A5

GetCaretPos.USER32(?), ref: 00D3519A
ClientToScreen.USER32(00000000,?), ref: 00D351D5
GetForegroundWindow.USER32 ref: 00D351DB

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f7a64d50abddc564a4c5616bf662f0d7c622a277520fda21463444990cebd2c3
Instruction ID: 5219e8ab0a2de5f951bbd9ef7ffb24a98ff79193342a0778aa31af6c337d8a2c
Opcode Fuzzy Hash: f7a64d50abddc564a4c5616bf662f0d7c622a277520fda21463444990cebd2c3
Instruction Fuzzy Hash: A5314D72D00208AFCB00EFA5D8859EFB7F9EF99300F10406AE505E7251EA759E00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

GetCursorPos.USER32(?), ref: 00D3C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CEBBFB,?,?,?,?,?), ref: 00D3C7D7
GetCursorPos.USER32(?), ref: 00D3C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CEBBFB,?,?,?), ref: 00D3C85E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cae9a2960c9f26dd983a438a87caa687072e9c4aace8619d199f92017f586b70
Instruction ID: 71fb3dae4b2a6901999574b81b2f73598062fcff891e17c1c1cf8a1495a3c2a7
Opcode Fuzzy Hash: cae9a2960c9f26dd983a438a87caa687072e9c4aace8619d199f92017f586b70
Instruction Fuzzy Hash: F2319F35600518AFCB25CF58C898EEA7BBAEB49310F084069F9099B2A1D7319E50DFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00CD0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00CD0BF2

Part of subcall function 00CB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D17B20,?,?,00000000), ref: 00CB5B8C
Part of subcall function 00CB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D17B20,?,?,00000000,?,?), ref: 00CB5BB0

_fprintf.LIBCMT ref: 00CD0C29
OutputDebugStringW.KERNEL32(?), ref: 00D06331

Part of subcall function 00CD4CDA: _flsall.LIBCMT ref: 00CD4CF3

__setmode.LIBCMT ref: 00CD0C5E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1f0eb3a2280dd9e03986ad0776db2d97b3054d3cd7df83e7f61925c7eab93daa
Instruction ID: 38389635614b2375b2db744d266367d9ff4df417550595c341514b2b873f2064
Opcode Fuzzy Hash: 1f0eb3a2280dd9e03986ad0776db2d97b3054d3cd7df83e7f61925c7eab93daa
Instruction Fuzzy Hash: B1110531904604BBCB08B7B5AC42AFE7B69DF41320F14011BF308972D2DF305985A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00D08B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D08652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D08669
Part of subcall function 00D08652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D08673
Part of subcall function 00D08652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D08682
Part of subcall function 00D08652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D08689
Part of subcall function 00D08652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D0869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D08BEB
_memcmp.LIBCMT ref: 00D08C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D08C44
HeapFree.KERNEL32(00000000), ref: 00D08C4B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4f6511ab7cd3278258a3283b85b1456a78f2dff3625cfbb639b5206d6fd6016a
Instruction ID: a2a113ae018730fb35cfb5b0c378de1a33eeb0f634f26765accb3b17bda7f75f
Opcode Fuzzy Hash: 4f6511ab7cd3278258a3283b85b1456a78f2dff3625cfbb639b5206d6fd6016a
Instruction Fuzzy Hash: 7E219C71E01208EFDB10CFA4C944BEEB7B8EF40340F084059E499A7280DB31AA06EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D21A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D21A97

Part of subcall function 00D21B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D21B40
Part of subcall function 00D21B21: InternetCloseHandle.WININET(00000000), ref: 00D21BDD

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 6041de87cf13c8443ca00d166f7e9e4486f249c6f8a48ed0fd3a24a70645445d
Instruction ID: 90f5fc305ce1f591cf36d3f54cc8ba26d1b4024b2fb2c808915e6e39f7e06ca8
Opcode Fuzzy Hash: 6041de87cf13c8443ca00d166f7e9e4486f249c6f8a48ed0fd3a24a70645445d
Instruction Fuzzy Hash: 0C21FF39200715BFDB119F60AC00FBAB7B9FFB5705F14801AFA5196260EB71D8119BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D0E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D0E1C4,?,?,?,00D0EFB7,00000000,000000EF,00000119,?,?), ref: 00D0F5BC
Part of subcall function 00D0F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00D0F5E2
Part of subcall function 00D0F5AD: lstrcmpiW.KERNEL32(00000000,?,00D0E1C4,?,?,?,00D0EFB7,00000000,000000EF,00000119,?,?), ref: 00D0F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D0EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D0E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00D0E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D0EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D0E237

Strings

cdecl, xrefs: 00D0E22E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 26a74884c312daa9208ee0d68fb9a6ec2e5f3a5291c433df177a65a34e241149
Instruction ID: 4bda6ff543187b60937e07dc0fcbd96199c49c1022e62cdef098015891ec9218
Opcode Fuzzy Hash: 26a74884c312daa9208ee0d68fb9a6ec2e5f3a5291c433df177a65a34e241149
Instruction Fuzzy Hash: 34118E36200345EFCB25AF74DC49E7A77B8FF85350B54442AE90ACB2A0EB71985197B4

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE5351

Part of subcall function 00CD594C: __FF_MSGBANNER.LIBCMT ref: 00CD5963
Part of subcall function 00CD594C: __NMSG_WRITE.LIBCMT ref: 00CD596A
Part of subcall function 00CD594C: RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000000,?,?,?,00CD1013,?), ref: 00CD598F

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: bdde66cf14ec8a17109ff0bc66f9b02d153319a46d0b6bc28cc6d5960264ce1b
Instruction ID: 9855ba3320ecec194f652f73ed04e880e74e5d426f8362dace7b493a99a4f6bf
Opcode Fuzzy Hash: bdde66cf14ec8a17109ff0bc66f9b02d153319a46d0b6bc28cc6d5960264ce1b
Instruction Fuzzy Hash: 0711E732504B5AAFCB212F72AC0565D37959F103E4F20042BFA15D62F1DF718A40A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB4560

Part of subcall function 00CB410D: _memset.LIBCMT ref: 00CB418D
Part of subcall function 00CB410D: _wcscpy.LIBCMT ref: 00CB41E1
Part of subcall function 00CB410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CB41F1

KillTimer.USER32(?,00000001,?,?), ref: 00CB45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CB45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CED6CE

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 6f5c02611c9c603fea3a70b987af620ea37bd844483dff9f70d8040ddaaf88a7
Instruction ID: bf234ac51ce2bd1932371d509a1bf8927107becc74396e2ceee6a8c0c2785f45
Opcode Fuzzy Hash: 6f5c02611c9c603fea3a70b987af620ea37bd844483dff9f70d8040ddaaf88a7
Instruction Fuzzy Hash: 9221DB709087D4AFEB328B25DC55BEBBBEC9F01304F04049EE69E96242D7745B88DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D2667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D17B20,?,?,00000000), ref: 00CB5B8C
Part of subcall function 00CB5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D17B20,?,?,00000000,?,?), ref: 00CB5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00D266AC
WSAGetLastError.WSOCK32(00000000), ref: 00D266B7
_memmove.LIBCMT ref: 00D266E4
inet_ntoa.WSOCK32(?), ref: 00D266EF

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 878c75d3f5c55875fe0778225b61a8bb9f5b97ac4ad51b09fb127b1864801c86
Instruction ID: 5bf3e90ab4fe155822b0ffb73ad12a04630a9f64bf8da5fa14830187f7b93814
Opcode Fuzzy Hash: 878c75d3f5c55875fe0778225b61a8bb9f5b97ac4ad51b09fb127b1864801c86
Instruction Fuzzy Hash: F4111F75900509AFCB04FBA4D986EEEB7B8EF54314F144065F506A72A1DF30AE14EB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D09023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D09043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D09055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D0906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D09086

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4290230d8b91fa0a96cd9b1a286a3971737880a97f3700a4b3563dbe2d70da3e
Instruction ID: 2536f85e932f7628064dd03da1173e38c464b87c169531d714c92bef34135c09
Opcode Fuzzy Hash: 4290230d8b91fa0a96cd9b1a286a3971737880a97f3700a4b3563dbe2d70da3e
Instruction Fuzzy Hash: 28113A79900218BFDB10DFA5C985F9DFB74FB48310F204095E904B7290D6716E10DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00CB2612: GetWindowLongW.USER32(?,000000EB), ref: 00CB2623

DefDlgProcW.USER32(?,00000020,?), ref: 00CB12D8
GetClientRect.USER32(?,?), ref: 00CEB84B
GetCursorPos.USER32(?), ref: 00CEB855
ScreenToClient.USER32(?,?), ref: 00CEB860

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 65278774fb3370a7e7c3d1715a2d84809385d6512572baa09fe6626b6b37935d
Instruction ID: 4083f8ff766084d363a167df95a4380211c5972ad14ce690434a96f2e780cefc
Opcode Fuzzy Hash: 65278774fb3370a7e7c3d1715a2d84809385d6512572baa09fe6626b6b37935d
Instruction Fuzzy Hash: B5116636A00119AFCB04EFA8D895DFE77B8EB05301F800466F911E3250D730BA519BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D11652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D101FD,?,00D11250,?,00008000), ref: 00D1166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D101FD,?,00D11250,?,00008000), ref: 00D11694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D101FD,?,00D11250,?,00008000), ref: 00D1169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00D101FD,?,00D11250,?,00008000), ref: 00D116D1

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 958908ef138907a913dad5f76a3d62ed381c63c34009bf486591d520fbc21e8d
Instruction ID: 1011ce7444e702ca6eb9346d8fd3272bffc63a32888146d92c78d95cc5f8ad64
Opcode Fuzzy Hash: 958908ef138907a913dad5f76a3d62ed381c63c34009bf486591d520fbc21e8d
Instruction Fuzzy Hash: 8B112E35D0061DE7CF009FA5E944AEEBB78FF19751F054055EA80B6240CF7195908BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00CE722B

Part of subcall function 00CE7912: __fltout2.LIBCMT ref: 00CE793B

__cftog_l.LIBCMT ref: 00CE7251
__cftoe_l.LIBCMT ref: 00CE7283

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: f528e3d2f8c4ab028bbaa016d3228dac7836e6fd2019960b382eb9256c972c85
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6E014C3604818AFBCF125F96DC018EE3F62BF69351B598615FB2858031D237CAB1BB81

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D3B59E
ScreenToClient.USER32(?,?), ref: 00D3B5B6
ScreenToClient.USER32(?,?), ref: 00D3B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D3B5F5

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 26a189b45df7f991f02a379ab23f4a8751a435c7a4cf2ee7c20eada6e8d894d8
Instruction ID: 74e91303668ce3e5278320a4a373d20565d6d42f4a2a16de808195cf3c2977a1
Opcode Fuzzy Hash: 26a189b45df7f991f02a379ab23f4a8751a435c7a4cf2ee7c20eada6e8d894d8
Instruction Fuzzy Hash: 071146B5D0020DEFDB41CF99C8459EEFBB5FB08310F104166E954E3620D735AA558F60

Uniqueness

Uniqueness Score: -1.00%

Function 00D3B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D3B8FE
_memset.LIBCMT ref: 00D3B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D77F20,00D77F64), ref: 00D3B93C
CloseHandle.KERNEL32 ref: 00D3B94E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 2a9bae9e405a98be775f4db2e74702f1ac60ce167e68c5f13044de68fd1e7ead
Instruction ID: 48583c4e637b3621291f2021cd06f51595d26de06dd10e65793314c7a8b53b6f
Opcode Fuzzy Hash: 2a9bae9e405a98be775f4db2e74702f1ac60ce167e68c5f13044de68fd1e7ead
Instruction Fuzzy Hash: 55F05EB2644304BBE2102B61AD06FBBBA5CEF09354F004821FB0CD6392E771590087B9

Uniqueness

Uniqueness Score: -1.00%

Function 00D16E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00D16E88

Part of subcall function 00D1794E: _memset.LIBCMT ref: 00D17983

_memmove.LIBCMT ref: 00D16EAB
_memset.LIBCMT ref: 00D16EB8
LeaveCriticalSection.KERNEL32(?), ref: 00D16EC8

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8b2a0cb104fcede6f79027b007556a5c7d1c6a369f847e14a3cdbcfcb8ab394f
Instruction ID: 7f4cc6a397c50d6f1688558b23cb0c026d86084952c0041140ffd9b5950fb035
Opcode Fuzzy Hash: 8b2a0cb104fcede6f79027b007556a5c7d1c6a369f847e14a3cdbcfcb8ab394f
Instruction Fuzzy Hash: A9F0543A604204BBCF016F55EC85E8ABB29EF45320B04C061FE089E227CB71A951DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CB12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CB134D
Part of subcall function 00CB12F3: SelectObject.GDI32(?,00000000), ref: 00CB135C
Part of subcall function 00CB12F3: BeginPath.GDI32(?), ref: 00CB1373
Part of subcall function 00CB12F3: SelectObject.GDI32(?,00000000), ref: 00CB139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D3C030
LineTo.GDI32(00000000,?,?), ref: 00D3C03D
EndPath.GDI32(00000000), ref: 00D3C04D
StrokePath.GDI32(00000000), ref: 00D3C05B

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 397c079d49a95788dc240a38b25420c3b84c99278adb4a4e369ba71bf22e0d5f
Instruction ID: 5c313762d400812a59ce310080c7d3a269cbc38aa3c32d7e43624492c5df2c06
Opcode Fuzzy Hash: 397c079d49a95788dc240a38b25420c3b84c99278adb4a4e369ba71bf22e0d5f
Instruction Fuzzy Hash: CCF0BE3200135DBBDB122F54AC0AFCE3F59AF05310F084000FA11A12E287755660CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D0A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D0A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D0A3AC
GetCurrentThreadId.KERNEL32 ref: 00D0A3B3
AttachThreadInput.USER32(00000000), ref: 00D0A3BA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 5a035007e359d17b1ce4f2e4932e8f2b1f25a19bd675e8fab39e18374ada0d74
Instruction ID: 2a5637e8bc76aca6573dd4567f29b93bb8b44cb88eb91064b95a7ba90015fa07
Opcode Fuzzy Hash: 5a035007e359d17b1ce4f2e4932e8f2b1f25a19bd675e8fab39e18374ada0d74
Instruction Fuzzy Hash: 47E0A531945328BADB206BA6DC0DFD77E5CEF267A1F048025F549D51A0C67185409BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CB2231
SetTextColor.GDI32(?,000000FF), ref: 00CB223B
SetBkMode.GDI32(?,00000001), ref: 00CB2250
GetStockObject.GDI32(00000005), ref: 00CB2258
GetWindowDC.USER32(?,00000000), ref: 00CEC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CEC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00CEC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00CEC112
GetPixel.GDI32(00000000,?,?), ref: 00CEC132
ReleaseDC.USER32(?,00000000), ref: 00CEC13D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 4145e7c3d2b7cc8997a11045888a98941112314d16124955ba41160056d1d563
Instruction ID: e59bf6955a3ce69b2cbaeab6bb1fd0742dbae32b59ff667f39823c037c27a808
Opcode Fuzzy Hash: 4145e7c3d2b7cc8997a11045888a98941112314d16124955ba41160056d1d563
Instruction Fuzzy Hash: CFE06D32900388FADF215F64FC4DBD83B10EB05332F008366FA79881E187714A81DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00D08C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D08C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D0882E), ref: 00D08C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D0882E), ref: 00D08C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D0882E), ref: 00D08C7E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 715031d0c547ec5aec9176db6521800c40954ae9e24d19dbcc535b4576663bc7
Instruction ID: d4025ebda36ba74f6e292cdf189b98e08cbba3fef8cc90023cba9975d685054a
Opcode Fuzzy Hash: 715031d0c547ec5aec9176db6521800c40954ae9e24d19dbcc535b4576663bc7
Instruction Fuzzy Hash: 05E08636A42325DBE7205FB46E0CB573BBCEF50792F084829F289C9090DA348441DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00CF2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CF2187
GetDC.USER32(00000000), ref: 00CF2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CF21B1
ReleaseDC.USER32(?), ref: 00CF21D2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8fcb72239295c2d07ea11143ed0f7857a462c4dc2fbf9f76643a7f52c336c20a
Instruction ID: a0367032697a7780bda43620a49dcc0715b09d9ed56620262570a651c522187a
Opcode Fuzzy Hash: 8fcb72239295c2d07ea11143ed0f7857a462c4dc2fbf9f76643a7f52c336c20a
Instruction Fuzzy Hash: E3E0E575800308EFDB019FA1C809AAD7BB1EB5C350F108425F95AE7320CB388541AF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CF219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CF219B
GetDC.USER32(00000000), ref: 00CF21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CF21B1
ReleaseDC.USER32(?), ref: 00CF21D2

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 790cea3c09c63cb6ff4a51ad234ec169c964cd1e9244af900b3eec49ad59819f
Instruction ID: 73e235b2fe5e987d814e9bbe37a081734fc03f31cdd0de9272c929d59c119b92
Opcode Fuzzy Hash: 790cea3c09c63cb6ff4a51ad234ec169c964cd1e9244af900b3eec49ad59819f
Instruction Fuzzy Hash: 62E012B5C00308AFCB019FB0C809A9DBBF1EB5C350F108029F95AE7320CB389141AF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D0B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00D0B981

Strings

Container, xrefs: 00D0B8FE
AutoIt3GUI, xrefs: 00D0B8F9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 09b7708c54282417d8540b31b12a0305d2f1c053e060d3a7226949b13bca6236
Instruction ID: 729a54610c91f2d1ef9415f0d7c37d82816eb2abec80eb7be64eaa3adb2e229d
Opcode Fuzzy Hash: 09b7708c54282417d8540b31b12a0305d2f1c053e060d3a7226949b13bca6236
Instruction Fuzzy Hash: 90914C706046019FDB24CF68C894B66BBE9FF48710F24856EF94ACB7A1DB70E844CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D1B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CCFEC6: _wcscpy.LIBCMT ref: 00CCFEE9

Part of subcall function 00CB9997: __itow.LIBCMT ref: 00CB99C2
Part of subcall function 00CB9997: __swprintf.LIBCMT ref: 00CB9A0C

__wcsnicmp.LIBCMT ref: 00D1B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D1B361

Strings

LPT, xrefs: 00D1B292

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 4b1a86d025562c963661c2ffba9e62d696b2d0377c5c6f5d6b8483f5885e8256
Instruction ID: 1459122db9ed6f7004cd2907c0ab12f19a464fc15cb96ee3f9684a850fd56a86
Opcode Fuzzy Hash: 4b1a86d025562c963661c2ffba9e62d696b2d0377c5c6f5d6b8483f5885e8256
Instruction Fuzzy Hash: 72616375A00215EFCB14EF94D885EEEB7B4EF08320F15405AF556AB391DB70AE84DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CC2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CC2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CC2AE1

Strings

@, xrefs: 00CC2AD5

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d0ade63fa246f854906e1bf6c935b389ebcb67c3f358aa8a42b0353be7cf7a79
Instruction ID: 7060ecc2673ad5112c2fd23bf7db17d6a34d9ec8490774d741349bfa9130bdd2
Opcode Fuzzy Hash: d0ade63fa246f854906e1bf6c935b389ebcb67c3f358aa8a42b0353be7cf7a79
Instruction Fuzzy Hash: F6513771418744ABD320AF10D886BABBBF8FF85314F42885DF2D9911A1DB308569DB27

Uniqueness

Uniqueness Score: -1.00%

Function 00D199BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00CB506B: __fread_nolock.LIBCMT ref: 00CB5089

_wcscmp.LIBCMT ref: 00D19AAE
_wcscmp.LIBCMT ref: 00D19AC1

Strings

FILE, xrefs: 00D199FA

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: f00aec508de49faa8f3f4c1b49511146488693cc6370cd9c86e3768780909568
Instruction ID: 5d0d4d4cfa4d43bbcd346232b712ac34af35eb20e644067fbe57eb6199dc5978
Opcode Fuzzy Hash: f00aec508de49faa8f3f4c1b49511146488693cc6370cd9c86e3768780909568
Instruction Fuzzy Hash: E141C671A00619BADF20AAA4EC95FEFB7BDDF45710F04007AFA00A71C1DA75AA4497B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D22882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D22892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D228C8

Strings

|, xrefs: 00D22899

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9a91054ddf6584fe2113112149f64c4e86b6b6f0c1cd1ff1318ff3bd02c07c29
Instruction ID: e8112d8d58fe66609ea1f352c5e89c18c88faa80f1ad0f04eef4d60303c96d1b
Opcode Fuzzy Hash: 9a91054ddf6584fe2113112149f64c4e86b6b6f0c1cd1ff1318ff3bd02c07c29
Instruction Fuzzy Hash: E5313E71800219AFCF11DFA1DC85EEEBFB9FF18300F144125F815A6265DB315956EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D37CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D37DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D37DE5

Strings

', xrefs: 00D37D39

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e4561956ec678be1cfcdd56b5913aab6e26acf772683299dd4a3d29dea4d65e8
Instruction ID: 9b9769ea8cfca659feee326f6f1eb19e0d7bd2eaf52fc745981b16c59e76eec7
Opcode Fuzzy Hash: e4561956ec678be1cfcdd56b5913aab6e26acf772683299dd4a3d29dea4d65e8
Instruction Fuzzy Hash: 9341F7B4A05609DFDB64CF68D981BEA7BB5FF09300F14016AE909EB351E770A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D36CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D36D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D36DC2

Strings

static, xrefs: 00D36D22

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5f98b8fd5f74ef571b7b1bec3a41da7c6328361011e2508184080fa93030f647
Instruction ID: 53c185e5f111e2adaa7290b7e14845649c7a1c8f74495e849bea32a86067ab5e
Opcode Fuzzy Hash: 5f98b8fd5f74ef571b7b1bec3a41da7c6328361011e2508184080fa93030f647
Instruction Fuzzy Hash: E0316971200608AAEB109F68DC80AFB77A9FF49720F148619F9A997190DA71EC91DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D12D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D12E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D12E3B

Strings

0, xrefs: 00D12DF9

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3d0ac0e58383bd10047d2d1a4d45dddbdbb2ce96582013aafe093902699c8c66
Instruction ID: bd8d9a91d6a8c128c8d01ac561c8e41e0b9b82c7023251f9c1dff2f78af6258f
Opcode Fuzzy Hash: 3d0ac0e58383bd10047d2d1a4d45dddbdbb2ce96582013aafe093902699c8c66
Instruction Fuzzy Hash: 1931D731600309BBEB248F58E845BFEBBB5EF05350F18402AF985961A0EF7199D4DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D23CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00D23D5A

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Strings

AUTOITCALLVARIABLE%d, xrefs: 00D23D4C
, $, xrefs: 00D23D9A

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: e44fe3cf452c4259f75465bcb75b5e220c1bd6c157ea45acf0d594b57925363a
Instruction ID: f0d7eac88245b9de7e109429031a69ce8550125aacddbb91825e9cc4b3d9e902
Opcode Fuzzy Hash: e44fe3cf452c4259f75465bcb75b5e220c1bd6c157ea45acf0d594b57925363a
Instruction Fuzzy Hash: 1F215E31600228AFCF10EF64DC86AEDB7B9BF54704F404495F805A7282DA35EA55DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D36943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D369D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D369DB

Strings

Combobox, xrefs: 00D3699D

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ac208006e547db45a6632e1b99f5e6edacb72771d45c8d8106beb3a245f1948d
Instruction ID: a63c3711655f222ffc023fa9810a4c677ee85eaa65954fc8d090738e1d351637
Opcode Fuzzy Hash: ac208006e547db45a6632e1b99f5e6edacb72771d45c8d8106beb3a245f1948d
Instruction Fuzzy Hash: B511B2716002087FEF119F24CC90FAB3B6AEB893A4F158125F9589B290D671DC918BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D36E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CB1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00CB1D73
Part of subcall function 00CB1D35: GetStockObject.GDI32(00000011), ref: 00CB1D87
Part of subcall function 00CB1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB1D91

GetWindowRect.USER32(00000000,?), ref: 00D36EE0
GetSysColor.USER32(00000012), ref: 00D36EFA

Strings

static, xrefs: 00D36EBD

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 000be721ee2cca2710e13430425fb45650114ae3416bbc00734c8eb1b33af009
Instruction ID: 02acea3739beb7e1e03f5109b3ab9e8f41a633717c30986c6c998d74121807d7
Opcode Fuzzy Hash: 000be721ee2cca2710e13430425fb45650114ae3416bbc00734c8eb1b33af009
Instruction Fuzzy Hash: E1212C72910209AFDB04DFB8DD45AEA7BB8FB08354F054529FD55D3250E634E861DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D36B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D36C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D36C20

Strings

edit, xrefs: 00D36BF5

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d1d4532589aa6e516a97fbcf9aaad1ccf8199a1c37596612214e556f3777d7dc
Instruction ID: f269369aff2293b82745ac49c10fe245035c0a658ac028446a7a257a479ca578
Opcode Fuzzy Hash: d1d4532589aa6e516a97fbcf9aaad1ccf8199a1c37596612214e556f3777d7dc
Instruction Fuzzy Hash: E611BC71500208BBEB108F64DC41AEB7B69EB04378F248724F9A4D31E0C775DC90AB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D12E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D12F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D12F30

Strings

0, xrefs: 00D12F07

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: fcf6cbccb0de272b161ac06f5a8fe60c07d74037424b12185ccd2721ccc847e6
Instruction ID: 0aaa992fe20cd51dd77b8e8961405ca2f9ee825e27f59004d96f2b9a5f9f34f4
Opcode Fuzzy Hash: fcf6cbccb0de272b161ac06f5a8fe60c07d74037424b12185ccd2721ccc847e6
Instruction Fuzzy Hash: AB11D335901254BBCB20DB58EC44BF977B9EF01310F0840A1F894E72A1EB71ED9587B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D224CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D22520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D22549

Strings

<local>, xrefs: 00D22511

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a3c2e692040fb87c60b8d79ad78d67ba174b80b17779b58c45f0170170bb6d86
Instruction ID: bbdd7cfa2caf9360a0373e11c38b441328a5a2bef465d6be628b884137fe44e9
Opcode Fuzzy Hash: a3c2e692040fb87c60b8d79ad78d67ba174b80b17779b58c45f0170170bb6d86
Instruction Fuzzy Hash: 151102B0500235BEDB249F51AC99EBBFF68FF26369F10812AF94582140D770A945DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00D280A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00D280C8,?,00000000,?,?), ref: 00D28322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D280CB
htons.WSOCK32(00000000,?,00000000), ref: 00D28108

Strings

255.255.255.255, xrefs: 00D280E3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 8b3f8e24b43d51b0cc39ea5bb4ae2b95977a5a4a1ae8570dcd2439d240480223
Instruction ID: 7579e098151bae88215c51233dd7371443af5bb6ea1c66161917cc727b8fb3f1
Opcode Fuzzy Hash: 8b3f8e24b43d51b0cc39ea5bb4ae2b95977a5a4a1ae8570dcd2439d240480223
Instruction Fuzzy Hash: AC11E174600319ABCB20AF64DC46FFDB324FF24324F14852AF911A72D1DB32A811E6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D092E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D0B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D09355

Strings

ListBox, xrefs: 00D0931F
ComboBox, xrefs: 00D092F4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 40074698a718cb4d759b72d00f77045fa584e769c2105a57c7dda25a90b79eff
Instruction ID: 3de6ce7e8f339060c250905d84ab25f824a2d82b73195c91328097e7973f53c4
Opcode Fuzzy Hash: 40074698a718cb4d759b72d00f77045fa584e769c2105a57c7dda25a90b79eff
Instruction Fuzzy Hash: AE019271A45214ABCB04EBA4CCA29FEB76DFF46320B140619F876672D2DA31590C9670

Uniqueness

Uniqueness Score: -1.00%

Function 00D091DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D0B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D0924D

Strings

ListBox, xrefs: 00D09217
ComboBox, xrefs: 00D091EC

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 62dd40e7644b8f91834fc2890763495c8136ed4a9ff3d68caa72b599a8de1623
Instruction ID: b365adc36b0a1a1205045dc1b821340ba63e1b71e434acf276fed05308b56003
Opcode Fuzzy Hash: 62dd40e7644b8f91834fc2890763495c8136ed4a9ff3d68caa72b599a8de1623
Instruction Fuzzy Hash: 9401A771A452087BCB04EBA0C9A2FFFB3ACDF45310F540119B956672D2EA215F1CA675

Uniqueness

Uniqueness Score: -1.00%

Function 00D09264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7F41: _memmove.LIBCMT ref: 00CB7F82

Part of subcall function 00D0B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D0B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D092D0

Strings

ListBox, xrefs: 00D0929C
ComboBox, xrefs: 00D09271

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: bb2ab647a6f7156ab22de3dd866259f8d29fb69b08c7cd3284b1d001eb8b10fe
Instruction ID: a951298e654fce3d14c2eb8572f8c5990a7b9b11863d91c039f82e202224ebba
Opcode Fuzzy Hash: bb2ab647a6f7156ab22de3dd866259f8d29fb69b08c7cd3284b1d001eb8b10fe
Instruction Fuzzy Hash: C101A271E462087BCB04EBB0C9A2FFFB7AC9F11310F640115B856632C2DA219E0CA279

Uniqueness

Uniqueness Score: -1.00%

Function 00D151CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D151E8
_wcscmp.LIBCMT ref: 00D151FA

Strings

#32770, xrefs: 00D151F4

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 3f0395d2d9166da30f99cee4ebed39524eda351b4851f9f3c30bb2b549543038
Instruction ID: 059809013d68b62e91f523edc2b5c10f5df11b21f56ec69023a39fce32cffbeb
Opcode Fuzzy Hash: 3f0395d2d9166da30f99cee4ebed39524eda351b4851f9f3c30bb2b549543038
Instruction Fuzzy Hash: 83E02272A0032C2BE3209B99AC09BA7F7ACEB44721F00016BFD14D3140E5609A448BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D081BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D081CA

Part of subcall function 00CD3598: _doexit.LIBCMT ref: 00CD35A2

Strings

AutoIt, xrefs: 00D081BE
Error allocating memory., xrefs: 00D081C3

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ce86a596e4d94ec3140d8e1a14a9b800912b89ebf4e22d09efa5205e2aaa4ae1
Instruction ID: d7460f75c4a71851677ef1932189d5806aa9727b80d0ccb86737297d103d0d45
Opcode Fuzzy Hash: ce86a596e4d94ec3140d8e1a14a9b800912b89ebf4e22d09efa5205e2aaa4ae1
Instruction Fuzzy Hash: 1ED0123228535837D21432A67D07BC575484B05B51F044016BB08956D38ED2598152B9

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CEB564: _memset.LIBCMT ref: 00CEB571

Part of subcall function 00CD0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CEB540,?,?,?,00CB100A), ref: 00CD0B89

IsDebuggerPresent.KERNEL32(?,?,?,00CB100A), ref: 00CEB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CB100A), ref: 00CEB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CEB54E

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: cdc626563cf153e26fae942821b4cd2e7391c14182a73f6f5e8e35bce1449c57
Instruction ID: 46b0520294a3e13ce5cb0c329a636fb34e86dcdc0b9f2256490bbd6472ae8b05
Opcode Fuzzy Hash: cdc626563cf153e26fae942821b4cd2e7391c14182a73f6f5e8e35bce1449c57
Instruction Fuzzy Hash: DEE06DB0601755CFD720DF29E5053637BE4AB04705F00892DE886C2761E7B4D848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D35BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D35BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D35C08

Part of subcall function 00D154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D1555E

Strings

Shell_TrayWnd, xrefs: 00D35BEE

Memory Dump Source

Source File: 00000000.00000002.2106654800.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.2106637597.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D3F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106734332.0000000000D65000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106799057.0000000000D6F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2106841660.0000000000D78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_r)_78768.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 904fc0ff972ff05c523d33aefe4e194bbfc7a354bad622df6c8fe677d741619a
Instruction ID: bbde961fe4d63695df33665cdc0263d62703d2bf3db741b6afeaa6a53e453683
Opcode Fuzzy Hash: 904fc0ff972ff05c523d33aefe4e194bbfc7a354bad622df6c8fe677d741619a
Instruction Fuzzy Hash: 42D0C932788715BBE764AB70BC0BFD76A14EB51B51F040825B655EA2E0D9E85840C670

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r)_78768.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut3B9B.tmp

C:\Users\user\AppData\Local\Temp\aut3BFA.tmp

C:\Users\user\AppData\Local\Temp\derogates

C:\Users\user\AppData\Local\Temp\putrefactible

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
r)_78768.exe

Function 00CB3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00CB4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00CB4FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00D193DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00CB302C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63
windowregistryCOMMON

Function 00CB3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00CB71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00CB3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00CB3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00CB3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00E12690 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
fileCOMMON

Function 00CB39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00E12410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162
fileCOMMON

Function 00CB410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00CD564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre