Edit tour

Windows Analysis Report
ABT-57809267-57236090890_____________________________________.exe

Overview

General Information

Sample name:	ABT-57809267-57236090890_____________________________________.exe
Analysis ID:	1430805
MD5:	111af05dd1407b81db746b75b32e8b92
SHA1:	5fd001e0d0d86e5ee6d19e388bef20d31865f45d
SHA256:	e3e2106835618398ef240b9e3e84026a0019bafda4464f3150756d42c5374f9d
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ABT-57809267-57236090890_____________________________________.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe" MD5: 111AF05DD1407B81DB746B75B32E8B92)

RegSvcs.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "absach@worlorderbillions.top", "Password": "@qwerty90123        "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1668280133.0000000003A90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.2899736344.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe", CommandLine: "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe, NewProcessName: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe, OriginalFileName: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe", ProcessId: 7320, ProcessName: ABT-57809267-57236090890_____________________________________.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: RegSvcs.exe.7336.1.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "absach@worlorderbillions.top", "Password": "@qwerty90123 "}

Multi AV Scanner detection for submitted file

Source: ABT-57809267-57236090890_____________________________________.exe	ReversingLabs: Detection: 44%
Source: ABT-57809267-57236090890_____________________________________.exe	Virustotal: Detection: 35%			Perma Link

Machine Learning detection for sample

Source: ABT-57809267-57236090890_____________________________________.exe

Joe Sandbox ML: detected

Source: ABT-57809267-57236090890_____________________________________.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1661719472.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1662122544.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1661719472.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1662122544.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00744696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00744696
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074C93C FindFirstFileW,FindClose,	0_2_0074C93C
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0074C9C7
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0074F200
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0074F35D
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0074F65E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00743A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00743A2B
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00743D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00743D4E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0074BF27

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_007525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007525E2

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0075425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0075425A

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00754458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00754458

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

0_2_0075425A

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00740219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00740219

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0076CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0076CDAC

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: This is a third-party compiled AutoIt script.	0_2_006E3B4C
Source: ABT-57809267-57236090890_____________________________________.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000000.1648696364.0000000000795000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_37a06d60-1
Source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000000.1648696364.0000000000795000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d02c25cf-4
Source: ABT-57809267-57236090890_____________________________________.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_34004ab4-e
Source: ABT-57809267-57236090890_____________________________________.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6a137ce5-a

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00744021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00744021

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00738858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00738858

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0074545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0074545F

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006EE800	0_2_006EE800
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070DBB5	0_2_0070DBB5
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006EE060	0_2_006EE060
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0076804A	0_2_0076804A
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F4140	0_2_006F4140
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00702405	0_2_00702405
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00716522	0_2_00716522
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0071267E	0_2_0071267E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00760665	0_2_00760665
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F6843	0_2_006F6843
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070283A	0_2_0070283A
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_007189DF	0_2_007189DF
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F8A0E	0_2_006F8A0E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00760AE2	0_2_00760AE2
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00716A94	0_2_00716A94
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00748B13	0_2_00748B13
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0073EB07	0_2_0073EB07
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070CD61	0_2_0070CD61
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00717006	0_2_00717006
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F710E	0_2_006F710E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F3190	0_2_006F3190
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006E1287	0_2_006E1287
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_007033C7	0_2_007033C7
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070F419	0_2_0070F419
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_007016C4	0_2_007016C4
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F5680	0_2_006F5680
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_007078D3	0_2_007078D3
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006F58C0	0_2_006F58C0
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00701BB8	0_2_00701BB8
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00719D05	0_2_00719D05
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006EFE40	0_2_006EFE40
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070BFE6	0_2_0070BFE6
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00701FD0	0_2_00701FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028FD048	1_2_028FD048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028F4110	1_2_028F4110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028F95D8	1_2_028F95D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028F9DD0	1_2_028F9DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028F4D28	1_2_028F4D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028F4458	1_2_028F4458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05680040	1_2_05680040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05683268	1_2_05683268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05681918	1_2_05681918

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: String function: 00700D27 appears 70 times
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: String function: 006E7F41 appears 35 times
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: String function: 00708B40 appears 42 times

Source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1660949298.0000000003C13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ABT-57809267-57236090890_____________________________________.exe
Source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1661719472.0000000003DBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ABT-57809267-57236090890_____________________________________.exe
Source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000002.1668280133.0000000003A90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee98985aa-1a0a-4027-b0e4-a37605f1db47.exe4 vs ABT-57809267-57236090890_____________________________________.exe

Source: ABT-57809267-57236090890_____________________________________.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@3/4@0/0

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0074A2D5 GetLastError,FormatMessageW,

0_2_0074A2D5

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00738713 AdjustTokenPrivileges,CloseHandle,		0_2_00738713
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00738CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00738CC3

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0074B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0074B59E

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0075F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0075F121

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0074C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0074C602

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_006E4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006E4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

File created: C:\Users\user\AppData\Local\Temp\aut8218.tmp

Jump to behavior

Source: ABT-57809267-57236090890_____________________________________.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2900961515.0000000002B23000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ABT-57809267-57236090890_____________________________________.exe	ReversingLabs: Detection: 44%
Source: ABT-57809267-57236090890_____________________________________.exe	Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe"
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe"
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ABT-57809267-57236090890_____________________________________.exe

Static file information: File size 1095168 > 1048576

Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ABT-57809267-57236090890_____________________________________.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1661719472.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1662122544.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1661719472.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, ABT-57809267-57236090890_____________________________________.exe, 00000000.00000003.1662122544.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp

Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ABT-57809267-57236090890_____________________________________.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0075C304 LoadLibraryA,GetProcAddress,

0_2_0075C304

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00748719 push FFFFFF8Bh; iretd	0_2_0074871B
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070E94F push edi; ret	0_2_0070E951
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070EA68 push esi; ret	0_2_0070EA6A
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00708B85 push ecx; ret	0_2_00708B98
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070EC43 push esi; ret	0_2_0070EC45
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070ED2C push edi; ret	0_2_0070ED2E

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_006E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006E4A35
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_007655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007655FD

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_007033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_007033C7

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-97328

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

API coverage: 4.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00744696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00744696
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074C93C FindFirstFileW,FindClose,	0_2_0074C93C
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0074C9C7
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0074F200
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0074F35D
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0074F65E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00743A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00743A2B
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00743D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00743D4E
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0074BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0074BF27

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_006E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006E4AFE

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

API call chain: ExitProcess graph end node

graph_0-96598

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_007541FD BlockInput,

0_2_007541FD

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_006E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006E3B4C

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00715CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00715CCC

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0075C304 LoadLibraryA,GetProcAddress,

0_2_0075C304

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_007381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_007381F7

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070A364 SetUnhandledExceptionFilter,		0_2_0070A364
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_0070A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0070A395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00738C93 LogonUserW,

0_2_00738C93

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_006E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006E3B4C

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_006E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006E4A35

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00744EF5 mouse_event,

0_2_00744EF5

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

0_2_007381F7

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00744C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00744C03

Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0070886B cpuid

0_2_0070886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_007150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_007150D7

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_00722230 GetUserNameW,

0_2_00722230

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_0071418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0071418A

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe

Code function: 0_2_006E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006E4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1668280133.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2899736344.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: WIN_81
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: WIN_XP
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: WIN_XPe
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: WIN_VISTA
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: WIN_7
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: WIN_8
Source: ABT-57809267-57236090890_____________________________________.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ABT-57809267-57236090890_____________________________________.exe.3a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1668280133.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2899736344.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00756596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00756596
Source: C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe	Code function: 0_2_00756A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00756A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	21 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	2 Valid Accounts	LSA Secrets	14 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ABT-57809267-57236090890_____________________________________.exe	45%	ReversingLabs	Win32.Trojan.Strab
ABT-57809267-57236090890_____________________________________.exe	36%	Virustotal		Browse
ABT-57809267-57236090890_____________________________________.exe	100%	Joe Sandbox ML

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430805
Start date and time:	2024-04-24 08:05:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ABT-57809267-57236090890_____________________________________.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@3/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Process:	C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe
File Type:	data
Category:	dropped
Size (bytes):	133198
Entropy (8bit):	7.9062349946570665
Encrypted:	false
SSDEEP:	3072:r0DWEaUweQrZcm6UpkJqe2jODOEM/LN3Ki1tPx5dgm:oDqUw1rOm/kJ+jFn/pa0ndP
MD5:	D9D54BBB0F16477599DAFA067D1704F9
SHA1:	E102AD7B07932EA7235013BD68549D84750242EC
SHA-256:	15E5533DD49A5EC39760322B1C5B795E885DF7FB3F0437E9EAE96AE8E58699CD
SHA-512:	28B38BC64C552B112010BB43CC5A005B54D4A4E57F2A3C06B93ABBFB08B90F61A76BBD3F649913418B821114E5D01AB3A71CCB23DD23C497133195F8147E9208
Malicious:	false
Reputation:	low
Preview:	EA06.....[..:52.D.L.t.G2.V.S..y..o4..f.:(..6...:.Z..1....z........0...C.1..-.9e~.k.Ik.i$.Gg.UkU...+R.Yg.)TZ.%.D.+..C#.F.3..T.#6k.....T..L_.F...-2.E...t...V.Q..1..L.t[`...5jE..`.M.P...7D.....=2...L.t....a...@..U@6;..Qh.....2... ..7Ve3...~@..DJ.J...vs..L....N.S....u..lgiI.U. .....G.F(.......R.....i1..0.J(...t.M..=V........pS...........1@...-...$P...m4.M,.)....&...ZgQ..x.......{...0..$U:5..6.T..h.Z.I.Q....e&..c..f.6.X..y.n.B.Pk...ng..L&t:.6.0.miw..F..0W@...jo....T[`..@..0.............+..M..9.M&..... ..i.i.p.....`..,.xfT.$.mr.T.......N(W....F........S.3...;..h....o....B....G..3..W.Zh3H..eM.U@.....G.K93X..0..Pk..6..._j6.@....0$`..>.S....mB.J...._#...8.......=z.l.M&R.T.3-..h.J.z.I.Tcu..".o.M&....;8..iU......T... ...F&q.c.f..%.u+z.@R..z..s...g.~m..P.L.N.......Y..?2..gS....M.s)Vj..[.Q....bk....[m..D.G...,.%G.K..y.r\|..F&.Ze....R.U..^.H.T.1...i7..'TZe6.R.B+w..N.N.S.....c5.Lm....M].W.5..Z+a... ...w4..'4.......J}f.M.M'....!@......L..*5j..._.H..y.v...yhr..

C:\Users\user\AppData\Local\Temp\aut8276.tmp

Download File

Process:	C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe
File Type:	data
Category:	dropped
Size (bytes):	9910
Entropy (8bit):	7.584431063003772
Encrypted:	false
SSDEEP:	192:C+cK50L02Jtyl2ftvwmziMVC6baopzBvq5OgWSjDvjRQM+WWYk:h750LRJtyl2ftLCghBmOgWkQM+WWh
MD5:	700DCDC08871960DC0972F2F3B7BD6FA
SHA1:	EDDD19C1AD07B204CD78688135A5575620F733D6
SHA-256:	BA2EED4ADDD0A0114E910F0CEA7F793554C4A0308C7187B6E877916AD66CD913
SHA-512:	830159BFDDBB3F598D537C22A66FF6447AED9CF85EEDDAC07519D9F9C5F20ACB0271458714BA07F268A1565FB8B489EF4DB6D602DA11BCC25161BB952151BB8C
Malicious:	false
Reputation:	low
Preview:	EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\caulds

Download File

Process:	C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe
File Type:	data
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	7.124243905016253
Encrypted:	false
SSDEEP:	3072:qa0UabjfxiHHlraAykkxl7RXioskrCF6FDTj4PTnOcupkmWZeGkS4crVwP:qa0d4NaAykkxt/Lk+gWcVk6S
MD5:	BDF3C84A9699A9AC083DED7792BD8E3A
SHA1:	346F455850E226E0D6D7F0E416361FCCF5E5870D
SHA-256:	9DED05A06EF73E2370D3B694EE58DF26943D6794A6EA00DD6A4FF672E346CC8E
SHA-512:	BC659C4CA47B6F57C50C6198D103C9D4A7C8E5DDBCE090059655E9FCE9A5BCF1CAE33BB77D2CB0AA022963C659B2FFB48B83D06506EF86E6616AF083D5C26BC7
Malicious:	false
Reputation:	low
Preview:	\|o.3FLGD22KJ..QV.NGG4474q503ELGD62KJW3QVHNGG44741503ELGD62KJ.3QVFQ.I4.>...1..m.,_Ak:%\6$)#g$UZY[E.RVe>2.[%j.\|.v%!#".9:>.503ELGDfwKJ.2RVT..#44741503.LEE=3{JW.SVHFGG4474..23ElGD62KJW3.VHnGG46745503ELGD22KJW3QVHNDG46741503GL..62[JW#QVHNWG4$741503ULGD62KJW3QV..EG{4741.23.IGD62KJW3QVHNGG44741.23ILGD62KJW3QVHNGG44741503ELGD62KJW3QVHNGG44741503ELGD6.KJ_3QVHNGG44749.03.LGD62KJW3QVf:"?@474u.23ElGD6.IJW1QVHNGG44741503eLG$.@8843QV.KGG4.541303E.ED62KJW3QVHNGGt47t.GU_/GD:2KJW.SVHLGG4.541503ELGD62KJ.3Q.HNGG44741503ELGD..IJW3QV.NGG6424e223..GD52KJV3QPHNGG44741503ELGD62KJW3QVHNGG44741503ELGD62KJW3QV[~EG}474050"SFl.64R.V.V~INGM.>72&.1.Il.K62cHW3[NBNA_.5.3.603CUMD0$.K{0QABNA].5.6.7..oREl22K@}3QVK~EG.474050"SF..62KJQ,X.IbJ96470^n03CSMN64\.V.V~CNGA,>72,.1.I2ID66r.W3QHBNA\.5.8Bx03C.FD66W@W5K.IbN99470..+9EJ[.7.G4V3QR'.GG2)=47+.2iA4.62M.U3QRWGMG2,.5.2.3GLA]<2MS.2}Q`HGG2.=47#.2iOGS<2MU].PzJeB......503V\|CD.2KJV3QG^Dlp42 .0.-..D.U.RIJQ.XVHHo@4416&.81EJ_N64].V.RV_DGA,.6.3.2..fGD-.NJ.3QVJNGV"9..1<'.D`Pl32K@wqY.

C:\Users\user\AppData\Local\Temp\drawlingly

Download File

Process:	C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe
File Type:	ASCII text, with very long lines (28720), with no line terminators
Category:	dropped
Size (bytes):	28720
Entropy (8bit):	3.5976484099936936
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6l:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RS
MD5:	19E86CF4CD2E43CB383A27E6AB9F1DD2
SHA1:	0EAFB34DCAFAA408355A0097D729493E1E9462E6
SHA-256:	33CE88973D298176BE1DE5316EF74DCC17D36C5381F0EE2F96151047DAF62C94
SHA-512:	DFD9B9DF0CDDE8181435D4FC7DEE55F3E34CD419C7BE372B56FE5A1D817B45D901AB2F13724EB8C53977D2AE80474A3B03978E9A51E2C9DFEB33A22B7E3A4C2B
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.929559956287233
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ABT-57809267-57236090890_____________________________________.exe
File size:	1'095'168 bytes
MD5:	111af05dd1407b81db746b75b32e8b92
SHA1:	5fd001e0d0d86e5ee6d19e388bef20d31865f45d
SHA256:	e3e2106835618398ef240b9e3e84026a0019bafda4464f3150756d42c5374f9d
SHA512:	bf37a0b838474210df8cecf22d6462e848eb91fda5777aab0ec6b03b5286a52e487b69c2a737883372b13a523bb87ef9a91ab25946028a19f6022e2bddc733a9
SSDEEP:	24576:AAHnh+eWsN3skA4RV1Hom2KXMmHaJJMUyY1WXbVTZD5:3h+ZkldoPK8YaJJgXbR
TLSH:	EF359C3263918325FFAB9E73DB5DB20D56BC6D250123852FD29C2F79A9F01B1122D263
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66281751 [Tue Apr 23 20:17:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1000BD1F3Dh
jmp 00007F1000BC4CF4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1000BC4E7Ah
cmp edi, eax
jc 00007F1000BC51DEh
bt dword ptr [004C41FCh], 01h
jnc 00007F1000BC4E79h
rep movsb
jmp 00007F1000BC518Ch
cmp ecx, 00000080h
jc 00007F1000BC5044h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1000BC4E80h
bt dword ptr [004BF324h], 01h
jc 00007F1000BC5350h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F1000BC501Dh
test edi, 00000003h
jne 00007F1000BC502Eh
test esi, 00000003h
jne 00007F1000BC500Dh
bt edi, 02h
jnc 00007F1000BC4E7Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1000BC4E83h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1000BC4ED5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x40f84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x40f84	0x41000	eb763bcd2b76b65803c2503aa40083d5	False	0.7279221754807692	data	7.221230116720938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.046891636105524666
RT_MENU	0xd8ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd95dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd9c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xda0f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda6f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdad50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdb1b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdb310	0x2d728	data			1.0003545489707335
RT_GROUP_ICON	0x108a38	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x108a4c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x108a60	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x108a74	0x14	data	English	Great Britain	1.25
RT_VERSION	0x108a88	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x108b94	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	08:05:56
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe"
Imagebase:	0x6e0000
File size:	1'095'168 bytes
MD5 hash:	111AF05DD1407B81DB746B75B32E8B92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1668280133.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:05:57
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ABT-57809267-57236090890_____________________________________.exe"
Imagebase:	0x770000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2899736344.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	168

Executed Functions

Function 006E3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E3B7A
IsDebuggerPresent.KERNEL32 ref: 006E3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,007A62F8,007A62E0,?,?), ref: 006E3BFD

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

Part of subcall function 006F0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006E3C26,007A62F8,?,?,?), ref: 006F0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 006E3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007993F0,00000010), ref: 0071D4BC
SetCurrentDirectoryW.KERNEL32(?,007A62F8,?,?,?), ref: 0071D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00795D40,007A62F8,?,?,?), ref: 0071D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0071D581

Part of subcall function 006E3A58: GetSysColorBrush.USER32(0000000F), ref: 006E3A62
Part of subcall function 006E3A58: LoadCursorW.USER32(00000000,00007F00), ref: 006E3A71
Part of subcall function 006E3A58: LoadIconW.USER32(00000063), ref: 006E3A88
Part of subcall function 006E3A58: LoadIconW.USER32(000000A4), ref: 006E3A9A
Part of subcall function 006E3A58: LoadIconW.USER32(000000A2), ref: 006E3AAC
Part of subcall function 006E3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006E3AD2
Part of subcall function 006E3A58: RegisterClassExW.USER32(?), ref: 006E3B28

Part of subcall function 006E39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006E3A15
Part of subcall function 006E39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006E3A36
Part of subcall function 006E39E7: ShowWindow.USER32(00000000,?,?), ref: 006E3A4A
Part of subcall function 006E39E7: ShowWindow.USER32(00000000,?,?), ref: 006E3A53

Part of subcall function 006E43DB: _memset.LIBCMT ref: 006E4401
Part of subcall function 006E43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006E44A6

Strings

runas, xrefs: 0071D575
This is a third-party compiled AutoIt script., xrefs: 0071D4B4
%w, xrefs: 006E3C56

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%w
API String ID: 529118366-1713382506
Opcode ID: e406de81cd2f17e63a2dbcd64a58914c756b97c6f6c817935ae8889c7098f87f
Instruction ID: d97f22e3831c6dda493a86db01b87e1b9dde12334dae58785ef2334be831a66d
Opcode Fuzzy Hash: e406de81cd2f17e63a2dbcd64a58914c756b97c6f6c817935ae8889c7098f87f
Instruction Fuzzy Hash: 10513A719053C8AECF11ABB6EC09AFD7B76BB45700F048179F411632E1DA7C8A46CB28

Uniqueness

Uniqueness Score: -1.00%

Function 006E4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006E4EEE,?,?,00000000,00000000), ref: 006E4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006E4EEE,?,?,00000000,00000000), ref: 006E5010
LoadResource.KERNEL32(?,00000000,?,?,006E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,006E4F8F), ref: 0071DD60
SizeofResource.KERNEL32(?,00000000,?,?,006E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,006E4F8F), ref: 0071DD75
LockResource.KERNEL32(Nn,?,?,006E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,006E4F8F,00000000), ref: 0071DD88

Strings

Nn, xrefs: 0071DD85
SCRIPT, xrefs: 006E5006

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nn
API String ID: 3051347437-1210639939
Opcode ID: 05f03e33ceb189010a7e994bdbda5b464504d3f7d101d3d037b5869e7e085df5
Instruction ID: 772aca9e8d84d4fc44df2d91dd110ab6a66f51ddbed54ce88e5ae2a24553aa34
Opcode Fuzzy Hash: 05f03e33ceb189010a7e994bdbda5b464504d3f7d101d3d037b5869e7e085df5
Instruction Fuzzy Hash: 51115A75201701AFD7218B66EC58F6B7BBAFBC9B15F208168F406C7260DBA1EC008A60

Uniqueness

Uniqueness Score: -1.00%

Function 006E4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006E4B2B

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

GetCurrentProcess.KERNEL32(?,0076FAEC,00000000,00000000,?), ref: 006E4BF8
IsWow64Process.KERNEL32(00000000), ref: 006E4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 006E4C45
FreeLibrary.KERNEL32(00000000), ref: 006E4C50
GetSystemInfo.KERNEL32(00000000), ref: 006E4C81
GetSystemInfo.KERNEL32(00000000), ref: 006E4C8D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7e45e5fda94e29a33f71fffe5505457bd3b4901767e9da2e27c22cab0abf5698
Instruction ID: 605e5a4a8f6192da954e82ec7ed47f9038c0e9b20ad356a85a0a809fffca50ad
Opcode Fuzzy Hash: 7e45e5fda94e29a33f71fffe5505457bd3b4901767e9da2e27c22cab0abf5698
Instruction Fuzzy Hash: FE91E43154B7C0DEC731CB7994511EABFE6AF2A300B584D9ED0CB83A41D624F948CB69

Uniqueness

Uniqueness Score: -1.00%

Function 006EE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dtz, xrefs: 006EEC21
Dtz, xrefs: 00723F58
Variable must be of type 'Object'., xrefs: 0072428C
Dtz, xrefs: 00723F1F
Dtz, xrefs: 006EEC1A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID: Dtz$Dtz$Dtz$Dtz$Variable must be of type 'Object'.
API String ID: 0-3754608544
Opcode ID: f761607fab32c2245f8ca3239a24bd7fa560b317fc13393ddd26b960f6b0c9fc
Instruction ID: d69287679c64577770eb730c1edac52c7498c4038e03d3b29881fbd98fb61fb5
Opcode Fuzzy Hash: f761607fab32c2245f8ca3239a24bd7fa560b317fc13393ddd26b960f6b0c9fc
Instruction Fuzzy Hash: 10A28F74A05395CFCB24CF99C980AADB7B2FF59300F248069E916AB351D736ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00744696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0071E7C1), ref: 007446A6
FindFirstFileW.KERNELBASE(?,?), ref: 007446B7
FindClose.KERNEL32(00000000), ref: 007446C7

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 80ea83083143f1fbebb80721428a2daa303e3d53227872d1df92115720d194b4
Instruction ID: 94b573884091f962ba0fac79c4dfa5daaf7d0ad9dcdbe84bd427edee38cb9472
Opcode Fuzzy Hash: 80ea83083143f1fbebb80721428a2daa303e3d53227872d1df92115720d194b4
Instruction Fuzzy Hash: 06E0D8314105005B46106738FC4D4EE775CAE06335F104716F836C11E0E7F85960999A

Uniqueness

Uniqueness Score: -1.00%

Function 006F0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006F0BBB
timeGetTime.WINMM ref: 006F0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006F0FB3
TranslateMessage.USER32(?), ref: 006F0FC7
DispatchMessageW.USER32(?), ref: 006F0FD5
Sleep.KERNEL32(0000000A), ref: 006F0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 006F105A
DestroyWindow.USER32 ref: 006F1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006F1080
Sleep.KERNEL32(0000000A,?,?), ref: 007252AD
TranslateMessage.USER32(?), ref: 0072608A
DispatchMessageW.USER32(?), ref: 00726098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007260AC

Strings

prz, xrefs: 0072542D
@GUI_CTRLID, xrefs: 00725364
@GUI_WINHANDLE, xrefs: 007253B9
@COM_EVENTOBJ, xrefs: 0072591A
prz, xrefs: 00725383
prz, xrefs: 007253D8
prz, xrefs: 00725BDE
@GUI_CTRLHANDLE, xrefs: 0072540E
@TRAY_ID, xrefs: 00725BB9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prz$prz$prz$prz
API String ID: 4003667617-1408203079
Opcode ID: 7f33b70dc67377ea8abd08abc8dc13fa5cc857be94430ce5753f24a71876456d
Instruction ID: 0f9bca2ce216ab11e8d21ac5d4e36c9fb8967ed744ae4314352c990f67ad0e26
Opcode Fuzzy Hash: 7f33b70dc67377ea8abd08abc8dc13fa5cc857be94430ce5753f24a71876456d
Instruction Fuzzy Hash: E2B21670608751DFD724DF24D884BAAB7E6FF84304F14891DF58A872A2DB79E844CB86

Uniqueness

Uniqueness Score: -1.00%

Function 007493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007491E9: __time64.LIBCMT ref: 007491F3

Part of subcall function 006E5045: _fseek.LIBCMT ref: 006E505D

__wsplitpath.LIBCMT ref: 007494BE

Part of subcall function 0070432E: __wsplitpath_helper.LIBCMT ref: 0070436E

_wcscpy.LIBCMT ref: 007494D1
_wcscat.LIBCMT ref: 007494E4
__wsplitpath.LIBCMT ref: 00749509
_wcscat.LIBCMT ref: 0074951F
_wcscat.LIBCMT ref: 00749532

Part of subcall function 0074922F: _memmove.LIBCMT ref: 00749268
Part of subcall function 0074922F: _memmove.LIBCMT ref: 00749277

_wcscmp.LIBCMT ref: 00749479

Part of subcall function 007499BE: _wcscmp.LIBCMT ref: 00749AAE
Part of subcall function 007499BE: _wcscmp.LIBCMT ref: 00749AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007496DC
_wcsncpy.LIBCMT ref: 0074974F
DeleteFileW.KERNEL32(?,?), ref: 00749785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0074979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007497AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007497BE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 2ae8d63351a49d47e672fbdc7366a7c8a0f1c2ef417e0a03aff6628d518768f4
Instruction ID: 81470914108707151f65af73f0da7fa5ea0f7323972cb6ae7c7e23af82de0c2a
Opcode Fuzzy Hash: 2ae8d63351a49d47e672fbdc7366a7c8a0f1c2ef417e0a03aff6628d518768f4
Instruction Fuzzy Hash: EBC14AB1D00219AEDF21DF95CC85AEFB7BDEF45304F0040AAF609E6151EB749A848F65

Uniqueness

Uniqueness Score: -1.00%

Function 006E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006E3074
RegisterClassExW.USER32(00000030), ref: 006E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006E30AF
InitCommonControlsEx.COMCTL32(?), ref: 006E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006E30DC
LoadIconW.USER32(000000A9), ref: 006E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006E3101

Strings

+, xrefs: 006E305D
0, xrefs: 006E3056
TaskbarCreated, xrefs: 006E30A4
AutoIt v3 GUI, xrefs: 006E3090

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 427b0db468e6c1b9aa02d495835bb9518d0d200e95fe4d3a4fc740cde64807c8
Instruction ID: 140a32a3ffd0873e935f01a10bfca6e8ec275b9894acfe974f4ca009a0a4b26d
Opcode Fuzzy Hash: 427b0db468e6c1b9aa02d495835bb9518d0d200e95fe4d3a4fc740cde64807c8
Instruction Fuzzy Hash: 2F315AB1801345AFDB00CFA4EC48AC9BBF4FB0A314F14852EE551EA2A1D3BA4541CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006E3074
RegisterClassExW.USER32(00000030), ref: 006E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006E30AF
InitCommonControlsEx.COMCTL32(?), ref: 006E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006E30DC
LoadIconW.USER32(000000A9), ref: 006E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006E3101

Strings

+, xrefs: 006E305D
0, xrefs: 006E3056
TaskbarCreated, xrefs: 006E30A4
AutoIt v3 GUI, xrefs: 006E3090

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4b784a402d0aa9250e746f17481811843367003319ca66193304695ce5f5619b
Instruction ID: 368eed6e2a178f0afca3feb345e35a67ebf349bec1845866580b195b5873c4de
Opcode Fuzzy Hash: 4b784a402d0aa9250e746f17481811843367003319ca66193304695ce5f5619b
Instruction Fuzzy Hash: 6321C4B1901318AFDB00DFA4EC89B9DBBF8FB09700F04812AF911A62A0D7B945448F99

Uniqueness

Uniqueness Score: -1.00%

Function 006E71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A62F8,?,006E37C0,?), ref: 006E4882

Part of subcall function 0070074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006E72C5), ref: 00700771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006E7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0071ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0071ED32
RegCloseKey.ADVAPI32(?), ref: 0071ED70
_wcscat.LIBCMT ref: 0071EDC9

Strings

Include, xrefs: 0071ECE8, 0071ED29
Software\AutoIt v3\AutoIt, xrefs: 006E72FE
\, xrefs: 0071EDEC
\Include\, xrefs: 006E72C5

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c0ca29d8fc1ea62f7c0ecd442c2717273b4463ae555f1855385df339f8f9b028
Instruction ID: 8081318dca01268087528970d2279533aebd258449c0b7829418b297381f6959
Opcode Fuzzy Hash: c0ca29d8fc1ea62f7c0ecd442c2717273b4463ae555f1855385df339f8f9b028
Instruction Fuzzy Hash: DC718F725093419EC318DF6AEC8599BBBF8FF89350F40852EF445831E1EB789948CB59

Uniqueness

Uniqueness Score: -1.00%

Function 006E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006E36D2
KillTimer.USER32(?,00000001), ref: 006E36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006E371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006E372A
CreatePopupMenu.USER32 ref: 006E373E
PostQuitMessage.USER32(00000000), ref: 006E375F

Strings

TaskbarCreated, xrefs: 006E3725
%w, xrefs: 0071D2D1, 0071D31F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%w
API String ID: 129472671-2254297513
Opcode ID: f68357d9a83a41b5a4dbc544fdf9a07c632b3bf045a919ee6e940c11698bc51d
Instruction ID: 1399eab12a2c62ff72566403e1ba77bf4e426b677ee177f3b0929f1aa517336d
Opcode Fuzzy Hash: f68357d9a83a41b5a4dbc544fdf9a07c632b3bf045a919ee6e940c11698bc51d
Instruction Fuzzy Hash: 6B4138B2202395ABDF205F79EC0DBB93757F741300F180128F512873E1DAACAE459769

Uniqueness

Uniqueness Score: -1.00%

Function 006E3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006E3A62
LoadCursorW.USER32(00000000,00007F00), ref: 006E3A71
LoadIconW.USER32(00000063), ref: 006E3A88
LoadIconW.USER32(000000A4), ref: 006E3A9A
LoadIconW.USER32(000000A2), ref: 006E3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006E3AD2
RegisterClassExW.USER32(?), ref: 006E3B28

Part of subcall function 006E3041: GetSysColorBrush.USER32(0000000F), ref: 006E3074
Part of subcall function 006E3041: RegisterClassExW.USER32(00000030), ref: 006E309E
Part of subcall function 006E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006E30AF
Part of subcall function 006E3041: InitCommonControlsEx.COMCTL32(?), ref: 006E30CC
Part of subcall function 006E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006E30DC
Part of subcall function 006E3041: LoadIconW.USER32(000000A9), ref: 006E30F2
Part of subcall function 006E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006E3101

Strings

0, xrefs: 006E3B06
AutoIt v3, xrefs: 006E3B17
#, xrefs: 006E3B0D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e3afae5c3dc082c0eb9c9ef36007186dbb7bcac97558f25e64ae3fff3732e206
Instruction ID: b1a5a2ad0501e96162c2fddeb4f9698cfe234234d0bb807ad905ed0cf41efe4a
Opcode Fuzzy Hash: e3afae5c3dc082c0eb9c9ef36007186dbb7bcac97558f25e64ae3fff3732e206
Instruction Fuzzy Hash: F7214871A01308AFEB109FA5EC09B9D7BB5FB89711F04812AE504A62E0D3BE56549F88

Uniqueness

Uniqueness Score: -1.00%

Function 006E3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bz, xrefs: 0071D44E
/AutoIt3OutputDebug, xrefs: 006E38A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006E37C0
/AutoIt3ExecuteScript, xrefs: 006E38CE
CMDLINE, xrefs: 006E3834
/ErrorStdOut, xrefs: 006E388F
/AutoIt3ExecuteLine, xrefs: 006E38B9
CMDLINERAW, xrefs: 006E380D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bz
API String ID: 1825951767-4199190877
Opcode ID: 104f9e1964d1efb532c056f3a088620a3f97b23bcd436a3349b3053a04338ef3
Instruction ID: 66c77995bac9e0b163d8bb0202b6009eeb97d75c9e2a76ad9d0d4d0fd7a382ef
Opcode Fuzzy Hash: 104f9e1964d1efb532c056f3a088620a3f97b23bcd436a3349b3053a04338ef3
Instruction Fuzzy Hash: D5A171718113A99ACF44EBA6DC95AEEB77ABF54300F04012DF412B7191EF785A09CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006EF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007003A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007003D3
Part of subcall function 007003A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007003DB
Part of subcall function 007003A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007003E6
Part of subcall function 007003A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007003F1
Part of subcall function 007003A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007003F9
Part of subcall function 007003A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00700401

Part of subcall function 006F6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,006EFA90), ref: 006F62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006EFB2D
OleInitialize.OLE32(00000000), ref: 006EFBAA
CloseHandle.KERNEL32(00000000), ref: 007249F2

Strings

\dz, xrefs: 006EF957
<gz, xrefs: 006EFA90
cz, xrefs: 006EF94B
%w, xrefs: 006EF8F6, 006EF908, 006EFACE, 006EFBB1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <gz$\dz$%w$cz
API String ID: 1986988660-4086915420
Opcode ID: b5fb280601cfe929c0d6157ee9c2313f5b872533b05cc44b77e1f69f555a4662
Instruction ID: 4a3aa56e96f43f4bb80bb4ea2625a088191d492bfa8e4134d2b6a38ede52aae2
Opcode Fuzzy Hash: b5fb280601cfe929c0d6157ee9c2313f5b872533b05cc44b77e1f69f555a4662
Instruction Fuzzy Hash: 9E81BAB0915280CFCB84EF3AE9446157AE5EBDE708718C23ED029C72A2EB7D4605CF59

Uniqueness

Uniqueness Score: -1.00%

Function 006E39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006E3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006E3A36
ShowWindow.USER32(00000000,?,?), ref: 006E3A4A
ShowWindow.USER32(00000000,?,?), ref: 006E3A53

Strings

edit, xrefs: 006E3A30
AutoIt v3, xrefs: 006E3A0D, 006E3A12, 006E3A13

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9d5ec801371009264ee3f9216906efa07f887ff23252a0167ca42f1ec3b7dcc2
Instruction ID: c9573e85341e4a247d6d9848db8971f620819a36ea90d0ab09b7e918be495483
Opcode Fuzzy Hash: 9d5ec801371009264ee3f9216906efa07f887ff23252a0167ca42f1ec3b7dcc2
Instruction Fuzzy Hash: 2FF03A706002907EEA3117237C08F272E7DE7C7F60B04802AF900A21B0C6AD5800DAB8

Uniqueness

Uniqueness Score: -1.00%

Function 006E410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0071D5EC

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

_memset.LIBCMT ref: 006E418D
_wcscpy.LIBCMT ref: 006E41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006E41F1

Strings

Line: , xrefs: 0071D615

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 6e9507265aed481ec95333d2ebc822730dbdaa89e720c9edf36f057b7ba4cedf
Instruction ID: f8546bb0670b37e5eebce6421d4fe4485475c1c53b3416e015045e081f524548
Opcode Fuzzy Hash: 6e9507265aed481ec95333d2ebc822730dbdaa89e720c9edf36f057b7ba4cedf
Instruction Fuzzy Hash: 6131347100A384AED761EB60DC45FDB73EDAF85300F14461EF185820E1EF78A649C78A

Uniqueness

Uniqueness Score: -1.00%

Function 0070564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 007056AB
_memcpy_s.LIBCMT ref: 0070571D
__read_nolock.LIBCMT ref: 0070577B
__filbuf.LIBCMT ref: 0070579E
_memset.LIBCMT ref: 007057E2

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 8474ad5134136cf40d2413435206fae8e44a3c11e8bd096bfab0efc67b7b64cd
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: E451A130A00B09DFDB248FB9C8846AF77F5AF40720F648729F829962D1D7799D51AF50

Uniqueness

Uniqueness Score: -1.00%

Function 006E69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006E4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006E4F6F

_free.LIBCMT ref: 0071E68C
_free.LIBCMT ref: 0071E6D3

Part of subcall function 006E6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 006E6D0D

Strings

Bad directive syntax error, xrefs: 0071E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0071E462

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 2b19eebe2a6deb354c3797eaef86cc7574b92ddbc1ee8943aa7392ab96a98862
Instruction ID: 1940cf122fe4690db7eb25af2e9ddda3e11099948712e91117ad306398a707d8
Opcode Fuzzy Hash: 2b19eebe2a6deb354c3797eaef86cc7574b92ddbc1ee8943aa7392ab96a98862
Instruction Fuzzy Hash: A491BD71910259EFCF04EFA9CC859EDB7B5FF18314F40442AF816AB291EB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006E35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006E35A1,SwapMouseButtons,00000004,?), ref: 006E35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006E35A1,SwapMouseButtons,00000004,?,?,?,?,006E2754), ref: 006E35F5
RegCloseKey.KERNELBASE(00000000,?,?,006E35A1,SwapMouseButtons,00000004,?,?,?,?,006E2754), ref: 006E3617

Strings

Control Panel\Mouse, xrefs: 006E35D2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9d151252246e97fb92830c45431af29fc1c5e90eb9dd7cd4c1f359f6f6970ec4
Instruction ID: 8d4b2cc2d667a504b11a7e82483d04c03a93a5dc44f41a4b7298d98e305a81d5
Opcode Fuzzy Hash: 9d151252246e97fb92830c45431af29fc1c5e90eb9dd7cd4c1f359f6f6970ec4
Instruction Fuzzy Hash: 82114871512268BFDB21CFA5EC489EEB7B9EF05740F018469E805D7310E2719E449764

Uniqueness

Uniqueness Score: -1.00%

Function 0070493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007049D0
__flush.LIBCMT ref: 007049F0
__write.LIBCMT ref: 00704A23
__flsbuf.LIBCMT ref: 00704A51

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 95a17e9298396b5c1c1a020af37d84d01442ca2cbf1d066b05157204b259d003
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 0241B4F1710605EBDB28CEA9C88496F77E5EF84360B24C33DEA55C76D0D678AD418B44

Uniqueness

Uniqueness Score: -1.00%

Function 006E4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E4E1A

Strings

AU3!P/w, xrefs: 006E4E14
EA06, xrefs: 0071DCF5

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/w$EA06
API String ID: 4104443479-1282343377
Opcode ID: 86f62cf8b838b7c5194619543bb9eb850d509d617c5cb03653d6b10c87ef4729
Instruction ID: 933c7d94ef07283bbeb8587abefffa59ef3e665897d66202f540ccf2b5c80296
Opcode Fuzzy Hash: 86f62cf8b838b7c5194619543bb9eb850d509d617c5cb03653d6b10c87ef4729
Instruction Fuzzy Hash: 21418D72A053D49BCF215F7688517FE7FA7AF45300F284079F882AB282CE259D8187E1

Uniqueness

Uniqueness Score: -1.00%

Function 006E73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0071EE62
GetOpenFileNameW.COMDLG32(?), ref: 0071EEAC

Part of subcall function 006E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006E48A1,?,?,006E37C0,?), ref: 006E48CE

Part of subcall function 007009D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007009F4

Strings

X, xrefs: 0071EE7A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 2c321bbe1141904306d92e09660105463955527e7f6c9cd32b46e814003e0487
Instruction ID: 8a5696e9a2046ca20ec8c58e0995e2f8933a3883269699cb150866180ce0efa4
Opcode Fuzzy Hash: 2c321bbe1141904306d92e09660105463955527e7f6c9cd32b46e814003e0487
Instruction Fuzzy Hash: E521F670900288DBDF51DF98C805BEE7BF99F49300F00401AE509EB281DBB859898B91

Uniqueness

Uniqueness Score: -1.00%

Function 0074901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00749036
__fread_nolock.LIBCMT ref: 0074904B

Strings

EA06, xrefs: 0074907D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 8c137bbdb7add9d8423ac753020c14a7e97a0b5cec1bcdb4fbefd29f296aabb6
Instruction ID: aa7a4409d65d6c38107c4479014fc9930aa6c80422112a10214a58e0097da56b
Opcode Fuzzy Hash: 8c137bbdb7add9d8423ac753020c14a7e97a0b5cec1bcdb4fbefd29f296aabb6
Instruction Fuzzy Hash: 1601B971944258FEDB28C6A8D85AEEE7BFCDB15311F00429AF592D21C1E579A6088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00749B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00749B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00749B99

Strings

aut, xrefs: 00749B93

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 51c6952103c51197faa4678c22ab680f58bba08765e6fae28c8e4b729b6f1cf6
Instruction ID: 132b97a8f9cdb56f4f04ab5e3ccd0a8567e475a87e360b2602f6c3a5bf510f51
Opcode Fuzzy Hash: 51c6952103c51197faa4678c22ab680f58bba08765e6fae28c8e4b729b6f1cf6
Instruction Fuzzy Hash: 2AD05E7954030EBFDB10AB94EC0EF9A772CE704704F0082A1FE55910A1DEF855988FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0075CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29360306e757b964a60ba06648a2e5f799ced56f2ea018477635b0cff2c8691e
Instruction ID: 184f83b3914fef478f709409c63e623c04c67e168631b4765bb90d7b63378dab
Opcode Fuzzy Hash: 29360306e757b964a60ba06648a2e5f799ced56f2ea018477635b0cff2c8691e
Instruction Fuzzy Hash: 10F146716083419FC724DF29C484A6ABBE5FF88314F14892EF89A9B251D774ED46CF82

Uniqueness

Uniqueness Score: -1.00%

Function 006E43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006E44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 006E44C3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 87c9253f9c7c2e2189b2809beb9089a6b2f52233b7aeb41181db9e25ba3030d2
Instruction ID: b33884d5c8bc177436c0f92c6f4b14fef851524a480c45ff663bbb4c6b64a4d3
Opcode Fuzzy Hash: 87c9253f9c7c2e2189b2809beb9089a6b2f52233b7aeb41181db9e25ba3030d2
Instruction Fuzzy Hash: 803180B0605341CFD720DF35D884B9BBBE9FB49304F04492EF59A83280DBB5A948CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0070594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00705963

Part of subcall function 0070A3AB: __NMSG_WRITE.LIBCMT ref: 0070A3D2
Part of subcall function 0070A3AB: __NMSG_WRITE.LIBCMT ref: 0070A3DC

__NMSG_WRITE.LIBCMT ref: 0070596A

Part of subcall function 0070A408: GetModuleFileNameW.KERNEL32(00000000,007A43BA,00000104,?,00000001,00000000), ref: 0070A49A
Part of subcall function 0070A408: ___crtMessageBoxW.LIBCMT ref: 0070A548

Part of subcall function 007032DF: ___crtCorExitProcess.LIBCMT ref: 007032E5
Part of subcall function 007032DF: ExitProcess.KERNEL32 ref: 007032EE

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

RtlAllocateHeap.NTDLL(01200000,00000000,00000001,00000000,?,?,?,00701013,?), ref: 0070598F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ac8eaa0c16912479e3627caba4123441eca87f03676e4a7f75ddcf971c29f906
Instruction ID: c50d5d774a3114880114a8f93a93a755e6066fc5dfff9ff333147afc22d96b07
Opcode Fuzzy Hash: ac8eaa0c16912479e3627caba4123441eca87f03676e4a7f75ddcf971c29f906
Instruction Fuzzy Hash: 0E01B535311B15EEE6152B74EC4AB6F72C89F92770F10033AF4019A1D1DEBDAD019A65

Uniqueness

Uniqueness Score: -1.00%

Function 00749B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007497D2,?,?,?,?,?,00000004), ref: 00749B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007497D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00749B5B
CloseHandle.KERNEL32(00000000,?,007497D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00749B62

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 167f0db7dd6077c2600b3089661b00e20d1c8d74fe67350c818a7ecfa710a7c6
Instruction ID: 30fdb014afb065ec28896ffebe1a1bae29a2d3d097cb90ab8357ee51adcd8326
Opcode Fuzzy Hash: 167f0db7dd6077c2600b3089661b00e20d1c8d74fe67350c818a7ecfa710a7c6
Instruction Fuzzy Hash: 2AE08632181318B7D7211B54FC09FCA7F58EB067A1F148120FB55690E087F52911979C

Uniqueness

Uniqueness Score: -1.00%

Function 00748F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00748FA5

Part of subcall function 00702F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00709C64), ref: 00702FA9
Part of subcall function 00702F95: GetLastError.KERNEL32(00000000,?,00709C64), ref: 00702FBB

_free.LIBCMT ref: 00748FB6
_free.LIBCMT ref: 00748FC8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: c95eb3b4b1792ed8e0ee5876b2cec9b91ba29ff68043648389e43cdcaf42272e
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 2FE012A2609706CACB64A578AD48A9757EE5F48390B68091DB419DB183DF2CF8468124

Uniqueness

Uniqueness Score: -1.00%

Function 006EAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0072002B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 1ec3b62297c079c80dfec6ecc317d0e844001fb75823a864758183b774884bbd
Instruction ID: 02cd83d64d71d7fd0b4089206c2acfcec44083eddc4849e3f2eec6e8c5c0e63c
Opcode Fuzzy Hash: 1ec3b62297c079c80dfec6ecc317d0e844001fb75823a864758183b774884bbd
Instruction Fuzzy Hash: D2225974609391CFD724DF15C494B6ABBE2BF84300F14896DE8868B362D735ED85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006E7BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E7C0B
_memmove.LIBCMT ref: 006E7C76

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction ID: 3e4bbbe20cb6759d4066bf8477bd77883821625d87279e66cb4bbb43485f83b5
Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction Fuzzy Hash: 0431C2B1604646EFC714DF29D8D1EA9B3AAFF487207258629E915CB391EB30E851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006E492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 006E4992

Part of subcall function 007035AC: __lock.LIBCMT ref: 007035B2
Part of subcall function 007035AC: DecodePointer.KERNEL32(00000001,?,006E49A7,007381BC), ref: 007035BE
Part of subcall function 007035AC: EncodePointer.KERNEL32(?,?,006E49A7,007381BC), ref: 007035C9

Part of subcall function 006E4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006E4A73
Part of subcall function 006E4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006E4A88

Part of subcall function 006E3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E3B7A
Part of subcall function 006E3B4C: IsDebuggerPresent.KERNEL32 ref: 006E3B8C
Part of subcall function 006E3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007A62F8,007A62E0,?,?), ref: 006E3BFD
Part of subcall function 006E3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 006E3C81

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 006E49D2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: ad2b6723eb76e8c3af151da0462f3f24e9144b158e58c86e30687dcada330369
Instruction ID: 33188c1f80052458c83a13fca7dc130b63e0b71d42ebea13550fc3db4200b147
Opcode Fuzzy Hash: ad2b6723eb76e8c3af151da0462f3f24e9144b158e58c86e30687dcada330369
Instruction Fuzzy Hash: 01118C719093519BC300EF2AEC0590ABBE8FFD9710F00852EF055972B1DBB89545CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 006E5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,006E5981,?,?,?,?), ref: 006E5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,006E5981,?,?,?,?), ref: 0071E19C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 345f80a8fecab97755d3b40e84902090b37266f76d8408ba5bd6796c7f8e40ed
Instruction ID: d8fd20b9eb34d1e954f15caa9f96492d26cf62e1cd285a0824465587737c9140
Opcode Fuzzy Hash: 345f80a8fecab97755d3b40e84902090b37266f76d8408ba5bd6796c7f8e40ed
Instruction Fuzzy Hash: 5C01B570244748BEF3240E29DC8AFA63BDDEB0176CF10C319FAE65A1E0C6B41E458B54

Uniqueness

Uniqueness Score: -1.00%

Function 00700FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0070594C: __FF_MSGBANNER.LIBCMT ref: 00705963
Part of subcall function 0070594C: __NMSG_WRITE.LIBCMT ref: 0070596A
Part of subcall function 0070594C: RtlAllocateHeap.NTDLL(01200000,00000000,00000001,00000000,?,?,?,00701013,?), ref: 0070598F

std::exception::exception.LIBCMT ref: 0070102C
__CxxThrowException@8.LIBCMT ref: 00701041

Part of subcall function 007087DB: RaiseException.KERNEL32(?,?,?,0079BAF8,00000000,?,?,?,?,00701046,?,0079BAF8,?,00000001), ref: 00708830

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 0121dc4e5181f72e8e1fc33041af64190b08c397a489ab23c72bd44c43a24021
Instruction ID: edb44ca94acaa91c4ba2a85c39ec7af932532a84c2ec4092732436d6dfd41620
Opcode Fuzzy Hash: 0121dc4e5181f72e8e1fc33041af64190b08c397a489ab23c72bd44c43a24021
Instruction Fuzzy Hash: 48F02D3460030DE6CF30BA98EC099EF77ECDF00360F604225F888912D2DFB99A8186D1

Uniqueness

Uniqueness Score: -1.00%

Function 0070582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070585C
__lock_file.LIBCMT ref: 0070587D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e0372676e57eaaa0bd3e0eaa02634b9e34598674a92fa8e385968c1eaf9686a5
Instruction ID: eacfa3eb5a717624916d9d1875c3d890e5e44996888258e67cfab1f89b8e3740
Opcode Fuzzy Hash: e0372676e57eaaa0bd3e0eaa02634b9e34598674a92fa8e385968c1eaf9686a5
Instruction Fuzzy Hash: 16018471800A09EBCF22AF69CC0999F7BE1AF40360F148315BC145A1E1DB79CA61DF91

Uniqueness

Uniqueness Score: -1.00%

Function 007055D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

__lock_file.LIBCMT ref: 0070561B

Part of subcall function 00706E4E: __lock.LIBCMT ref: 00706E71

__fclose_nolock.LIBCMT ref: 00705626

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4b1c48fc998477cc153c2e29fdc5a4e328e95d800d862b09518a4b88e2fc8b10
Instruction ID: 7542f0291b2ed96b85f097a04ac0489d0c889e19e0d11590f2fea287ce3339dc
Opcode Fuzzy Hash: 4b1c48fc998477cc153c2e29fdc5a4e328e95d800d862b09518a4b88e2fc8b10
Instruction Fuzzy Hash: DDF0F071800A00DADB60AB74880A76F76E12F00B30F548309A450EB1C1CFBC89019F56

Uniqueness

Uniqueness Score: -1.00%

Function 006F2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9025dbfbc68ed5ceb159971b2fb2cfbc9a51e5f4bbc7ef89f0b44453144fd7d
Instruction ID: 7384f81900f36573a7357a6902c92bef4ba205ee9d774050e1f724b30f6f8424
Opcode Fuzzy Hash: c9025dbfbc68ed5ceb159971b2fb2cfbc9a51e5f4bbc7ef89f0b44453144fd7d
Instruction Fuzzy Hash: 0A51AD34600644EFCF14EB68C9A5EBE77A6AF45314F14806DF946AB392CB34EE00CB59

Uniqueness

Uniqueness Score: -1.00%

Function 006E5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 006E5CF6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 81398a0f4c93510ba9b857bd69ad067b1945e92afa0de341ad9cf37e362f0eb5
Instruction ID: d72baf8452ab3aab88a2ba893c56561c99feb30473200efd9e65df0e9252b354
Opcode Fuzzy Hash: 81398a0f4c93510ba9b857bd69ad067b1945e92afa0de341ad9cf37e362f0eb5
Instruction Fuzzy Hash: BD319031A01B49AFCB08CF2EC8946ADB7B6FF48714F248629D81A93700D770BD50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 007200D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007200E1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8fe5edda5a2a1663fbba0ed41a1bb382233411c494bdcb9ce4c7a78cafb882b6
Instruction ID: e5f6756146f87f20a02d375ac5c2d65c6ed4a96f5340dcaf5fc51c1f7319e31e
Opcode Fuzzy Hash: 8fe5edda5a2a1663fbba0ed41a1bb382233411c494bdcb9ce4c7a78cafb882b6
Instruction Fuzzy Hash: 3E413674605391CFDB24DF15C484B1ABBE1BF44318F1988ACE8894B362C336EC85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 006E7CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E7D13

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: da6e5543807a6feb2e4d7cdba790fb4a82e76ff06d2f7e8d36ae11e7016647d3
Instruction ID: b13770d5f8455fd3656b7680fe0ab19a384f27490947e8b8b66680e679f8ee31
Opcode Fuzzy Hash: da6e5543807a6feb2e4d7cdba790fb4a82e76ff06d2f7e8d36ae11e7016647d3
Instruction Fuzzy Hash: 54210071608A09EBDB104F29FC427A97BB9FF14760F31C56AE486C51D1EB3490E1A749

Uniqueness

Uniqueness Score: -1.00%

Function 006E4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E4D13: FreeLibrary.KERNEL32(00000000,?), ref: 006E4D4D

Part of subcall function 0070548B: __wfsopen.LIBCMT ref: 00705496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006E4F6F

Part of subcall function 006E4CC8: FreeLibrary.KERNEL32(00000000), ref: 006E4D02

Part of subcall function 006E4DD0: _memmove.LIBCMT ref: 006E4E1A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 96a0ba8ccdbe8282d01440defb1dc74593a8c7dd14e36a63272b57487c942306
Instruction ID: 08e247ce02269f765abe23739b9c072b272b0a12f4312fdfb775ddb2055d5cd8
Opcode Fuzzy Hash: 96a0ba8ccdbe8282d01440defb1dc74593a8c7dd14e36a63272b57487c942306
Instruction Fuzzy Hash: 00110A31701349ABCB10FF75DC16FAE77A69F80B00F20842DF542A71C1DE759A059B54

Uniqueness

Uniqueness Score: -1.00%

Function 007201AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 007201BB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 98f87c9e673b145706452ef31ae63d2d33ac6f28623f5036716057f50bc150c4
Instruction ID: 7edd2d7f32302a1a00b7248e32757f917d9c9762d818d928c490c844b4d4a8c4
Opcode Fuzzy Hash: 98f87c9e673b145706452ef31ae63d2d33ac6f28623f5036716057f50bc150c4
Instruction Fuzzy Hash: 9E2155B4608391CFCB14DF64C444B5ABBE1BF84304F04896CE88A47762D735F845DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006E5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,006E5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 006E5D76

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b048f5c183a90a004a11b003a1beafb492317f53662b4329084f8d05aa2ba820
Instruction ID: b0c32b06ba63952063c725b13d22d2f5b6345eb07cff17e28376d3c1cf3fa830
Opcode Fuzzy Hash: b048f5c183a90a004a11b003a1beafb492317f53662b4329084f8d05aa2ba820
Instruction Fuzzy Hash: 10113A31201B459FD3308F16C888B62B7EAEF45764F10C92EE4AB86A50D7B0E945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00704A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00704AD6

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: fe24694133f7402165ceac6ef84e8ae27971e2db1d22a6e0273c2e8537b39aa5
Instruction ID: 9111ee16f04206538007750715e74b543c2cb9b99e39a8907f903f2f31337e35
Opcode Fuzzy Hash: fe24694133f7402165ceac6ef84e8ae27971e2db1d22a6e0273c2e8537b39aa5
Instruction Fuzzy Hash: F4F044F1A40209EBDFA1BF74CC0A79E76E1AF00325F148714B5149A1D1DB7C8951DF55

Uniqueness

Uniqueness Score: -1.00%

Function 006E4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006E4FDE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 192b93278dde0035a02c6af6294302e7a1431945ef88876ecfaa8c86738c3ea6
Instruction ID: 0407d0b63716a5fd7809cadbba685dc8bff3f2a8fbf552404d95a92f6442b2dd
Opcode Fuzzy Hash: 192b93278dde0035a02c6af6294302e7a1431945ef88876ecfaa8c86738c3ea6
Instruction Fuzzy Hash: 39F03971106752CFCB349F76E894852BBE2BF447293208A3EE1D786A10CB71A850DF50

Uniqueness

Uniqueness Score: -1.00%

Function 007009D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007009F4

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 82143245ddf28a14b5c0076b7fa597a22c7fff83109d100ed1a7777bd8a8bf20
Instruction ID: a75ccb72f8966a3d4340fab2c36054791bff684c2c9238ee1ed0e3ea971182ed
Opcode Fuzzy Hash: 82143245ddf28a14b5c0076b7fa597a22c7fff83109d100ed1a7777bd8a8bf20
Instruction Fuzzy Hash: FFE0CD7690532C5BC720D65C9C05FFA77EDDF88790F0441B5FD0CD7244D9A49C818694

Uniqueness

Uniqueness Score: -1.00%

Function 00749129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0074914B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 249cd1473ce09ce2399bf80ee32f9da8a903a49e4ad4c6a3fa14f2a7f30814bc
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: D6E092B0104B049FD7348A24D8147E373E0AB06315F00091DF69A83341EB6678418B59

Uniqueness

Uniqueness Score: -1.00%

Function 006E5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0071E16B,?,?,00000000), ref: 006E5DBF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2814f69a857f62070bdf2ae0ebdc15772470065162a86738922b3c3a21aefd7a
Instruction ID: f0c344c044f075e3047d7a9d99a6586fe73b37bd5148a3e2de17c0445c9c4f0b
Opcode Fuzzy Hash: 2814f69a857f62070bdf2ae0ebdc15772470065162a86738922b3c3a21aefd7a
Instruction Fuzzy Hash: E3D0C77464430CBFE714DB80DC46FA9777CD705710F100195FD0456290D6F27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 0070548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00705496

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: df3eddfdbf83c62c797544f31046d46fc916f0dc2d304ebceb1d38484a886866
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 4AB0927684020CB7DE012E82EC06A9A3B599B40678F808020FB0C181A2A677A6A09A89

Uniqueness

Uniqueness Score: -1.00%

Function 0074D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0074D46A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 681a86ccbe9b26aa9afef29ddf76cbb953a33ca647d0307588f569dcc7db153a
Instruction ID: 0ecdedd38afc979c7648bc50fb46412e479f0d79cde0d6bd836d5199e8ffa04f
Opcode Fuzzy Hash: 681a86ccbe9b26aa9afef29ddf76cbb953a33ca647d0307588f569dcc7db153a
Instruction Fuzzy Hash: 57717330205342CFC764EF29C491A6EB7E1AF88714F04496DF8968B2A2DF74ED09CB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0076CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0076CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0076CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0076CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0076CF00
SendMessageW.USER32 ref: 0076CF29
_wcsncpy.LIBCMT ref: 0076CFA1
GetKeyState.USER32(00000011), ref: 0076CFC2
GetKeyState.USER32(00000009), ref: 0076CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0076CFE5
GetKeyState.USER32(00000010), ref: 0076CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0076D018
SendMessageW.USER32 ref: 0076D03F
SendMessageW.USER32(?,00001030,?,0076B602), ref: 0076D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0076D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0076D16E
SetCapture.USER32(?), ref: 0076D177
ClientToScreen.USER32(?,?), ref: 0076D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0076D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0076D203
ReleaseCapture.USER32 ref: 0076D20E
GetCursorPos.USER32(?), ref: 0076D248
ScreenToClient.USER32(?,?), ref: 0076D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0076D2B1
SendMessageW.USER32 ref: 0076D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0076D31C
SendMessageW.USER32 ref: 0076D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0076D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0076D37B
GetCursorPos.USER32(?), ref: 0076D39B
ScreenToClient.USER32(?,?), ref: 0076D3A8
GetParent.USER32(?), ref: 0076D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0076D431
SendMessageW.USER32 ref: 0076D462
ClientToScreen.USER32(?,?), ref: 0076D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0076D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0076D51A
SendMessageW.USER32 ref: 0076D53D
ClientToScreen.USER32(?,?), ref: 0076D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0076D5C3

Part of subcall function 006E25DB: GetWindowLongW.USER32(?,000000EB), ref: 006E25EC

GetWindowLongW.USER32(?,000000F0), ref: 0076D65F

Strings

prz, xrefs: 0076D1BD
@GUI_DRAGID, xrefs: 0076D1AA
F, xrefs: 0076D543

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prz
API String ID: 3977979337-4168708538
Opcode ID: 6a082f6e48e045461fe220dba8c4880bbaa4d46892c16d64228da4f65c769ce8
Instruction ID: 18cf070c0d2bd1ea7e9c01c23d94894300e7f6fbdb368ecb931e903a6ccff6c0
Opcode Fuzzy Hash: 6a082f6e48e045461fe220dba8c4880bbaa4d46892c16d64228da4f65c769ce8
Instruction Fuzzy Hash: 6D429D30604341AFD725CF28C844EAABBF6FF49314F14851DFAA6872A1C77A9C54CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0076804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0076873F

Strings

%d/%02d/%02d, xrefs: 00768478

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 3104a0e45717da158533dcd7294d22e363638438c7739b18a9e519fe98baccac
Instruction ID: 745dce886df4dab9ffac8099c2820d1d9d0f77f24d0ad2a75322b4814d296ed9
Opcode Fuzzy Hash: 3104a0e45717da158533dcd7294d22e363638438c7739b18a9e519fe98baccac
Instruction Fuzzy Hash: 1612DE71500348AFEB648F64DC49FAA7BB8EF45710F244229F917EA2E1DFB88945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 006F710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F75C2
_memset.LIBCMT ref: 006F76B1
_memmove.LIBCMT ref: 006F7C4B
_memmove.LIBCMT ref: 006F7E4F

Strings

0wy, xrefs: 00731F5B
Oao, xrefs: 0073287E
[:>:]], xrefs: 006F760A
\b(?=\w), xrefs: 00733C34
DEFINE, xrefs: 007325AF
\b(?<=\w), xrefs: 00733C41
[:<:]], xrefs: 006F75F1
Q\E, xrefs: 006F81C1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wy$DEFINE$Oao$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-722347393
Opcode ID: 99b9f49fbc43e0dba681344e5a8e149a4284d9c8f516174b6c605fdacbf884cd
Instruction ID: 55ed723508bb4f336a636ac06056347775e7fd383b505fe725128a08513a6de6
Opcode Fuzzy Hash: 99b9f49fbc43e0dba681344e5a8e149a4284d9c8f516174b6c605fdacbf884cd
Instruction Fuzzy Hash: C8939271A04219DFEB24CF58C8817BDB7B1FF48310F25816AE945AB392E7749E82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 006E4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006E4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071DA8E
IsIconic.USER32(?), ref: 0071DA97
ShowWindow.USER32(?,00000009), ref: 0071DAA4
SetForegroundWindow.USER32(?), ref: 0071DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0071DAC4
GetCurrentThreadId.KERNEL32 ref: 0071DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0071DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0071DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0071DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0071DAF8
SetForegroundWindow.USER32(?), ref: 0071DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071DB10
keybd_event.USER32(00000012,00000000), ref: 0071DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071DB25
keybd_event.USER32(00000012,00000000), ref: 0071DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071DB33
keybd_event.USER32(00000012,00000000), ref: 0071DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071DB42
keybd_event.USER32(00000012,00000000), ref: 0071DB47
SetForegroundWindow.USER32(?), ref: 0071DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0071DB71

Strings

Shell_TrayWnd, xrefs: 0071DA89

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3c9ba27bd50369727c82e426b56bfb1a6ce9de7bf93cf93e7c086a65a192d747
Instruction ID: 5a9f4143fabe32275162705ff013c884cae0fda775a4e1656d4f18d79bd80d64
Opcode Fuzzy Hash: 3c9ba27bd50369727c82e426b56bfb1a6ce9de7bf93cf93e7c086a65a192d747
Instruction Fuzzy Hash: 0031A771A40318BBEB305FA5AC49FBF3E6CEB44B50F118025FA02E61D1C6B85D50AEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00738858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00738CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00738D0D
Part of subcall function 00738CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00738D3A
Part of subcall function 00738CC3: GetLastError.KERNEL32 ref: 00738D47

_memset.LIBCMT ref: 0073889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007388ED
CloseHandle.KERNEL32(?), ref: 007388FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00738915
GetProcessWindowStation.USER32 ref: 0073892E
SetProcessWindowStation.USER32(00000000), ref: 00738938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00738952

Part of subcall function 00738713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00738851), ref: 00738728
Part of subcall function 00738713: CloseHandle.KERNEL32(?,?,00738851), ref: 0073873A

Strings

winsta0, xrefs: 00738910
, xrefs: 007388AA
default, xrefs: 0073894D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 301901fcd9cdfe39d2f2c3ec4e7207dc900292136f519ebe8c33c474cd91137d
Instruction ID: 3c5d68c2e8ad45182add33b43c6332955dae607ae9bfe3d66a53d1fca3227a3a
Opcode Fuzzy Hash: 301901fcd9cdfe39d2f2c3ec4e7207dc900292136f519ebe8c33c474cd91137d
Instruction Fuzzy Hash: 75817071901309EFEF51DFA4DC49AEE7BB8EF04304F08816AF911A6162DB798E14DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0075425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0076F910), ref: 00754284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00754292
GetClipboardData.USER32(0000000D), ref: 0075429A
CloseClipboard.USER32 ref: 007542A6
GlobalLock.KERNEL32(00000000), ref: 007542C2
CloseClipboard.USER32 ref: 007542CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 007542E1
IsClipboardFormatAvailable.USER32(00000001), ref: 007542EE
GetClipboardData.USER32(00000001), ref: 007542F6
GlobalLock.KERNEL32(00000000), ref: 00754303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00754337
CloseClipboard.USER32 ref: 00754447

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 112f66459b11a9e9e3de66dd054006413b242d49b7c236b2b9c58f975099fc11
Instruction ID: 26315604595991db531028b896879b6d8e77c4d00b28d420c997bd37d92ec285
Opcode Fuzzy Hash: 112f66459b11a9e9e3de66dd054006413b242d49b7c236b2b9c58f975099fc11
Instruction Fuzzy Hash: 8A51B331204341AFD310AF65EC95FAF77A8BF84B05F00852DF956D21A1DFB8D9488B66

Uniqueness

Uniqueness Score: -1.00%

Function 0074C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0074C9F8
FindClose.KERNEL32(00000000), ref: 0074CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0074CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0074CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0074CAAF
__swprintf.LIBCMT ref: 0074CAFB
__swprintf.LIBCMT ref: 0074CB3E

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

__swprintf.LIBCMT ref: 0074CB92

Part of subcall function 007038D8: __woutput_l.LIBCMT ref: 00703931

__swprintf.LIBCMT ref: 0074CBE0

Part of subcall function 007038D8: __flsbuf.LIBCMT ref: 00703953
Part of subcall function 007038D8: __flsbuf.LIBCMT ref: 0070396B

__swprintf.LIBCMT ref: 0074CC2F
__swprintf.LIBCMT ref: 0074CC7E
__swprintf.LIBCMT ref: 0074CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0074CAF5
%02d, xrefs: 0074CB86, 0074CB90, 0074CBDE, 0074CC2D, 0074CC7C, 0074CCCB
%4d, xrefs: 0074CB38

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 04b3391dbfc84490fb8e20edd09999b5a7466eb3edd6d92babe05ecfdc26ca19
Instruction ID: 778d8db0e63f8bd72d85793e1e45261df9a1a8e89f64aa117e5413b7b795476a
Opcode Fuzzy Hash: 04b3391dbfc84490fb8e20edd09999b5a7466eb3edd6d92babe05ecfdc26ca19
Instruction Fuzzy Hash: 7DA159B2509344ABC740EB65C886DAFB7EDEF94704F40492DF586C3191EB34DA09CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0074F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0074F221
_wcscmp.LIBCMT ref: 0074F236
_wcscmp.LIBCMT ref: 0074F24D
GetFileAttributesW.KERNEL32(?), ref: 0074F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0074F279
FindNextFileW.KERNEL32(00000000,?), ref: 0074F291
FindClose.KERNEL32(00000000), ref: 0074F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0074F2B8
_wcscmp.LIBCMT ref: 0074F2DF
_wcscmp.LIBCMT ref: 0074F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0074F308
SetCurrentDirectoryW.KERNEL32(0079A5A0), ref: 0074F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0074F330
FindClose.KERNEL32(00000000), ref: 0074F33D
FindClose.KERNEL32(00000000), ref: 0074F34F

Strings

*.*, xrefs: 0074F2B3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: bdd0d8d6006c35537dcb2af048fb2429589fbbbf7867731b7636f58972fe3553
Instruction ID: 80cd2f055de121cb3131fbcf28811104ac5e6f57600b6abb213af58011f243b7
Opcode Fuzzy Hash: bdd0d8d6006c35537dcb2af048fb2429589fbbbf7867731b7636f58972fe3553
Instruction Fuzzy Hash: 9931D376601219AFDF10DFB4EC98ADE77ACAF08360F104276E815D30A0EB78DA45CA64

Uniqueness

Uniqueness Score: -1.00%

Function 00760AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00760BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0076F910,00000000,?,00000000,?,?), ref: 00760C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00760C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00760D1D
RegCloseKey.ADVAPI32(?), ref: 0076103D
RegCloseKey.ADVAPI32(00000000), ref: 0076104A

Strings

REG_MULTI_SZ, xrefs: 00760E05
REG_QWORD, xrefs: 00760F8B
REG_BINARY, xrefs: 00760FD8
REG_DWORD, xrefs: 00760F0E
REG_SZ, xrefs: 00760D5B
REG_EXPAND_SZ, xrefs: 00760CBA

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 403b678ca0db81af0bac2a9f5a5c5f706c8f6bb1afdaec29eca8c2938dfe8b1e
Instruction ID: 5e68bae5d588b46c79142b27a4d8a0804cbd268627c183b081046dff7cb072fb
Opcode Fuzzy Hash: 403b678ca0db81af0bac2a9f5a5c5f706c8f6bb1afdaec29eca8c2938dfe8b1e
Instruction Fuzzy Hash: D5025A752006519FCB14EF25C885A2AB7E5FF88714F04895DF88A9B262CB34EC41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0074F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0074F37E
_wcscmp.LIBCMT ref: 0074F393
_wcscmp.LIBCMT ref: 0074F3AA

Part of subcall function 007445C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007445DC

FindNextFileW.KERNEL32(00000000,?), ref: 0074F3D9
FindClose.KERNEL32(00000000), ref: 0074F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0074F400
_wcscmp.LIBCMT ref: 0074F427
_wcscmp.LIBCMT ref: 0074F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0074F450
SetCurrentDirectoryW.KERNEL32(0079A5A0), ref: 0074F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0074F478
FindClose.KERNEL32(00000000), ref: 0074F485
FindClose.KERNEL32(00000000), ref: 0074F497

Strings

*.*, xrefs: 0074F3FB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 544ec0e597802311de0da391f34199bdf28858b9f61f594c43fdede080d6601c
Instruction ID: dd268362fe58a17fb29b6eaf1f2163a636e39c9ab4d8f2f469db3ba32067a19d
Opcode Fuzzy Hash: 544ec0e597802311de0da391f34199bdf28858b9f61f594c43fdede080d6601c
Instruction Fuzzy Hash: F731E571601259AFCF10AFB8EC88ADE77AC9F49320F104275E814A31A0DB7CDE44CA64

Uniqueness

Uniqueness Score: -1.00%

Function 007381F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0073874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00738766
Part of subcall function 0073874A: GetLastError.KERNEL32(?,0073822A,?,?,?), ref: 00738770
Part of subcall function 0073874A: GetProcessHeap.KERNEL32(00000008,?,?,0073822A,?,?,?), ref: 0073877F
Part of subcall function 0073874A: HeapAlloc.KERNEL32(00000000,?,0073822A,?,?,?), ref: 00738786
Part of subcall function 0073874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073879D

Part of subcall function 007387E7: GetProcessHeap.KERNEL32(00000008,00738240,00000000,00000000,?,00738240,?), ref: 007387F3
Part of subcall function 007387E7: HeapAlloc.KERNEL32(00000000,?,00738240,?), ref: 007387FA
Part of subcall function 007387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00738240,?), ref: 0073880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0073825B
_memset.LIBCMT ref: 00738270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0073828F
GetLengthSid.ADVAPI32(?), ref: 007382A0
GetAce.ADVAPI32(?,00000000,?), ref: 007382DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007382F9
GetLengthSid.ADVAPI32(?), ref: 00738316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00738325
HeapAlloc.KERNEL32(00000000), ref: 0073832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0073834D
CopySid.ADVAPI32(00000000), ref: 00738354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00738385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007383AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007383BF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 6b21762044cd48151144a399e8116192160b6492a3af344d2ac2152f086aa84d
Instruction ID: 086e32637ba810a256cc0ceba618e8b357a860aae5feb041cb20d0a20075f2ea
Opcode Fuzzy Hash: 6b21762044cd48151144a399e8116192160b6492a3af344d2ac2152f086aa84d
Instruction Fuzzy Hash: E8615D71904209EFEF00DF94DC45AEEBBB9FF44700F148169F816A7292DB799A05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006F6843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

Oao, xrefs: 00731888, 0073192F, 007319DD
NO_START_OPT), xrefs: 00731588
CR), xrefs: 007316C0
LIMIT_MATCH=, xrefs: 007315A9
BSR_UNICODE), xrefs: 00731771
ANY), xrefs: 00731717
BSR_ANYCRLF), xrefs: 00731757
NO_AUTO_POSSESS), xrefs: 00731567
UTF), xrefs: 00731533
UTF16), xrefs: 00731508
UCP), xrefs: 00731546
CRLF), xrefs: 007316FA
LIMIT_RECURSION=, xrefs: 00731635
ANYCRLF), xrefs: 00731734
PJx, xrefs: 006F68B3
LF), xrefs: 007316DD

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oao$PJx$UCP)$UTF)$UTF16)
API String ID: 0-33242879
Opcode ID: 023f84105acd5acdd594e67e34252efbdc80975d494b53105004502ddbf9c237
Instruction ID: 70a849bcd091639d25538fe5993c0d86c71dfc8d2fbd88d0bcd6da10b9204cbe
Opcode Fuzzy Hash: 023f84105acd5acdd594e67e34252efbdc80975d494b53105004502ddbf9c237
Instruction Fuzzy Hash: C4725E75E00219DBEB24CF58D8807BEB7B6FF48310F54816AE949EB291EB749D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00760665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00760038,?,?), ref: 007610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00760737

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007607D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0076086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00760AAD
RegCloseKey.ADVAPI32(00000000), ref: 00760ABA

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 8e31faf9c9cfac3a93d4420265fa9694b40b63ca413d95e606927c8dc859cb9f
Instruction ID: 76134581b1c3a0dc56d8be6bbb525464c30efaabd8d4b3282cbd0a9e0e24f953
Opcode Fuzzy Hash: 8e31faf9c9cfac3a93d4420265fa9694b40b63ca413d95e606927c8dc859cb9f
Instruction Fuzzy Hash: 4BE13B71204310AFCB14DF29C895E6BBBE5EF89714B04896DF84ADB262DA34ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00740219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00740241
GetAsyncKeyState.USER32(000000A0), ref: 007402C2
GetKeyState.USER32(000000A0), ref: 007402DD
GetAsyncKeyState.USER32(000000A1), ref: 007402F7
GetKeyState.USER32(000000A1), ref: 0074030C
GetAsyncKeyState.USER32(00000011), ref: 00740324
GetKeyState.USER32(00000011), ref: 00740336
GetAsyncKeyState.USER32(00000012), ref: 0074034E
GetKeyState.USER32(00000012), ref: 00740360
GetAsyncKeyState.USER32(0000005B), ref: 00740378
GetKeyState.USER32(0000005B), ref: 0074038A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9c46ab4f9c616bf1a75b55ac7d35e62ad26ce0aa6cbd58c44c6e95690a23cd50
Instruction ID: 2393dabf4b84245ca62e321b595b22525b31809a78fa07bcf7f78b4d15949698
Opcode Fuzzy Hash: 9c46ab4f9c616bf1a75b55ac7d35e62ad26ce0aa6cbd58c44c6e95690a23cd50
Instruction Fuzzy Hash: 174175345047C96EFF319E6498083A5BEA07B12344F08859ED7C6561C2EBFC5DD48BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00754458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0075447F
EmptyClipboard.USER32 ref: 00754485
GlobalAlloc.KERNEL32(00000002,?), ref: 0075449A
CloseClipboard.USER32 ref: 00754539

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2680f62b7e6e8265e7f6d81e405aae50f78cbd1d7c93de752815536c27a08946
Instruction ID: 4ccc6f2ce9e2e4e2f2d18af3d271d5060b45c855cbbc2b9fbd0d1e546d304d9e
Opcode Fuzzy Hash: 2680f62b7e6e8265e7f6d81e405aae50f78cbd1d7c93de752815536c27a08946
Instruction Fuzzy Hash: A3216D35201210AFDB10AF65EC09B6D77A8FF44725F14C02AF946DB2A1DBB8AD41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00743A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006E48A1,?,?,006E37C0,?), ref: 006E48CE

Part of subcall function 00744CD3: GetFileAttributesW.KERNEL32(?,00743947), ref: 00744CD4

FindFirstFileW.KERNEL32(?,?), ref: 00743ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00743B87
MoveFileW.KERNEL32(?,?), ref: 00743B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00743BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00743BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00743BF5

Strings

\*.*, xrefs: 00743A8A, 00743A93, 00743AA8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 1a066287523b417a5d5236948ab39659792ad589510ebfbdb75565a18264a92e
Instruction ID: 46ce9e63b7eec0e0de979c1cc301e49fe236cbceb08a294014110aad3ae13b92
Opcode Fuzzy Hash: 1a066287523b417a5d5236948ab39659792ad589510ebfbdb75565a18264a92e
Instruction Fuzzy Hash: E251907180238D9ACF05EBA5DE929EDB77AAF14300F6441ADE40677091EF746F09CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 006F4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

Oao, xrefs: 006F4984, 00728173
ERCP, xrefs: 006F421F
VUUU, xrefs: 006F4520
VUUU, xrefs: 006F44ED
VUUU, xrefs: 00727B0C
VUUU, xrefs: 006F44DB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID: ERCP$Oao$VUUU$VUUU$VUUU$VUUU
API String ID: 0-349144446
Opcode ID: 1fa0de31af24a792aa9412f8742701f344b4deba28190a9824771e09dba5c718
Instruction ID: 035e5627e9b8157f1c56713d0dfdc01fc74e5039509fc043f1da04c3d6d6fa28
Opcode Fuzzy Hash: 1fa0de31af24a792aa9412f8742701f344b4deba28190a9824771e09dba5c718
Instruction Fuzzy Hash: 66A28E70E0422ECBDF28CF58D9907FEB7B2BB54314F1481AAD955A7680EB749E81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0074F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0074F6AB
Sleep.KERNEL32(0000000A), ref: 0074F6DB
_wcscmp.LIBCMT ref: 0074F6EF
_wcscmp.LIBCMT ref: 0074F70A
FindNextFileW.KERNEL32(?,?), ref: 0074F7A8
FindClose.KERNEL32(00000000), ref: 0074F7BE

Strings

*.*, xrefs: 0074F690

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 58bd8e9124cb94f8927af0a8534df210947060c40bfe00e88d29e126b1d95acc
Instruction ID: a9e35e98f4d53cbf71a672eca73c29fdf674c8e644a350ff72ac68a43b49918e
Opcode Fuzzy Hash: 58bd8e9124cb94f8927af0a8534df210947060c40bfe00e88d29e126b1d95acc
Instruction Fuzzy Hash: 0741807190120AAFDF51DF64CC89EEEBBB4FF05310F54456AE815A31A0EB389E44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006F58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F5A05
_memmove.LIBCMT ref: 006F5A55
_memmove.LIBCMT ref: 006F5ABB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f515b12b1041c2ca52444b33fca91e677211f14bffdc5bd3d6c53cf731f7d145
Instruction ID: 969781707ede310b02ae28040d6b238e080932a1afab11cc85f08d817c0628d6
Opcode Fuzzy Hash: f515b12b1041c2ca52444b33fca91e677211f14bffdc5bd3d6c53cf731f7d145
Instruction Fuzzy Hash: 3D129A70A00609DFDF04DFA5D995AEEB7F6FF48300F108229E546A7291EB39AD11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006F5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00700FF6: std::exception::exception.LIBCMT ref: 0070102C
Part of subcall function 00700FF6: __CxxThrowException@8.LIBCMT ref: 00701041

_memmove.LIBCMT ref: 0073062F
_memmove.LIBCMT ref: 00730744
_memmove.LIBCMT ref: 007307EB

Strings

yZo, xrefs: 00730881, 007307FF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZo
API String ID: 1300846289-959988698
Opcode ID: 15c79d37c9d7f6efc485e4fac0e14820b9f855c129224b0c8ac95dde22af4732
Instruction ID: c0a9b59947e259333a1789b7faf7a02c913b3bf2366dbeb8641c178ef0a909a4
Opcode Fuzzy Hash: 15c79d37c9d7f6efc485e4fac0e14820b9f855c129224b0c8ac95dde22af4732
Instruction Fuzzy Hash: 6C02AEB0A00209DFDF04DF64D991ABEBBB6EF44300F148069E906DB296EB35DE51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0074545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00738CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00738D0D
Part of subcall function 00738CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00738D3A
Part of subcall function 00738CC3: GetLastError.KERNEL32 ref: 00738D47

ExitWindowsEx.USER32(?,00000000), ref: 0074549B

Strings

SeShutdownPrivilege, xrefs: 0074546B
, xrefs: 00745489
@, xrefs: 0074548E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: dff1de63f08f726c64fe1a49e84cba89e09b1284d84edc91decbfc873be0526e
Instruction ID: 1a6a4c98dbc0fb1c4f9fdc896d0c35f11a37c441125ad0a8106131030a61e122
Opcode Fuzzy Hash: dff1de63f08f726c64fe1a49e84cba89e09b1284d84edc91decbfc873be0526e
Instruction Fuzzy Hash: 5101F231655B516BFB6866BCEC8BBBA7258EB04752F240121FC17DA0D3DBAC5C8081A4

Uniqueness

Uniqueness Score: -1.00%

Function 006F3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oao, xrefs: 006F3482

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oao
API String ID: 674341424-627848640
Opcode ID: 5a0f9708291f9dfaf58d938ed673dca4ca0478924fb0552926d122128ab354fb
Instruction ID: 0b5dac64a189a90304ec9863f0a8f54cbf56cd300fa55bb573b1ec1cf530a4f3
Opcode Fuzzy Hash: 5a0f9708291f9dfaf58d938ed673dca4ca0478924fb0552926d122128ab354fb
Instruction Fuzzy Hash: A1229A71608365DFD724DF24C881B6AB7E6BF84304F10492DFA9697391DB34EA05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00756596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007565EF
WSAGetLastError.WSOCK32(00000000), ref: 007565FE
bind.WSOCK32(00000000,?,00000010), ref: 0075661A
listen.WSOCK32(00000000,00000005), ref: 00756629
WSAGetLastError.WSOCK32(00000000), ref: 00756643
closesocket.WSOCK32(00000000,00000000), ref: 00756657

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: a3247b6ba9505b778f7537cf22be632e6c96359fc285c5b2869565974825762e
Instruction ID: b0127d47fe7e2e8deab93533bdb90a31c003721f8b202d94fcfc49a6188c229e
Opcode Fuzzy Hash: a3247b6ba9505b778f7537cf22be632e6c96359fc285c5b2869565974825762e
Instruction Fuzzy Hash: D7219E30600200AFCB10AF24D889A6EB7E9EF44721F548169E956A73D1CBB8AD058B65

Uniqueness

Uniqueness Score: -1.00%

Function 006E1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006E19FA
GetSysColor.USER32(0000000F), ref: 006E1A4E
SetBkColor.GDI32(?,00000000), ref: 006E1A61

Part of subcall function 006E1290: DefDlgProcW.USER32(?,00000020,?), ref: 006E12D8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 2a2282e44111928f815b4fac218ba05a8d4c6bdfb83fdb3616ba500dda62e398
Instruction ID: 62e8c9acf622c63b7ce8a96a2fb2463316b8754a6c6d661ea1d5373562dc5006
Opcode Fuzzy Hash: 2a2282e44111928f815b4fac218ba05a8d4c6bdfb83fdb3616ba500dda62e398
Instruction Fuzzy Hash: 5FA104B01077C4BAD738AA2E8C59DFF355FDB87341B244129F402DA2D2DA3C9D42A2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00756A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007580CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00756AB1
WSAGetLastError.WSOCK32(00000000), ref: 00756ADA
bind.WSOCK32(00000000,?,00000010), ref: 00756B13
WSAGetLastError.WSOCK32(00000000), ref: 00756B20
closesocket.WSOCK32(00000000,00000000), ref: 00756B34

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 99870c7db8d8da991865114aeaf2e9111944ea0592f859db10b8c3ab7114b36e
Instruction ID: 26fd47d921838f6908f2d10a693ae35c995ba4651ff33617a04895b34817fdb2
Opcode Fuzzy Hash: 99870c7db8d8da991865114aeaf2e9111944ea0592f859db10b8c3ab7114b36e
Instruction Fuzzy Hash: 52419075600310AFEB50AF25DC86F6E77AAAF44720F44805CF91AAB3D2DAB49D0087A5

Uniqueness

Uniqueness Score: -1.00%

Function 007655FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0076564C
IsWindowEnabled.USER32 ref: 0076565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00765667
IsIconic.USER32 ref: 00765675
IsZoomed.USER32 ref: 00765683

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 367f56029b508f5f04caf782c184b5678a2227626d8fb88ec89748d69cb9b74e
Instruction ID: 0ca35f8a3f11580c02a8a5dbaf95f360379ee7e1ae01cc2d67b1de7f13d39002
Opcode Fuzzy Hash: 367f56029b508f5f04caf782c184b5678a2227626d8fb88ec89748d69cb9b74e
Instruction Fuzzy Hash: B811BF72701A116FE7212F26EC44A2BBB99EF44B21F808029EC07D7241CB789D01DAA9

Uniqueness

Uniqueness Score: -1.00%

Function 0074C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0074C69D
CoCreateInstance.OLE32(00772D6C,00000000,00000001,00772BDC,?), ref: 0074C6B5

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

CoUninitialize.OLE32 ref: 0074C922

Strings

.lnk, xrefs: 0074C631, 0074C659, 0074C663

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 175968aebab52141c234d6ec65078122d21c9d3e731dfaac0b1d066f6f8b1784
Instruction ID: cb5cba3c3eecc4b40d761d576907460fc2326a5b7ecd2588bd9af4a74b10e7b4
Opcode Fuzzy Hash: 175968aebab52141c234d6ec65078122d21c9d3e731dfaac0b1d066f6f8b1784
Instruction Fuzzy Hash: BDA14BB1109345AFD740EF55C881EABB7E9EF94304F00496CF156971A2EB70EE09CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0075C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00721D88,?), ref: 0075C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0075C324

Strings

GetSystemWow64DirectoryW, xrefs: 0075C31E
kernel32.dll, xrefs: 0075C30D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 21e8dc6566dd467c4254679ef6fa045b6e95c825fa0507954c9b15e64e68f4c6
Instruction ID: cacf0eda906220400aca13ec3e2992e4cb4863695a4adeeeafa2811f40aa1f2d
Opcode Fuzzy Hash: 21e8dc6566dd467c4254679ef6fa045b6e95c825fa0507954c9b15e64e68f4c6
Instruction Fuzzy Hash: 69E0ECB460071BCFDB259B39E804B8676D4EB09756B80C439EC96D2650E7BCD884CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0075F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0075F151
Process32FirstW.KERNEL32(00000000,?), ref: 0075F15F

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Process32NextW.KERNEL32(00000000,?), ref: 0075F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0075F22E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 7ebb414d40b29b84c683f252705494742eaa9337d770a164ee94970f34a0d0d9
Instruction ID: c70f0656bc9ff1349fac8b4e3acf4d67b54917b02ddc74a9efcedf56cec61cef
Opcode Fuzzy Hash: 7ebb414d40b29b84c683f252705494742eaa9337d770a164ee94970f34a0d0d9
Instruction Fuzzy Hash: 5851BF715093409FD350EF25DC85EABBBE9FF88710F10482DF99687291EB70A908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0073EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0073EB19

Strings

|, xrefs: 0073EB49
(, xrefs: 0073EB5F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 25c6099687dfc9c972a34ded0496f3dc25961a79463a1d44a17f2e4639342aee
Instruction ID: 7fc9fa116f426fcdcdbd894f9b1362d604a5a717aaf2481a4c1f81ac03f3e73c
Opcode Fuzzy Hash: 25c6099687dfc9c972a34ded0496f3dc25961a79463a1d44a17f2e4639342aee
Instruction Fuzzy Hash: B53204B5A00605DFDB28CF19C481A6AB7F1FF48320B15C56EE49ADB3A2D774E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007525E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 007526D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0075270C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 1faea9aba9043772a0fa99553e62a14918220727774b3fb70d7e328b2aac4739
Instruction ID: 4b7b6ebac9bec3b7b12498fc9c153978ade95bceab80c0ac138cf27b06815ea0
Opcode Fuzzy Hash: 1faea9aba9043772a0fa99553e62a14918220727774b3fb70d7e328b2aac4739
Instruction Fuzzy Hash: 85413671600209FFEB20DB54CC85EFB73FCEB01316F10406AFE01A6542EAF99D4A9654

Uniqueness

Uniqueness Score: -1.00%

Function 0074B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0074B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0074B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0074B655

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1f0d7d478444f9021a0f2bfdea85a6d0751ee0461695123b9d63a41ec3f98c2b
Instruction ID: 7071f93b0206abf5ec3a418b3977cb7b034e191731f8d2a8b0213362440ac1a6
Opcode Fuzzy Hash: 1f0d7d478444f9021a0f2bfdea85a6d0751ee0461695123b9d63a41ec3f98c2b
Instruction Fuzzy Hash: 8C21A135A00208EFCB00EF65D884EADBBB8FF48310F0480A9E806AB351CB359905CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00738CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00700FF6: std::exception::exception.LIBCMT ref: 0070102C
Part of subcall function 00700FF6: __CxxThrowException@8.LIBCMT ref: 00701041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00738D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00738D3A
GetLastError.KERNEL32 ref: 00738D47

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 46b780ff3b35438edf2644491bcb67489566a4fee43149f127e9b2b617c70a9a
Instruction ID: 9f88a62e4841c4e31d5eec9ef8ddd5214cdc2820f7cea9180f1aa06066e74378
Opcode Fuzzy Hash: 46b780ff3b35438edf2644491bcb67489566a4fee43149f127e9b2b617c70a9a
Instruction Fuzzy Hash: 98118FB2514309EFE728AF54EC85D6BB7F8EB44710B20852EF45697242EB74BC408A64

Uniqueness

Uniqueness Score: -1.00%

Function 00744021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0074404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00744088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00744091

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: a68ec352ba7e526b682612ab8fda5faa7343c7f468e6f625ac74a5bb29f279e3
Instruction ID: 22114f786419412b566442418d6eec1baff24cbfa315970254d322dc98350e14
Opcode Fuzzy Hash: a68ec352ba7e526b682612ab8fda5faa7343c7f468e6f625ac74a5bb29f279e3
Instruction Fuzzy Hash: 8F1170B2900228BEE7109BE8DC44FAFBBBCEB09750F004656FA05E71A0C2B8591487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00744C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00744C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00744C43
FreeSid.ADVAPI32(?), ref: 00744C53

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 19a8eb54bfd0dce98cc3152fa72198e480c8417c8fb298d60e8b2039cbd96893
Instruction ID: fb535c42418f6697f0a977e7eb66555d0df1bf09addef3d63b21db34d30fc8e0
Opcode Fuzzy Hash: 19a8eb54bfd0dce98cc3152fa72198e480c8417c8fb298d60e8b2039cbd96893
Instruction Fuzzy Hash: 14F03C75A11308BBDB04DFE09D89AADB7B8EB08201F004469E502E2181D6745A048B54

Uniqueness

Uniqueness Score: -1.00%

Function 00748B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00748B25

Part of subcall function 0070543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007491F8,00000000,?,?,?,?,007493A9,00000000,?), ref: 00705443
Part of subcall function 0070543A: __aulldiv.LIBCMT ref: 00705463

Strings

0uz, xrefs: 00748B1C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0uz
API String ID: 2893107130-967977235
Opcode ID: 64b01670b3c2f4136c6461726e1209005110a99385ef26b73a6e71866bca9d7c
Instruction ID: 8853a641d38230fbfbc693e166f3888b9a3e91d45822ad81a6a8a746f9c08bce
Opcode Fuzzy Hash: 64b01670b3c2f4136c6461726e1209005110a99385ef26b73a6e71866bca9d7c
Instruction Fuzzy Hash: F021A272625514CFC729CF29D841A52B3E1EBA5311F288E6CE0E5CB2D0CB78B945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006EE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e2a4d6d25dce756ff5efd583ac58ae1aaf428767f73a62b235d34acb5aa633
Instruction ID: 1088c3fd5f90ebc6e161688e7e8304620b04d1144ed6afd687378c6a9a585355
Opcode Fuzzy Hash: 91e2a4d6d25dce756ff5efd583ac58ae1aaf428767f73a62b235d34acb5aa633
Instruction Fuzzy Hash: B722BE70A01356CFDB24DF55C484AAEB7F2FF08300F148169E8569B395E73AAD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0074C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0074C966
FindClose.KERNEL32(00000000), ref: 0074C996

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cba69aff4e9ac33b2ed2ef9b7f0034d6b78924c60dc74dc0ad7183a2a3de2381
Instruction ID: 0bf452c95d5d6301c8062abf47e4242c749084f7b42feed0bc0d05667974ba84
Opcode Fuzzy Hash: cba69aff4e9ac33b2ed2ef9b7f0034d6b78924c60dc74dc0ad7183a2a3de2381
Instruction Fuzzy Hash: 18115E726106009FD710EF2AD845A2AF7E9FF85324F04C55EF8AAD7291DB74AC00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0074A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0075977D,?,0076FB84,?), ref: 0074A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0075977D,?,0076FB84,?), ref: 0074A314

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 70bc09ef3b6fcd3275fa641fc727a0fff1b53d0803bfecdfcf2ff4a4c358afa4
Instruction ID: 81c632262b35617a80d41d66f8a219e0d7e0cb050ecbf756ae42bb7f787b15d1
Opcode Fuzzy Hash: 70bc09ef3b6fcd3275fa641fc727a0fff1b53d0803bfecdfcf2ff4a4c358afa4
Instruction Fuzzy Hash: 97F0E23114832DFBDB20AFA4CC48FEA736DBF08761F008265F909D6180E7749944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00738713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00738851), ref: 00738728
CloseHandle.KERNEL32(?,?,00738851), ref: 0073873A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 80cb650005be6fbfc0645476ce205d527e7f02b8d4069b783da697a44138564a
Instruction ID: b809d518a6db11f3fa9df0fe21f4534c02d2bd03a5d1565e5a869b2a8c0c8bb5
Opcode Fuzzy Hash: 80cb650005be6fbfc0645476ce205d527e7f02b8d4069b783da697a44138564a
Instruction Fuzzy Hash: BDE0B676014611EEF7252B61FD09D777BE9EB04350B248929F49680471DBA6AC90DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0070A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00708F97,?,?,?,00000001), ref: 0070A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0070A3A3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78edb1f2aaf4e8137390a4c50c570e204952f302cc55f6b28ce8ace831aa4afa
Instruction ID: 9526f8fed1aa4bf4f7ee7dbeffcca0b93840ea1d239c0569db2f3f08ebb8246b
Opcode Fuzzy Hash: 78edb1f2aaf4e8137390a4c50c570e204952f302cc55f6b28ce8ace831aa4afa
Instruction Fuzzy Hash: B0B09231058308ABCA002B92FC09B883F68EB44AA2F408020F60E84260EBA658508A99

Uniqueness

Uniqueness Score: -1.00%

Function 0070F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17c30b6490b45f9582c8336cfc8c42701333aa2b4911baf617fc49d417b64c2
Instruction ID: 66c1637138e1b1e503d0ee2417b714024d6be930ff8abf5418480d1b24c0a36e
Opcode Fuzzy Hash: a17c30b6490b45f9582c8336cfc8c42701333aa2b4911baf617fc49d417b64c2
Instruction Fuzzy Hash: 9932EF62D69F418DD7279634D832336A289AFB73C4F15D737E81AB5EA6EB2C84C34104

Uniqueness

Uniqueness Score: -1.00%

Function 0071267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e72f55b8bc359db5ab5408b4ad71c98527fe87c7649afb7a9b009cf59b989c7
Instruction ID: 0c8093819660155d8cfe6229b16d3ad743156377f1ae53bdacacaec37b6f9dec
Opcode Fuzzy Hash: 5e72f55b8bc359db5ab5408b4ad71c98527fe87c7649afb7a9b009cf59b989c7
Instruction Fuzzy Hash: A0B1E020D2AF414DE3239A39883533AB65CAFFB2C5B51D71BFC1A74D62EB2685C34141

Uniqueness

Uniqueness Score: -1.00%

Function 007541FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00754218

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1b0a95b5adc2cd2f753f1d14fd3b8d6b17b749cb2cf3405879b6d27cde88bb88
Instruction ID: cec7dc424fb0ec2dbe51211eeb3e0e77c56199d3c143f42d80f4b2ca6ace9afc
Opcode Fuzzy Hash: 1b0a95b5adc2cd2f753f1d14fd3b8d6b17b749cb2cf3405879b6d27cde88bb88
Instruction Fuzzy Hash: 86E04F712402149FC710EF5AE844A9AF7E9AF94765F00C02AFC4AC7352DAB4E8448BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00744EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00744F18

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b7dc63a3de8f3d769ebf4a7a828276ff7a74e959c16d9f5365f94c048c074ab4
Instruction ID: bcdc5bcc4f2c858a2566320d8acd6a8d4ebce8a872bd679f712788d7c8ee2995
Opcode Fuzzy Hash: b7dc63a3de8f3d769ebf4a7a828276ff7a74e959c16d9f5365f94c048c074ab4
Instruction Fuzzy Hash: 7ED09EB4168615B9FE184B20AC1FF761119E340791F9C59897602954C29AED6C58B035

Uniqueness

Uniqueness Score: -1.00%

Function 00738C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007388D1), ref: 00738CB3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 1e61fdbd45b9f65fd2d8b060e3c7e8ff3da8b3745b6471960fb039d2a9bd3f81
Instruction ID: 1fe52fc7266cc1a56a06881fa785c61d6daed01fcc2c85ef10f7b432df58bf01
Opcode Fuzzy Hash: 1e61fdbd45b9f65fd2d8b060e3c7e8ff3da8b3745b6471960fb039d2a9bd3f81
Instruction Fuzzy Hash: 59D09E3226460EBBEF019EA4ED05EAE3B69EB04B01F408511FE16D51A1C7B5D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00722230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00722242

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ab28b73974e8c2205fc62816a23c6cde18dd4555e747b78a43793e76f953977c
Instruction ID: 8540a2e1cf5cb2ac4c7bbd524085326fd826734a674fe2020709243bb81bca8e
Opcode Fuzzy Hash: ab28b73974e8c2205fc62816a23c6cde18dd4555e747b78a43793e76f953977c
Instruction Fuzzy Hash: 5FC04CF1800119DBDB05DB90E988DFE77BCBB04304F104055E102F2100D7789B448A71

Uniqueness

Uniqueness Score: -1.00%

Function 0070A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0070A36A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 65d70a567c83c3b17ec200c3b97f9cf7d013f54140d077a15f765476c7c67b0a
Instruction ID: 104a5347f4cb0cc9d49e95b90a01a9bcee1b92993f55a2d202e056d44082f17d
Opcode Fuzzy Hash: 65d70a567c83c3b17ec200c3b97f9cf7d013f54140d077a15f765476c7c67b0a
Instruction Fuzzy Hash: DDA0123000020CA78A001B42FC044447F5CD6001907008020F40D40121977258104584

Uniqueness

Uniqueness Score: -1.00%

Function 006F8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca771a27c4b9385314a7aaa9f5d2d5bdd527b5b89dfe50b75966ba2c1818d43e
Instruction ID: f73c2548213a2fac871dd561e534d0dd45dc746b924ac9f3be0be837a4cde7bc
Opcode Fuzzy Hash: ca771a27c4b9385314a7aaa9f5d2d5bdd527b5b89dfe50b75966ba2c1818d43e
Instruction Fuzzy Hash: 3E221B30605659CFEF288F18C4D46BD77A3FF42344F6484AADA528B693DB389D81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00702405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 8dc9afc66b7ccb374c3bf044843ebb4aebe414a9014431c48017e6696703222b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 0EC1B73320609389DF2D4639D53803EFAE15EA27B135A0B5DE8B3CB5D5EF28E525D620

Uniqueness

Uniqueness Score: -1.00%

Function 0070283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4d366e012d571728a595baefe063459d9cc2e4bfad675db0814ba4aa14618e20
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 46C1C53320519389DF6D4639C53803EFBE15BA27B135A0B6DE4B2DB4C5EF28E525D620

Uniqueness

Uniqueness Score: -1.00%

Function 00757B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00757B70
DeleteObject.GDI32(00000000), ref: 00757B82
DestroyWindow.USER32 ref: 00757B90
GetDesktopWindow.USER32 ref: 00757BAA
GetWindowRect.USER32(00000000), ref: 00757BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00757CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00757D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757D4A
GetClientRect.USER32(00000000,?), ref: 00757D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00757D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757DF8
GlobalFree.KERNEL32(00000000), ref: 00757E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00772CAC,00000000), ref: 00757E2B
GlobalFree.KERNEL32(00000000), ref: 00757E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00757E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00757E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00757EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0075808F

Strings

DISPLAY, xrefs: 00757EF2
AutoIt v3, xrefs: 00757D42
static, xrefs: 00757D8A, 00757EE1
, xrefs: 00758015

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9ceee94bc0f292cfe08caa0388ff2afa9e241f17658d9da63b5800dd83cf0d1a
Instruction ID: ea6f4634bde6373da8659c9a2a50edc2f27288a1d200bfd08c2294530b48655e
Opcode Fuzzy Hash: 9ceee94bc0f292cfe08caa0388ff2afa9e241f17658d9da63b5800dd83cf0d1a
Instruction Fuzzy Hash: AD029171900205EFDB14DF64EC89EAE7BB9FF49311F148158F916AB2A1CBB89D01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 007637F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0076F910), ref: 007638AF
IsWindowVisible.USER32(?), ref: 007638D3

Strings

ADDSTRING, xrefs: 0076399E
CHECK, xrefs: 00763AF5
GETCURRENTCOL, xrefs: 00763BB0
GETCURRENTLINE, xrefs: 00763B75
GETLINECOUNT, xrefs: 00763B4E
GETCURRENTSELECTION, xrefs: 00763A6B
DELSTRING, xrefs: 007639D1
TABLEFT, xrefs: 0076390F
CURRENTTAB, xrefs: 00763945
TABRIGHT, xrefs: 00763925
FINDSTRING, xrefs: 007639FE
ISVISIBLE, xrefs: 007638BF
SHOWDROPDOWN, xrefs: 00763968
ISCHECKED, xrefs: 00763AC1
GETLINE, xrefs: 00763C23
ISENABLED, xrefs: 007638F3
HIDEDROPDOWN, xrefs: 00763988
EDITPASTE, xrefs: 00763BE7
GETSELECTED, xrefs: 00763B2B
SENDCOMMANDID, xrefs: 00763C62
SELECTSTRING, xrefs: 00763A8E
UNCHECK, xrefs: 00763B0B
SETCURRENTSELECTION, xrefs: 00763A3E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c79ea66d3507ef4f74f7e96d587584c0221da4fb184b11bcca4986d76e12db7b
Instruction ID: 73da0ad54fd4e3f0a654a4cbf924ed5ab83f80da1ca181e23474a23b11001dd2
Opcode Fuzzy Hash: c79ea66d3507ef4f74f7e96d587584c0221da4fb184b11bcca4986d76e12db7b
Instruction Fuzzy Hash: 68D19E30208305DBCB14EF21D555A6A77A2AF94754F10856CFC875B2E3CB39EE0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0076A89F
GetSysColorBrush.USER32(0000000F), ref: 0076A8D0
GetSysColor.USER32(0000000F), ref: 0076A8DC
SetBkColor.GDI32(?,000000FF), ref: 0076A8F6
SelectObject.GDI32(?,?), ref: 0076A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0076A930
GetSysColor.USER32(00000010), ref: 0076A938
CreateSolidBrush.GDI32(00000000), ref: 0076A93F
FrameRect.USER32(?,?,00000000), ref: 0076A94E
DeleteObject.GDI32(00000000), ref: 0076A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0076A9A0
FillRect.USER32(?,?,?), ref: 0076A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0076A9FD

Part of subcall function 0076AB60: GetSysColor.USER32(00000012), ref: 0076AB99
Part of subcall function 0076AB60: SetTextColor.GDI32(?,?), ref: 0076AB9D
Part of subcall function 0076AB60: GetSysColorBrush.USER32(0000000F), ref: 0076ABB3
Part of subcall function 0076AB60: GetSysColor.USER32(0000000F), ref: 0076ABBE
Part of subcall function 0076AB60: GetSysColor.USER32(00000011), ref: 0076ABDB
Part of subcall function 0076AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0076ABE9
Part of subcall function 0076AB60: SelectObject.GDI32(?,00000000), ref: 0076ABFA
Part of subcall function 0076AB60: SetBkColor.GDI32(?,00000000), ref: 0076AC03
Part of subcall function 0076AB60: SelectObject.GDI32(?,?), ref: 0076AC10
Part of subcall function 0076AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0076AC2F
Part of subcall function 0076AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0076AC46
Part of subcall function 0076AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0076AC5B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b6d6a59cc24b8a6c610333a4c80e677224ac294f74bdb3b59af0847b5c881da1
Instruction ID: 52c6004f6169b93d938017af344b7f506912cb8b09c696858a9f7764acc4bed6
Opcode Fuzzy Hash: b6d6a59cc24b8a6c610333a4c80e677224ac294f74bdb3b59af0847b5c881da1
Instruction Fuzzy Hash: F1A17E72008305FFD7119F64EC08A5B7BA9FF89321F108A29F963A61A1D779D844CF56

Uniqueness

Uniqueness Score: -1.00%

Function 006E2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 006E2CA2
DeleteObject.GDI32(00000000), ref: 006E2CE8
DeleteObject.GDI32(00000000), ref: 006E2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 006E2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 006E2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0071C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0071C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0071CAED

Part of subcall function 006E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E2036,?,00000000,?,?,?,?,006E16CB,00000000,?), ref: 006E1B9A

SendMessageW.USER32(?,00001053), ref: 0071CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0071CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0071CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0071CB62

Strings

0, xrefs: 0071C981

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 945208089045084162f40ccc52413d107893dc121fca9cd1576bec7fc980b6a1
Instruction ID: 6f17534140878f4c3d4368288f71b27dda62182bdb8c53df854aedf0c48454b7
Opcode Fuzzy Hash: 945208089045084162f40ccc52413d107893dc121fca9cd1576bec7fc980b6a1
Instruction Fuzzy Hash: 1E12C030245342EFDB22CF28C895BA9B7E6FF04710F148569E596DB2A2C775EC82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007577BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007577F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007578B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007578EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00757900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00757946
GetClientRect.USER32(00000000,?), ref: 00757952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00757996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007579A5
GetStockObject.GDI32(00000011), ref: 007579B5
SelectObject.GDI32(00000000,00000000), ref: 007579B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007579C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007579D2
DeleteDC.GDI32(00000000), ref: 007579DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00757A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00757A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00757A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00757A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00757A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00757AAE
GetStockObject.GDI32(00000011), ref: 00757AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00757AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00757ACE

Strings

DISPLAY, xrefs: 0075799B
AutoIt v3, xrefs: 0075793E
static, xrefs: 00757990, 00757AA8
msctls_progress32, xrefs: 00757A4F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5f801c8007794abdc75c845b42d9584c944663a936ffdcdfa71399f343d0a918
Instruction ID: 7cb28641177806052a6408b3705e6513a8e9dc959f0b38ba44d1aa7ffdb639d6
Opcode Fuzzy Hash: 5f801c8007794abdc75c845b42d9584c944663a936ffdcdfa71399f343d0a918
Instruction Fuzzy Hash: 11A18171A00215BFEB14DBA4EC4AFAE7BB9EB45710F048118FA15A71E0D7B8AD00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0074AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0074AF89
GetDriveTypeW.KERNEL32(?,0076FAC0,?,\\.\,0076F910), ref: 0074B066
SetErrorMode.KERNEL32(00000000,0076FAC0,?,\\.\,0076F910), ref: 0074B1C4

Strings

iSCSI, xrefs: 0074B169
PhysicalDrive, xrefs: 0074B012
Virtual, xrefs: 0074B18C
SSD, xrefs: 0074B0F1
Fixed, xrefs: 0074B0AE
RAMDisk, xrefs: 0074B090
1394, xrefs: 0074B146
ATAPI, xrefs: 0074B138
CDROM, xrefs: 0074B09A
RAID, xrefs: 0074B162
Network, xrefs: 0074B0A4
SAS, xrefs: 0074B170
Removable, xrefs: 0074B0B8
Fibre, xrefs: 0074B154
SSA, xrefs: 0074B14D
\\.\, xrefs: 0074AFDB
ATA, xrefs: 0074B13F
Unknown, xrefs: 0074B086, 0074B12A
USB, xrefs: 0074B15B
SATA, xrefs: 0074B177
FileBackedVirtual, xrefs: 0074B193
MMC, xrefs: 0074B185
SCSI, xrefs: 0074B131

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5bbda8607a2704f7d496b7bf53311fa3f05e787628134e7ab97dd54ae4f4ea3f
Instruction ID: 93c12f1c9ff24232e31fedbbb471bdbf47d7c532b3f810cea98ff56d4a5587ca
Opcode Fuzzy Hash: 5bbda8607a2704f7d496b7bf53311fa3f05e787628134e7ab97dd54ae4f4ea3f
Instruction Fuzzy Hash: 7851D370685349FBCF04DB60E9939BD73B2AF157417208019E40AA72A0CB7DED41DF92

Uniqueness

Uniqueness Score: -1.00%

Function 006E6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006E6A91
__wcsnicmp.LIBCMT ref: 006E6AA9
__wcsnicmp.LIBCMT ref: 006E6AC1
__wcsnicmp.LIBCMT ref: 006E6AD9
__wcsnicmp.LIBCMT ref: 006E6AF1
__wcsnicmp.LIBCMT ref: 006E6B09
__wcsnicmp.LIBCMT ref: 006E6B21
__wcsnicmp.LIBCMT ref: 006E6B35
__wcsnicmp.LIBCMT ref: 006E6B76
__wcsnicmp.LIBCMT ref: 006E6B8A
__wcsnicmp.LIBCMT ref: 006E6B9E
__wcsnicmp.LIBCMT ref: 006E6BB2

Strings

#comments-end, xrefs: 006E6B98
#notrayicon, xrefs: 006E6AA3
#comments-start, xrefs: 006E6B1B, 006E6B70
#include-once, xrefs: 006E6AEB
#pragma compile, xrefs: 006E6A8B
#include, xrefs: 006E6B03
#OnAutoItStartRegister, xrefs: 006E6AD3
Bad directive syntax error, xrefs: 0071E743
#requireadmin, xrefs: 006E6ABB
#cs, xrefs: 006E6B2F, 006E6B84
Cannot parse #include, xrefs: 0071E819
#ce, xrefs: 006E6BAC
Unterminated group of comments, xrefs: 0071E82C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 8b7b11a478b7e36c23540392e1fa9429c3754f361cc81ad5b192a87ac164c4d6
Instruction ID: 2b66118cdfcbc37cb337db1875cd65d24a509e753691db0599107cd497359e39
Opcode Fuzzy Hash: 8b7b11a478b7e36c23540392e1fa9429c3754f361cc81ad5b192a87ac164c4d6
Instruction Fuzzy Hash: 77813FB0741385FADB20AB39DC46FFE7799AF20340F044125FD46EA1C2E768DA52C265

Uniqueness

Uniqueness Score: -1.00%

Function 0076AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0076AB99
SetTextColor.GDI32(?,?), ref: 0076AB9D
GetSysColorBrush.USER32(0000000F), ref: 0076ABB3
GetSysColor.USER32(0000000F), ref: 0076ABBE
CreateSolidBrush.GDI32(?), ref: 0076ABC3
GetSysColor.USER32(00000011), ref: 0076ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0076ABE9
SelectObject.GDI32(?,00000000), ref: 0076ABFA
SetBkColor.GDI32(?,00000000), ref: 0076AC03
SelectObject.GDI32(?,?), ref: 0076AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0076AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0076AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0076AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0076ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0076ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0076ACEC
DrawFocusRect.USER32(?,?), ref: 0076ACF7
GetSysColor.USER32(00000011), ref: 0076AD05
SetTextColor.GDI32(?,00000000), ref: 0076AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0076AD21
SelectObject.GDI32(?,0076A869), ref: 0076AD38
DeleteObject.GDI32(?), ref: 0076AD43
SelectObject.GDI32(?,?), ref: 0076AD49
DeleteObject.GDI32(?), ref: 0076AD4E
SetTextColor.GDI32(?,?), ref: 0076AD54
SetBkColor.GDI32(?,?), ref: 0076AD5E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6465c916077af224fcfdcef135192a2fc420bf46045188dc8db8d9d502421a93
Instruction ID: d5dfb92a6d7fc5b13f0d243930f878f5b9753f249001cc744843ce848f362d79
Opcode Fuzzy Hash: 6465c916077af224fcfdcef135192a2fc420bf46045188dc8db8d9d502421a93
Instruction Fuzzy Hash: 68611D71900218FFDB159FA4EC48EAE7B79EB09320F108125F916AB2A1D6B99D40DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00768C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00768D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00768D45
CharNextW.USER32(0000014E), ref: 00768D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00768DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00768DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00768DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00768DF9
SetWindowTextW.USER32(?,0000014E), ref: 00768E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00768E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00768E8C
_memset.LIBCMT ref: 00768EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00768EFA
_memset.LIBCMT ref: 00768F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00768F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00768FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00769088
InvalidateRect.USER32(?,00000000,00000001), ref: 007690AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007690F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00769121
DrawMenuBar.USER32(?), ref: 00769130
SetWindowTextW.USER32(?,0000014E), ref: 00769158

Strings

0, xrefs: 007690C2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 5f51252a1ab0dc98c1289f7c539c73c6bc909f73747f1461c30b5aeb3d86fabd
Instruction ID: 576281df8d7f2f0803fcdf6d24c123abb66a2eb9178543180ef5112feef4fc48
Opcode Fuzzy Hash: 5f51252a1ab0dc98c1289f7c539c73c6bc909f73747f1461c30b5aeb3d86fabd
Instruction Fuzzy Hash: C1E18370900219EBDF209F54CC88EEE7BB9EF05710F148255FD27AA291DB788A81DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00764B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00764C51
GetDesktopWindow.USER32 ref: 00764C66
GetWindowRect.USER32(00000000), ref: 00764C6D
GetWindowLongW.USER32(?,000000F0), ref: 00764CCF
DestroyWindow.USER32(?), ref: 00764CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00764D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00764D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00764D68
SendMessageW.USER32(?,00000421,?,?), ref: 00764D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00764D90
IsWindowVisible.USER32(?), ref: 00764DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00764DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00764DDF
GetWindowRect.USER32(?,?), ref: 00764DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00764E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00764E37
CopyRect.USER32(?,?), ref: 00764E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00764EB9

Strings

0, xrefs: 00764BFC
tooltips_class32, xrefs: 00764D1D
(, xrefs: 00764E2A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 63046022fee0a55490677249b162dddf9c56fa359ecdc74d5fa6372fcc725e97
Instruction ID: 19719f7baa87c8029a3ccd14e4d9ed26878bb4ca4918fab1b322f3f0ed3eb1e1
Opcode Fuzzy Hash: 63046022fee0a55490677249b162dddf9c56fa359ecdc74d5fa6372fcc725e97
Instruction Fuzzy Hash: B7B1AE71608340AFDB44DF25D848B6ABBE5FF88714F00891CF99A9B2A1D775EC04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006E27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E28BC
GetSystemMetrics.USER32(00000007), ref: 006E28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E28EF
GetSystemMetrics.USER32(00000008), ref: 006E28F7
GetSystemMetrics.USER32(00000004), ref: 006E291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006E2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006E2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006E297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006E2990
GetClientRect.USER32(00000000,000000FF), ref: 006E29AE
GetStockObject.GDI32(00000011), ref: 006E29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006E29D5

Part of subcall function 006E2344: GetCursorPos.USER32(?), ref: 006E2357
Part of subcall function 006E2344: ScreenToClient.USER32(007A67B0,?), ref: 006E2374
Part of subcall function 006E2344: GetAsyncKeyState.USER32(00000001), ref: 006E2399
Part of subcall function 006E2344: GetAsyncKeyState.USER32(00000002), ref: 006E23A7

SetTimer.USER32(00000000,00000000,00000028,006E1256), ref: 006E29FC

Strings

AutoIt v3 GUI, xrefs: 006E2974

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 26e00de8ffbdda7a2a04b46ace19b743e39b8cdd2d3a36aa70d933daeeecb4a8
Instruction ID: 9441808cee1ab745c22493d035128db2288df291811cb43fac42eeb0016cb839
Opcode Fuzzy Hash: 26e00de8ffbdda7a2a04b46ace19b743e39b8cdd2d3a36aa70d933daeeecb4a8
Instruction Fuzzy Hash: 6DB1BC7160034ADFDB14DFA8DC55BEE7BAAFB08310F108229FA16A72D0CB789841CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00764069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007640F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007641B6

Strings

GETTEXT, xrefs: 0076415F
SELECTALL, xrefs: 0076421D
SELECTINVERT, xrefs: 00764286
GETSELECTEDCOUNT, xrefs: 00764199
FINDITEM, xrefs: 00764329
SELECTCLEAR, xrefs: 00764235
DESELECT, xrefs: 007642A4
SELECT, xrefs: 00764250
ISSELECTED, xrefs: 007641C1
GETSUBITEMCOUNT, xrefs: 00764141
GETSELECTED, xrefs: 007642E4
VIEWCHANGE, xrefs: 00764375
GETITEMCOUNT, xrefs: 00764128

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 6171362065f21e309fdc5e04dc7e9823be04b4b85af1e88e8407594d77736707
Instruction ID: c3c40a069e556ef013c576c74a095c8bc49b200ac0d9aba78ac94bac21f046ac
Opcode Fuzzy Hash: 6171362065f21e309fdc5e04dc7e9823be04b4b85af1e88e8407594d77736707
Instruction Fuzzy Hash: 22A17C30214341DFCB14EF25D951A6AB3E6BF94714F14896CB8A69B3D2DB38EC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007552F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00755309
LoadCursorW.USER32(00000000,00007F8A), ref: 00755314
LoadCursorW.USER32(00000000,00007F00), ref: 0075531F
LoadCursorW.USER32(00000000,00007F03), ref: 0075532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00755335
LoadCursorW.USER32(00000000,00007F01), ref: 00755340
LoadCursorW.USER32(00000000,00007F81), ref: 0075534B
LoadCursorW.USER32(00000000,00007F88), ref: 00755356
LoadCursorW.USER32(00000000,00007F80), ref: 00755361
LoadCursorW.USER32(00000000,00007F86), ref: 0075536C
LoadCursorW.USER32(00000000,00007F83), ref: 00755377
LoadCursorW.USER32(00000000,00007F85), ref: 00755382
LoadCursorW.USER32(00000000,00007F82), ref: 0075538D
LoadCursorW.USER32(00000000,00007F84), ref: 00755398
LoadCursorW.USER32(00000000,00007F04), ref: 007553A3
LoadCursorW.USER32(00000000,00007F02), ref: 007553AE
GetCursorInfo.USER32(?), ref: 007553BE
GetLastError.KERNEL32(00000001,00000000), ref: 007553E9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2f0cd7e0c544c646bf47970cadddcd5d9bc18ee55903711674674a2890ecc49e
Instruction ID: 832770122828e70973db6ba47cefbf5802e9f5e2a0175be73f135b944afe1bbf
Opcode Fuzzy Hash: 2f0cd7e0c544c646bf47970cadddcd5d9bc18ee55903711674674a2890ecc49e
Instruction Fuzzy Hash: D4416470E043196ADB109FBA8C4996FFFF8EF51B50F10452FE509E7291DAB8A401CE65

Uniqueness

Uniqueness Score: -1.00%

Function 0073AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0073AAA5
__swprintf.LIBCMT ref: 0073AB46
_wcscmp.LIBCMT ref: 0073AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0073ABAE
_wcscmp.LIBCMT ref: 0073ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0073AC21
GetDlgCtrlID.USER32(?), ref: 0073AC73
GetWindowRect.USER32(?,?), ref: 0073ACA9
GetParent.USER32(?), ref: 0073ACC7
ScreenToClient.USER32(00000000), ref: 0073ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0073AD48
_wcscmp.LIBCMT ref: 0073AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0073AD82
_wcscmp.LIBCMT ref: 0073AD96

Part of subcall function 0070386C: _iswctype.LIBCMT ref: 00703874

Strings

%s%u, xrefs: 0073AB40

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5f3ada4f46c348c49f81572e1b035fbaa069afa0a298caa80561fd5166d5d41b
Instruction ID: 001340560b6c5c8a19a4cb3d301cc4c9943c430e9e9d356d2275fe946bb179a3
Opcode Fuzzy Hash: 5f3ada4f46c348c49f81572e1b035fbaa069afa0a298caa80561fd5166d5d41b
Instruction Fuzzy Hash: 0DA1B072204706FBE714DF24C885BAAB7E8FF04315F008629F9D9D2592D738E955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0073B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0073B3DB
_wcscmp.LIBCMT ref: 0073B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0073B414
CharUpperBuffW.USER32(?,00000000), ref: 0073B431
_wcscmp.LIBCMT ref: 0073B44F
_wcsstr.LIBCMT ref: 0073B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0073B498
_wcscmp.LIBCMT ref: 0073B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0073B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0073B518
_wcscmp.LIBCMT ref: 0073B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0073B550
GetWindowRect.USER32(00000004,?), ref: 0073B5B9

Strings

@, xrefs: 0073B3BC
ThumbnailClass, xrefs: 0073B4A3, 0073B523

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: cc3667f9887af93f6f0a9113be176cfe69e2aa672ceab8a7ba3eda924f6a167e
Instruction ID: 75162ab80fe59e6354972cd97819089a01a15f5dc40dcdf9cb1603896b1447c5
Opcode Fuzzy Hash: cc3667f9887af93f6f0a9113be176cfe69e2aa672ceab8a7ba3eda924f6a167e
Instruction Fuzzy Hash: E5819E71008345DBEB05DF14D885FAA7BE8EF84314F048569FE899A093DB38DE49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0076C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

DragQueryPoint.SHELL32(?,?), ref: 0076C917

Part of subcall function 0076ADF1: ClientToScreen.USER32(?,?), ref: 0076AE1A
Part of subcall function 0076ADF1: GetWindowRect.USER32(?,?), ref: 0076AE90
Part of subcall function 0076ADF1: PtInRect.USER32(?,?,0076C304), ref: 0076AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0076C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0076C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0076C9AE
_wcscat.LIBCMT ref: 0076C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0076C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0076CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0076CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0076CA47
DragFinish.SHELL32(?), ref: 0076CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0076CB41

Strings

@GUI_DROPID, xrefs: 0076CA6E
@GUI_DRAGFILE, xrefs: 0076CAF0
prz, xrefs: 0076CA8B
@GUI_DRAGID, xrefs: 0076CAB9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prz
API String ID: 169749273-1664735338
Opcode ID: 35179722a88562ad719d6f019beda0dd51a15d00cdda1c5e2b148dcc0156224f
Instruction ID: da3af71ed3ff9ea3d62568080c96afaa67c79f43a9e89a092ea67c47172c30cf
Opcode Fuzzy Hash: 35179722a88562ad719d6f019beda0dd51a15d00cdda1c5e2b148dcc0156224f
Instruction Fuzzy Hash: 19618C71108340AFC701DF65DC89DABBBE9EF89710F004A2DF5A6931A1DB749A09CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0073B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0073B23F

Strings

[LAST, xrefs: 0073B2EC
ALL, xrefs: 0073B2D3
[CLASS:, xrefs: 0073B28F
LAST, xrefs: 0073B204
REGEXP=, xrefs: 0073B254
[HANDLE:, xrefs: 0073B24B
CLASSNAME=, xrefs: 0073B27C
ACTIVE, xrefs: 0073B21A
[REGEXPTITLE:, xrefs: 0073B267
[ALL, xrefs: 0073B2E5
HANDLE=, xrefs: 0073B238
[ACTIVE, xrefs: 0073B22C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e24f2b276aeb216ad9815375bf813b58f774cc7633de08405b961ffb9d38e3ba
Instruction ID: 6dd770358125441ad45149296c1713364aec02850f03436fd26d6e3b502a493e
Opcode Fuzzy Hash: e24f2b276aeb216ad9815375bf813b58f774cc7633de08405b961ffb9d38e3ba
Instruction Fuzzy Hash: 2131EF71A04349E6FF10FAA5ED43EEE77A9AF24750F60022CB601720D2EF6A6E04C655

Uniqueness

Uniqueness Score: -1.00%

Function 0073C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0073C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0073C4E6
SetWindowTextW.USER32(?,?), ref: 0073C4FD
GetDlgItem.USER32(?,000003EA), ref: 0073C512
SetWindowTextW.USER32(00000000,?), ref: 0073C518
GetDlgItem.USER32(?,000003E9), ref: 0073C528
SetWindowTextW.USER32(00000000,?), ref: 0073C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0073C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0073C569
GetWindowRect.USER32(?,?), ref: 0073C572
SetWindowTextW.USER32(?,?), ref: 0073C5DD
GetDesktopWindow.USER32 ref: 0073C5E3
GetWindowRect.USER32(00000000), ref: 0073C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0073C636
GetClientRect.USER32(?,?), ref: 0073C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0073C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0073C693

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: f77ce22c18f4b4b4882c068ddabbfed4d799e24d261c6076d9fd28bb12066a4e
Instruction ID: 9dde15030d699095369f69b148792f0ccdf9d37b11e0d6b4a1d600675ccaa293
Opcode Fuzzy Hash: f77ce22c18f4b4b4882c068ddabbfed4d799e24d261c6076d9fd28bb12066a4e
Instruction Fuzzy Hash: 7C518171900709EFEB21DFA8DD89B6EBBF5FF04704F104528E692A25A1C7B8B914CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0076A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076A4C8
DestroyWindow.USER32(00000000,?), ref: 0076A542

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0076A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0076A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0076A5F1
DestroyWindow.USER32(00000000), ref: 0076A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006E0000,00000000), ref: 0076A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0076A663
GetDesktopWindow.USER32 ref: 0076A67C
GetWindowRect.USER32(00000000), ref: 0076A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0076A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0076A6B3

Part of subcall function 006E25DB: GetWindowLongW.USER32(?,000000EB), ref: 006E25EC

Strings

0, xrefs: 0076A4DE
tooltips_class32, xrefs: 0076A5B5, 0076A643

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: e1c7cbddd3eed4a034d52b9c17e2fdf0547db0ad05370a1fa2d8aecb1b4ab842
Instruction ID: 760d0e9961ce9168c7d0859b4f2850db9351f09a984a18fbf370bcdd00132d1d
Opcode Fuzzy Hash: e1c7cbddd3eed4a034d52b9c17e2fdf0547db0ad05370a1fa2d8aecb1b4ab842
Instruction Fuzzy Hash: D3718A71140345AFD720DF28DC49F667BEAEB89700F08852CF996972A1D7B8E912CF16

Uniqueness

Uniqueness Score: -1.00%

Function 00764619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007646AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007646F6

Strings

GETTEXT, xrefs: 00764849
SELECT, xrefs: 007648A7
GETTOTALCOUNT, xrefs: 007646DD
ISCHECKED, xrefs: 00764879
COLLAPSE, xrefs: 0076473C
EXISTS, xrefs: 0076475F
CHECK, xrefs: 00764716
GETSELECTED, xrefs: 00764806
EXPAND, xrefs: 007647A8
UNCHECK, xrefs: 007648D2
GETITEMCOUNT, xrefs: 007647D8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ea82fae756383262818c042d2b8f0df6b90ca0ea4176c560c4a2f76c024cbfec
Instruction ID: 1a9eadbbd56c280419b07083518e8d8d4450866c4be506fc71e8595df6829a68
Opcode Fuzzy Hash: ea82fae756383262818c042d2b8f0df6b90ca0ea4176c560c4a2f76c024cbfec
Instruction Fuzzy Hash: 62914674204342DFCB14EF21C451A6AB7E2AF94314F04886CEC965B7A3CB38ED4ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 0076BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0076BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00766D80,?), ref: 0076BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0076BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0076BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0076BC7D
FreeLibrary.KERNEL32(?), ref: 0076BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0076BC99
DestroyIcon.USER32(?), ref: 0076BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0076BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0076BCD1

Part of subcall function 0070313D: __wcsicmp_l.LIBCMT ref: 007031C6

Strings

.exe, xrefs: 0076BB04
.dll, xrefs: 0076BB27
.icl, xrefs: 0076BAE4

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 6a4417f5978c6305f3622da087b220e71bbd474785dedb7f08f4494d01795be7
Instruction ID: 07854033b8068471b9f444493be4961734abf464009d9377ec54981d46437733
Opcode Fuzzy Hash: 6a4417f5978c6305f3622da087b220e71bbd474785dedb7f08f4494d01795be7
Instruction Fuzzy Hash: E661D1B1500619FEEB14DF64DC49BBA77A8FF09710F10821AFD16D60C1DBB89A90DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0074A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0076FB78), ref: 0074A0FC

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0074A11E
__swprintf.LIBCMT ref: 0074A177
__swprintf.LIBCMT ref: 0074A190
_wprintf.LIBCMT ref: 0074A246
_wprintf.LIBCMT ref: 0074A264

Strings

Error: , xrefs: 0074A20E
"%s" (%d) : ==> %s:, xrefs: 0074A25F
^ ERROR, xrefs: 0074A1E8
Line %d (File "%s"):, xrefs: 0074A171, 0074A18A
"%s" (%d) : ==> %s:%s%s, xrefs: 0074A241
%w, xrefs: 0074A0C9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%w
API String ID: 311963372-2879527458
Opcode ID: e1d61452083c3bd03a8338cb778ea1fc30062e24e2a15b19287432c881d77572
Instruction ID: 42ce41c067c0bdaacc652d342a43cdc15d16f41f901db702c8085d50a8861a50
Opcode Fuzzy Hash: e1d61452083c3bd03a8338cb778ea1fc30062e24e2a15b19287432c881d77572
Instruction Fuzzy Hash: 0451CF7290120ABADF15EBE0CD86EEEB779BF04300F104169F505720A1EB796F48DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0074A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

CharLowerBuffW.USER32(?,?), ref: 0074A636
GetDriveTypeW.KERNEL32 ref: 0074A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0074A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0074A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0074A730

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

Strings

wait, xrefs: 0074A6ED
type cdaudio alias cd wait, xrefs: 0074A6AE
open , xrefs: 0074A692
open, xrefs: 0074A65D
close cd wait, xrefs: 0074A71B
close, xrefs: 0074A63C
set cd door , xrefs: 0074A6D1
closed, xrefs: 0074A64A, 0074A653

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e687c15f935eff4567611c23824faf7d30d10bff0344c94d085810ff6d89e9c3
Instruction ID: fcbfbab3a5c15e97d3baee332d8a4cffe6ee6752631dc1bf7f4c93792dcee1cd
Opcode Fuzzy Hash: e687c15f935eff4567611c23824faf7d30d10bff0344c94d085810ff6d89e9c3
Instruction Fuzzy Hash: B151A171109345AFC740EF25D88186AB7F5FF94718F04496CF886572A1DB35EE0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0074A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0074A47A
__swprintf.LIBCMT ref: 0074A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0074A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0074A4FE
_memset.LIBCMT ref: 0074A51D
_wcsncpy.LIBCMT ref: 0074A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0074A58E
CloseHandle.KERNEL32(00000000), ref: 0074A599
RemoveDirectoryW.KERNEL32(?), ref: 0074A5A2
CloseHandle.KERNEL32(00000000), ref: 0074A5AC

Strings

\??\%s, xrefs: 0074A496
:, xrefs: 0074A4BD
\, xrefs: 0074A4B2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 5be5cda268ef7078dc547bcc083b09670d36512f52bd85d6d746ed7a953fccb0
Instruction ID: 59dea2e4eaafdd4bd65679ddcf07261a136d9e6eb4071071411bbf46fd688724
Opcode Fuzzy Hash: 5be5cda268ef7078dc547bcc083b09670d36512f52bd85d6d746ed7a953fccb0
Instruction Fuzzy Hash: FD31B2B1540209BBDB219FA4DC48FEF77BCEF88701F1041B6F909D6190E7B896548B25

Uniqueness

Uniqueness Score: -1.00%

Function 0071AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0071AB7B
___wtomb_environ.LIBCMT ref: 0071AB9D

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

__malloc_crt.LIBCMT ref: 0071ABC5
__malloc_crt.LIBCMT ref: 0071ABE2
_free.LIBCMT ref: 0071AC19
__recalloc_crt.LIBCMT ref: 0071AC52
__recalloc_crt.LIBCMT ref: 0071AC97
_strlen.LIBCMT ref: 0071ACC3
__calloc_crt.LIBCMT ref: 0071ACCD
_strlen.LIBCMT ref: 0071ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0071AD0A
_free.LIBCMT ref: 0071AD24
_free.LIBCMT ref: 0071AD31
_free.LIBCMT ref: 0071AD43
__invoke_watson.LIBCMT ref: 0071AD5D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 4064503fe65855e4fe1c6c186b61a2176c6760c59b031d4f85628a93fa9c9132
Instruction ID: e1b66567ea0995023c54ab1cfaf0bd629eb9fad2a870e3dad6b80fdc520ceb85
Opcode Fuzzy Hash: 4064503fe65855e4fe1c6c186b61a2176c6760c59b031d4f85628a93fa9c9132
Instruction Fuzzy Hash: A36114B2A06305FFDB215F2CE805BA977E4EF51721F208215E8419B2C1DB7D99C1C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0074DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0074DC7B
_wcscat.LIBCMT ref: 0074DC93
_wcscat.LIBCMT ref: 0074DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0074DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0074DCCE
GetFileAttributesW.KERNEL32(?), ref: 0074DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0074DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0074DD12

Strings

*.*, xrefs: 0074DD51

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 20142fe4c2abada08d7c102de97b80bf756529bdf75dec3927fde27b4804ca85
Instruction ID: 2ff846920a836658b0ce1c8cf1727db021d736fb44607480bb187c27ad485d35
Opcode Fuzzy Hash: 20142fe4c2abada08d7c102de97b80bf756529bdf75dec3927fde27b4804ca85
Instruction Fuzzy Hash: 38816DB16043419FCB74EF64C8859AAB7E9EF88310F19882EE8C5C7251E778DD44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0076C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0076C4EC
GetFocus.USER32 ref: 0076C4FC
GetDlgCtrlID.USER32(00000000), ref: 0076C507
_memset.LIBCMT ref: 0076C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0076C65D
GetMenuItemCount.USER32(?), ref: 0076C67D
GetMenuItemID.USER32(?,00000000), ref: 0076C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0076C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0076C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0076C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0076C779

Strings

0, xrefs: 0076C62A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1e529e7d99da77d032d72d3904d5f68be8a5f662824f0f9cf68584c62202aa7d
Instruction ID: b2ed2223b0957dcb70cb399d5fa29e4c1bc5370541424a84d3fefbe37693870c
Opcode Fuzzy Hash: 1e529e7d99da77d032d72d3904d5f68be8a5f662824f0f9cf68584c62202aa7d
Instruction Fuzzy Hash: 7D819B702083019FD711CF24D984A7BBBE9FB88314F14452EFD9697291D778E915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007383F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0073874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00738766
Part of subcall function 0073874A: GetLastError.KERNEL32(?,0073822A,?,?,?), ref: 00738770
Part of subcall function 0073874A: GetProcessHeap.KERNEL32(00000008,?,?,0073822A,?,?,?), ref: 0073877F
Part of subcall function 0073874A: HeapAlloc.KERNEL32(00000000,?,0073822A,?,?,?), ref: 00738786
Part of subcall function 0073874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073879D

Part of subcall function 007387E7: GetProcessHeap.KERNEL32(00000008,00738240,00000000,00000000,?,00738240,?), ref: 007387F3
Part of subcall function 007387E7: HeapAlloc.KERNEL32(00000000,?,00738240,?), ref: 007387FA
Part of subcall function 007387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00738240,?), ref: 0073880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00738458
_memset.LIBCMT ref: 0073846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0073848C
GetLengthSid.ADVAPI32(?), ref: 0073849D
GetAce.ADVAPI32(?,00000000,?), ref: 007384DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007384F6
GetLengthSid.ADVAPI32(?), ref: 00738513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00738522
HeapAlloc.KERNEL32(00000000), ref: 00738529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0073854A
CopySid.ADVAPI32(00000000), ref: 00738551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00738582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007385A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 007385BC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: df4721e2e22ace7229af3594ab5b2a246d44d3b3b9696e082a2efaa60a40095d
Instruction ID: 60512d83d244195cdfd4bc48df58eed01766f6c1815a72323e5fa6ca1dd9e7cf
Opcode Fuzzy Hash: df4721e2e22ace7229af3594ab5b2a246d44d3b3b9696e082a2efaa60a40095d
Instruction Fuzzy Hash: 8B613A71900209EBEF00DFA5EC45AEEBBB9FF44300F148169F815A7292DB799A15CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0075762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007576A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007576AE
CreateCompatibleDC.GDI32(?), ref: 007576BA
SelectObject.GDI32(00000000,?), ref: 007576C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0075771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00757757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0075777B
SelectObject.GDI32(00000006,?), ref: 00757783
DeleteObject.GDI32(?), ref: 0075778C
DeleteDC.GDI32(00000006), ref: 00757793
ReleaseDC.USER32(00000000,?), ref: 0075779E

Strings

(, xrefs: 00757723

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 896b4cb38133a760b2d13aa25122692ec4e072ec2f94954e28c94b6c57d062cf
Instruction ID: 007672dff3b569c5b6a5319db13c4d292a25554db23ae4da9c158ec16f60f014
Opcode Fuzzy Hash: 896b4cb38133a760b2d13aa25122692ec4e072ec2f94954e28c94b6c57d062cf
Instruction Fuzzy Hash: 55514975904309EFCB15CFA8EC88EAEBBB9EF48310F14852DF94A97210D775A844CB60

Uniqueness

Uniqueness Score: -1.00%

Function 006E6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00700B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,006E6C6C,?,00008000), ref: 00700BB7

Part of subcall function 006E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006E48A1,?,?,006E37C0,?), ref: 006E48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 006E6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 006E6E5A

Part of subcall function 006E59CD: _wcscpy.LIBCMT ref: 006E5A05

Part of subcall function 0070387D: _iswctype.LIBCMT ref: 00703885

Strings

Unterminated string, xrefs: 0071EC0D
Bad directive syntax error, xrefs: 0071EBC6
EA06, xrefs: 0071E87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0071E84A
>>>AUTOIT SCRIPT<<<, xrefs: 0071E8BF
Error opening the file, xrefs: 0071E866, 0071E8E1
AU3!, xrefs: 006E6CC1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 3468ce13d45a6571b6f4162980c31dcfd7c383bf6fa94dd903261236b941f113
Instruction ID: e86fc4304f91b5346be42e3498e0b829aa1ea17d3f4855447bd0924c96d5dd47
Opcode Fuzzy Hash: 3468ce13d45a6571b6f4162980c31dcfd7c383bf6fa94dd903261236b941f113
Instruction Fuzzy Hash: A502A070109381DFC724EF29C881AAFBBE6BF94354F04491DF886972A2DB34D949CB46

Uniqueness

Uniqueness Score: -1.00%

Function 006E45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E45F9
GetMenuItemCount.USER32(007A6890), ref: 0071D7CD
GetMenuItemCount.USER32(007A6890), ref: 0071D87D
GetCursorPos.USER32(?), ref: 0071D8C1
SetForegroundWindow.USER32(00000000), ref: 0071D8CA
TrackPopupMenuEx.USER32(007A6890,00000000,?,00000000,00000000,00000000), ref: 0071D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0071D8E9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a9f311da9baddbd4c48a4eba22e3014b9b00da92b9f2344ab169532727ab18f4
Instruction ID: 1db5a8a8424267ce4a607a2c650a2b02a81089ee6d8845737fc0b76856cff404
Opcode Fuzzy Hash: a9f311da9baddbd4c48a4eba22e3014b9b00da92b9f2344ab169532727ab18f4
Instruction Fuzzy Hash: 61712570601305BAEB308F29DC89FEABF65FF05368F104216F525A61E1CBB96C60DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00758BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00758BEC
CoInitialize.OLE32(00000000), ref: 00758C19
CoUninitialize.OLE32 ref: 00758C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00758D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00758E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00772C0C), ref: 00758E84
CoGetObject.OLE32(?,00000000,00772C0C,?), ref: 00758EA7
SetErrorMode.KERNEL32(00000000), ref: 00758EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00758F3A
VariantClear.OLEAUT32(?), ref: 00758F4A

Strings

,,w, xrefs: 00758BD6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,w
API String ID: 2395222682-960948647
Opcode ID: db0da34725a6ebc66a18f0dc04e1d678af3a073ab018ca78bd6d1304b38e5049
Instruction ID: ebd689559dce584361b1c24a0f4fcf69e50eec911551eb2aa8bdd77ac2bc216b
Opcode Fuzzy Hash: db0da34725a6ebc66a18f0dc04e1d678af3a073ab018ca78bd6d1304b38e5049
Instruction Fuzzy Hash: 8FC13671204305AFC740DF64C88496BB7E9FF88749F00495DF98AAB251DBB5ED09CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007610A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00760038,?,?), ref: 007610BC

Strings

HKCU, xrefs: 007611AC
HKEY_CURRENT_CONFIG, xrefs: 00761179
HKCC, xrefs: 0076118A
HKEY_LOCAL_MACHINE, xrefs: 00761125
HKLM, xrefs: 0076113A
HKU, xrefs: 007611CE
HKEY_USERS, xrefs: 007611BD
HKCR, xrefs: 00761164
HKEY_CLASSES_ROOT, xrefs: 0076114F
HKEY_CURRENT_USER, xrefs: 0076119B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 61e389cc9cd5b7f43e7e69008ec2f32cff713b296b65a61dd59bf547a376a2eb
Instruction ID: 3ecd9110b112d2f656404ce0552b1df97dde43733fb4b017f6d9a6de41550a58
Opcode Fuzzy Hash: 61e389cc9cd5b7f43e7e69008ec2f32cff713b296b65a61dd59bf547a376a2eb
Instruction Fuzzy Hash: 7341923024424ECFCF14EFA4ED996EA3361BF21310F944568FD525B291D738AD1AC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00745569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

Part of subcall function 006E7A84: _memmove.LIBCMT ref: 006E7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007455D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007455E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007455F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0074560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0074561C

Strings

status PlayMe mode, xrefs: 007455CD
play PlayMe, xrefs: 00745617
close PlayMe, xrefs: 007455E3, 00745610
open , xrefs: 00745581
alias PlayMe, xrefs: 007455AB
play PlayMe wait, xrefs: 00745606

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a686fe6f26db66a03c33d3ab24f8f604775dc8847555dc91ddfb78660b6117e0
Instruction ID: d4d1416015dbbabac181c312319922c35e58a2732e121534ed91ae9fc42102bc
Opcode Fuzzy Hash: a686fe6f26db66a03c33d3ab24f8f604775dc8847555dc91ddfb78660b6117e0
Instruction Fuzzy Hash: C211C4605522A97ADB20B766DC4ADFFBB7DEF91F00F40042DB401A20D2EFA80D05C5E6

Uniqueness

Uniqueness Score: -1.00%

Function 007448F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0074490E
gethostname.WSOCK32(?,00000100), ref: 00744928
gethostbyname.WSOCK32(?), ref: 00744935
_wcscpy.LIBCMT ref: 0074495D
_memmove.LIBCMT ref: 00744970
inet_ntoa.WSOCK32(?), ref: 0074497B
_strcat.LIBCMT ref: 00744989
_wcscpy.LIBCMT ref: 007449A0
WSACleanup.WSOCK32 ref: 007449AE
_wcscpy.LIBCMT ref: 007449BC

Strings

0.0.0.0, xrefs: 00744957

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 904897585d1bca5277c99ef2f8edb65559ca17c81191aa17f48de153e48ec34d
Instruction ID: 9c68f0e037f75bd3e97266146d558f521c8057a2c968d9d51db69551c6806bb7
Opcode Fuzzy Hash: 904897585d1bca5277c99ef2f8edb65559ca17c81191aa17f48de153e48ec34d
Instruction Fuzzy Hash: 5511D832904216EBCB21EB24AC09FDB77ECDF40710F0442B6F44596091EFBCAA81A651

Uniqueness

Uniqueness Score: -1.00%

Function 00745217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0074521C

Part of subcall function 00700719: timeGetTime.WINMM(?,75C0B400,006F0FF9), ref: 0070071D

Sleep.KERNEL32(0000000A), ref: 00745248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0074526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0074528E
SetActiveWindow.USER32 ref: 007452AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007452BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 007452DA
Sleep.KERNEL32(000000FA), ref: 007452E5
IsWindow.USER32 ref: 007452F1
EndDialog.USER32(00000000), ref: 00745302

Strings

BUTTON, xrefs: 00745280

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 08390b81581439878ee4f5594198d1f734f14185fd7cbb40a3f31e0cc75f43ff
Instruction ID: b34f33c08f66d2358bf3ef44d12d77103bde7818f7b5684e4e11894206c30e2f
Opcode Fuzzy Hash: 08390b81581439878ee4f5594198d1f734f14185fd7cbb40a3f31e0cc75f43ff
Instruction Fuzzy Hash: 362181B0208704EFE7056F70FD89B263B69FB96786F049425F106811B2DBED9D60CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0074D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

CoInitialize.OLE32(00000000), ref: 0074D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0074D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0074D8FC
CoCreateInstance.OLE32(00772D7C,00000000,00000001,0079A89C,?), ref: 0074D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0074D9B7
CoTaskMemFree.OLE32(?,?), ref: 0074DA0F
_memset.LIBCMT ref: 0074DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0074DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0074DAAB
CoTaskMemFree.OLE32(00000000), ref: 0074DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0074DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0074DAEB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ab20626409542a968da1b3705658f0965f796e6e5c362d2db3e1394fa19f513d
Instruction ID: 6c57a074e20249c5c67a3eade48208de50ecdaab5319869513ddfd1b17d5caf7
Opcode Fuzzy Hash: ab20626409542a968da1b3705658f0965f796e6e5c362d2db3e1394fa19f513d
Instruction Fuzzy Hash: B8B10C75A00209AFDB14DF65C888DAEBBF9FF48314B1484A9F90AEB251DB34ED41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0074052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007405A7
SetKeyboardState.USER32(?), ref: 00740612
GetAsyncKeyState.USER32(000000A0), ref: 00740632
GetKeyState.USER32(000000A0), ref: 00740649
GetAsyncKeyState.USER32(000000A1), ref: 00740678
GetKeyState.USER32(000000A1), ref: 00740689
GetAsyncKeyState.USER32(00000011), ref: 007406B5
GetKeyState.USER32(00000011), ref: 007406C3
GetAsyncKeyState.USER32(00000012), ref: 007406EC
GetKeyState.USER32(00000012), ref: 007406FA
GetAsyncKeyState.USER32(0000005B), ref: 00740723
GetKeyState.USER32(0000005B), ref: 00740731

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ec8545078c515f4c486f4fdb36ce52e8629e8330f3fd8e1e5c57b8f479359fc5
Instruction ID: 729a0547174ced098dc1ffe456880bc71e0da38dee5218b055ce8a7d417c2cab
Opcode Fuzzy Hash: ec8545078c515f4c486f4fdb36ce52e8629e8330f3fd8e1e5c57b8f479359fc5
Instruction Fuzzy Hash: D851C920A0478859FB35EBB08454BEAFFB49F01380F484599D6C2561C2DB7CAA9CCF92

Uniqueness

Uniqueness Score: -1.00%

Function 0073C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0073C746
GetWindowRect.USER32(00000000,?), ref: 0073C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0073C7B6
GetDlgItem.USER32(?,00000002), ref: 0073C7C1
GetWindowRect.USER32(00000000,?), ref: 0073C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0073C827
GetDlgItem.USER32(?,000003E9), ref: 0073C835
GetWindowRect.USER32(00000000,?), ref: 0073C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0073C889
GetDlgItem.USER32(?,000003EA), ref: 0073C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0073C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0073C8C1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 28a36391ab56670193f8735ea285e25edc86b75de78fd59a1dc45c060c28ea5c
Instruction ID: a4092214aa61ae2d90bb6572527d0875b031709e3277d113fa86d0d9877ba582
Opcode Fuzzy Hash: 28a36391ab56670193f8735ea285e25edc86b75de78fd59a1dc45c060c28ea5c
Instruction Fuzzy Hash: 02513071B00305AFDB19CF69DD89AAEBBB6FB88310F14812DF516E72A1D7B49D008B54

Uniqueness

Uniqueness Score: -1.00%

Function 006E201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E2036,?,00000000,?,?,?,?,006E16CB,00000000,?), ref: 006E1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006E20D3
KillTimer.USER32(-00000001,?,?,?,?,006E16CB,00000000,?,?,006E1AE2,?,?), ref: 006E216E
DestroyAcceleratorTable.USER32(00000000), ref: 0071BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006E16CB,00000000,?,?,006E1AE2,?,?), ref: 0071BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006E16CB,00000000,?,?,006E1AE2,?,?), ref: 0071BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006E16CB,00000000,?,?,006E1AE2,?,?), ref: 0071BF5A
DeleteObject.GDI32(00000000), ref: 0071BF6C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 41fcf40c87c94a85ce233236b6af2db64214d8d1614e2dc6ed63c90ba598d8be
Instruction ID: bf671d16cff7dfe469df48807620f62360ae880fefdbe308828f53dad1ceb4c9
Opcode Fuzzy Hash: 41fcf40c87c94a85ce233236b6af2db64214d8d1614e2dc6ed63c90ba598d8be
Instruction Fuzzy Hash: CD61BD31102751DFCB259F1ADD58B69B7FBFB81312F14852CE142866A0C77DA982DF44

Uniqueness

Uniqueness Score: -1.00%

Function 006E21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006E25DB: GetWindowLongW.USER32(?,000000EB), ref: 006E25EC

GetSysColor.USER32(0000000F), ref: 006E21D3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4602aed01341fff501c3e4b9f506b760c49e5ff46f6dc9382b074ccb962e2f9c
Instruction ID: 04ad07f970a2ecc82cedb45fb3af995b75e836a81ac58ed6daadcc707544b375
Opcode Fuzzy Hash: 4602aed01341fff501c3e4b9f506b760c49e5ff46f6dc9382b074ccb962e2f9c
Instruction Fuzzy Hash: C441E431001285AEDB155F68EC58BB9376BEB06330F148265FE628A2E2C7758D82DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0074AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0076F910), ref: 0074AB76
GetDriveTypeW.KERNEL32(00000061,0079A620,00000061), ref: 0074AC40
_wcscpy.LIBCMT ref: 0074AC6A

Strings

network, xrefs: 0074ABD4
fixed, xrefs: 0074ABBE
ramdisk, xrefs: 0074ABEA
cdrom, xrefs: 0074AB92
all, xrefs: 0074AB7C
unknown, xrefs: 0074AC01
removable, xrefs: 0074ABA8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 9afaeb7c36b17f3c372904cdfaa4d61b3af1323be2a1e589f1635f8ba0c9e26b
Instruction ID: def6cc382671433f78cd141cb9fae56c90302c3b2cf64fac1eff4b86addbce94
Opcode Fuzzy Hash: 9afaeb7c36b17f3c372904cdfaa4d61b3af1323be2a1e589f1635f8ba0c9e26b
Instruction Fuzzy Hash: D051CD70248341EBC710EF14D881AAEB7E6EF94300F54482DF496972A2DB39DD09CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0076C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

Part of subcall function 006E2344: GetCursorPos.USER32(?), ref: 006E2357
Part of subcall function 006E2344: ScreenToClient.USER32(007A67B0,?), ref: 006E2374
Part of subcall function 006E2344: GetAsyncKeyState.USER32(00000001), ref: 006E2399
Part of subcall function 006E2344: GetAsyncKeyState.USER32(00000002), ref: 006E23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0076C2E4
ImageList_EndDrag.COMCTL32 ref: 0076C2EA
ReleaseCapture.USER32 ref: 0076C2F0
SetWindowTextW.USER32(?,00000000), ref: 0076C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0076C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0076C48F

Strings

@GUI_DROPID, xrefs: 0076C3E1
@GUI_DRAGFILE, xrefs: 0076C424
prz, xrefs: 0076C438
prz, xrefs: 0076C3FD

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prz$prz
API String ID: 1924731296-3455243443
Opcode ID: 8a917bfcb1da8f0a9e8c2d03a87d5e687a06f7204d15fd553c7b4ed107055b43
Instruction ID: a2805655dafded45dc4e337fdf64dfc7f53cde6f2f1fbe3068dee5f6cb363b0b
Opcode Fuzzy Hash: 8a917bfcb1da8f0a9e8c2d03a87d5e687a06f7204d15fd553c7b4ed107055b43
Instruction Fuzzy Hash: 2E51AE70204344AFD700DF24DC55F6A7BE5FB88310F04862DF9968B2E1DB78A948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 006E9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 006E99C2
__swprintf.LIBCMT ref: 006E9A0C
__i64tow.LIBCMT ref: 0071FA0F

Strings

True, xrefs: 0071F9D0
False, xrefs: 0071F9D7
0x%p, xrefs: 0071F9F1
%.15g, xrefs: 006E9A06

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: efe4df13ebb41ff59b5805dd3e1adec8f9223e79245295fd5af5df95c7b797a2
Instruction ID: 81ef3c0c37d911516f5f4e48b2bc8dff6f86c05d6c0a04b3f00deef27013b7c3
Opcode Fuzzy Hash: efe4df13ebb41ff59b5805dd3e1adec8f9223e79245295fd5af5df95c7b797a2
Instruction Fuzzy Hash: 77412471605305EFDB24AF39DC46FBA73E9EF04300F24446EE549D72D2EA79A8428B21

Uniqueness

Uniqueness Score: -1.00%

Function 007673C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007673D9
CreateMenu.USER32 ref: 007673F4
SetMenu.USER32(?,00000000), ref: 00767403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00767490
IsMenu.USER32(?), ref: 007674A6
CreatePopupMenu.USER32 ref: 007674B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007674DD
DrawMenuBar.USER32 ref: 007674E5

Strings

F, xrefs: 007674D1
0, xrefs: 007673CF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 216aa198f7a87a87c2131da3f438325e53b7527539240a7987974488036d16f2
Instruction ID: 7bf760b1dd6af616fa29b726f9eaf2779df3429be3924178675ba6c064582d0e
Opcode Fuzzy Hash: 216aa198f7a87a87c2131da3f438325e53b7527539240a7987974488036d16f2
Instruction Fuzzy Hash: 93416774A01245EFDB14DF64E888E9ABBF9FF49344F188029ED1697360DB78AD20CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0076772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007677CD
CreateCompatibleDC.GDI32(00000000), ref: 007677D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007677E7
SelectObject.GDI32(00000000,00000000), ref: 007677EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 007677FA
DeleteDC.GDI32(00000000), ref: 00767803
GetWindowLongW.USER32(?,000000EC), ref: 0076780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00767821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0076782D

Strings

static, xrefs: 00767765

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b5f1e0bab7bbcba6bebff4110962f44e91ac42f0221e0b8beeb41eefa1f3a556
Instruction ID: 76225bca33f7f1f36985fd6d29264a165845676af3abf6f94cd4478df6bdfbbe
Opcode Fuzzy Hash: b5f1e0bab7bbcba6bebff4110962f44e91ac42f0221e0b8beeb41eefa1f3a556
Instruction Fuzzy Hash: A8319031105215FBDF159FB4EC08FDA3B69FF09365F104224FA16960A0C779D811DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00707040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0070707B

Part of subcall function 00708D68: __getptd_noexit.LIBCMT ref: 00708D68

__gmtime64_s.LIBCMT ref: 00707114
__gmtime64_s.LIBCMT ref: 0070714A
__gmtime64_s.LIBCMT ref: 00707167
__allrem.LIBCMT ref: 007071BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007071D9
__allrem.LIBCMT ref: 007071F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0070720E
__allrem.LIBCMT ref: 00707225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00707243
__invoke_watson.LIBCMT ref: 007072B4

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 100f454409d63ea6a6fadb16f9b853b62ae3d53ee5b1429e12c21619fdfc3829
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 50719171E04716EBE7189E69CC45B9AB3F8AF54724F14832AF514E62C1E778EA40C790

Uniqueness

Uniqueness Score: -1.00%

Function 00742A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00742A31
GetMenuItemInfoW.USER32(007A6890,000000FF,00000000,00000030), ref: 00742A92
SetMenuItemInfoW.USER32(007A6890,00000004,00000000,00000030), ref: 00742AC8
Sleep.KERNEL32(000001F4), ref: 00742ADA
GetMenuItemCount.USER32(?), ref: 00742B1E
GetMenuItemID.USER32(?,00000000), ref: 00742B3A
GetMenuItemID.USER32(?,-00000001), ref: 00742B64
GetMenuItemID.USER32(?,?), ref: 00742BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00742BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00742C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00742C24

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 82024edcf94b7abf744bd8ee731185c5f94d9f289ac23987e9c536f867050728
Instruction ID: ea3ce2f9461bde73addd59aa65b78bc0745df871cadea8df82f4b9b2c1dbd121
Opcode Fuzzy Hash: 82024edcf94b7abf744bd8ee731185c5f94d9f289ac23987e9c536f867050728
Instruction Fuzzy Hash: E761D2B0900249EFDB11CF64DC88EBEBBB8FB41304F944559F85293252E779AD26DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00767192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00767214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00767217
GetWindowLongW.USER32(?,000000F0), ref: 0076723B
_memset.LIBCMT ref: 0076724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0076725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007672D6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4d27d2d54aa038e0f38b9ff30c9c8ae66e8da870e7fc44c94934ca7f2130336c
Instruction ID: 2d6b4a66fc2a97f47a757b06a1e092f88b90b0095a09d30e46fe221a3fe35d21
Opcode Fuzzy Hash: 4d27d2d54aa038e0f38b9ff30c9c8ae66e8da870e7fc44c94934ca7f2130336c
Instruction Fuzzy Hash: 0A618A70900248AFDB10DFA4CC81EEE77F8AB4A704F144159FE16A73A1D778AD41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0073710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00737135
SafeArrayAllocData.OLEAUT32(?), ref: 0073718E
VariantInit.OLEAUT32(?), ref: 007371A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 007371C0
VariantCopy.OLEAUT32(?,?), ref: 00737213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00737227
VariantClear.OLEAUT32(?), ref: 0073723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00737249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00737252
VariantClear.OLEAUT32(?), ref: 00737264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0073726F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c8fe995238a9f7d7151716ed0343bbf38e6e2574524e16107bcb94520599c522
Instruction ID: 41b2d48c927699a43b91160b08905d4021fa33b2510c34bdfc160d869f556d3e
Opcode Fuzzy Hash: c8fe995238a9f7d7151716ed0343bbf38e6e2574524e16107bcb94520599c522
Instruction Fuzzy Hash: 9E417171904219EFDF14DF69DC489AEBBB9FF48350F00C069F906A7262CB78A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 007586D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

CoInitialize.OLE32 ref: 00758718
CoUninitialize.OLE32 ref: 00758723
CoCreateInstance.OLE32(?,00000000,00000017,00772BEC,?), ref: 00758783
IIDFromString.OLE32(?,?), ref: 007587F6
VariantInit.OLEAUT32(?), ref: 00758890
VariantClear.OLEAUT32(?), ref: 007588F1

Strings

Failed to create object, xrefs: 0075878E, 00758844
Invalid parameter, xrefs: 0075880F
NULL Pointer assignment, xrefs: 007587C8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9cc73c7762d4f1fab221c5fafc3ab140c1addce8f8adcbf818407e1a15d8864f
Instruction ID: 6c151379e96ab1856e740911c43af8f693caf1e1a9c08d9cd422754794fc5bfe
Opcode Fuzzy Hash: 9cc73c7762d4f1fab221c5fafc3ab140c1addce8f8adcbf818407e1a15d8864f
Instruction Fuzzy Hash: 8D61AF70608701AFD750DF64C848BAABBE4EF48715F14481DF985AB291CBB8ED48CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00755A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00755AA6
inet_addr.WSOCK32(?,?,?), ref: 00755AEB
gethostbyname.WSOCK32(?), ref: 00755AF7
IcmpCreateFile.IPHLPAPI ref: 00755B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00755B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00755B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00755C00
WSACleanup.WSOCK32 ref: 00755C06

Strings

Ping, xrefs: 00755B29

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9f8a8f274a0655849170b5cdc253fca3d3ad77b5abef01efe8c035e26ea51e48
Instruction ID: 72893346212e2f144948f34d71cd37b86b088c4c77974f8519bdad08cb184675
Opcode Fuzzy Hash: 9f8a8f274a0655849170b5cdc253fca3d3ad77b5abef01efe8c035e26ea51e48
Instruction Fuzzy Hash: 1A51C171204701AFDB10EF25DC59B6ABBE0EF44710F14892AF956DB2A1DBB8E804CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0074B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0074B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0074B7B1
GetLastError.KERNEL32 ref: 0074B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0074B828

Strings

READY, xrefs: 0074B801
UNKNOWN, xrefs: 0074B7E0
INVALID, xrefs: 0074B7FA
READONLY, xrefs: 0074B7F3
NOTREADY, xrefs: 0074B7E7

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4de9925b45f1802ec64a05d8c4c7ffb12bcabe53714f2ecd87767df1e72d8c9d
Instruction ID: 3b200d99b929a609c7c9bec961d67c8911c567557a5644c6e1f710cedfca51f2
Opcode Fuzzy Hash: 4de9925b45f1802ec64a05d8c4c7ffb12bcabe53714f2ecd87767df1e72d8c9d
Instruction Fuzzy Hash: D7318135A01209AFDB01EF64D885EAE7BB9FF44750F14802AE40297291DB79DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00739471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 0073B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0073B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007394F6
GetDlgCtrlID.USER32 ref: 00739501
GetParent.USER32 ref: 0073951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00739520
GetDlgCtrlID.USER32(?), ref: 00739529
GetParent.USER32(?), ref: 00739545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00739548

Strings

ListBox, xrefs: 007394B3
ComboBox, xrefs: 0073947E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 573e21dc63a888179f617cbc4e7d9932a2cdf7e220ce13c08df973f730d5039d
Instruction ID: e2eb91f90e48d5db17493953e2854b31da0ca3f940b3352ca14465e85973225b
Opcode Fuzzy Hash: 573e21dc63a888179f617cbc4e7d9932a2cdf7e220ce13c08df973f730d5039d
Instruction Fuzzy Hash: 8321D670900204BBDF05AB65DC85DFEBB79EF49300F104129F662972E2DBB95919DB24

Uniqueness

Uniqueness Score: -1.00%

Function 0073955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 0073B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0073B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007395DF
GetDlgCtrlID.USER32 ref: 007395EA
GetParent.USER32 ref: 00739606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00739609
GetDlgCtrlID.USER32(?), ref: 00739612
GetParent.USER32(?), ref: 0073962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00739631

Strings

ListBox, xrefs: 0073959E
ComboBox, xrefs: 00739569

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2077ac9edeefa73380258cd2c0da5001c580e69e346110d7d2dc2cdae5c28f38
Instruction ID: ec2098f60544eb80245a3d9923414b476d4917a46bbf4b6650303445d638fc36
Opcode Fuzzy Hash: 2077ac9edeefa73380258cd2c0da5001c580e69e346110d7d2dc2cdae5c28f38
Instruction Fuzzy Hash: D721D670901204BBEF04AB64CCC5EFEBB79EF48300F104019F662971E2DBB999199A24

Uniqueness

Uniqueness Score: -1.00%

Function 00739645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00739651
GetClassNameW.USER32(00000000,?,00000100), ref: 00739666
_wcscmp.LIBCMT ref: 00739678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007396F3

Strings

SHELLDLL_DefView, xrefs: 00739672
largeicons, xrefs: 00739687
smallicons, xrefs: 007396BB
details, xrefs: 007396A1
list, xrefs: 007396D5

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c6213b1d396fac7499531dc310548d928a559f615cf95d65fe1ec013f6a5cb47
Instruction ID: 10eaa7afd44455e75e52c623887de6805ae738edcc0ed9ad15c6b5f5dcea9235
Opcode Fuzzy Hash: c6213b1d396fac7499531dc310548d928a559f615cf95d65fe1ec013f6a5cb47
Instruction Fuzzy Hash: A611CA77649307FAFA012625FC0BDA7779C9B05760F20012AFB11A50D3FEDE59514558

Uniqueness

Uniqueness Score: -1.00%

Function 00744189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0074419D
__swprintf.LIBCMT ref: 007441AA

Part of subcall function 007038D8: __woutput_l.LIBCMT ref: 00703931

FindResourceW.KERNEL32(?,?,0000000E), ref: 007441D4
LoadResource.KERNEL32(?,00000000), ref: 007441E0
LockResource.KERNEL32(00000000), ref: 007441ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0074420D
LoadResource.KERNEL32(?,00000000), ref: 0074421F
SizeofResource.KERNEL32(?,00000000), ref: 0074422E
LockResource.KERNEL32(?), ref: 0074423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0074429B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 8341c0792961b11fce26295fec35e8d4c7032939a94bbd1dba372545c8e3c6be
Instruction ID: 2912d5e7528a2e3fa7f47fa8c30478cc17ca517a5b5d09da825612638fafbd49
Opcode Fuzzy Hash: 8341c0792961b11fce26295fec35e8d4c7032939a94bbd1dba372545c8e3c6be
Instruction Fuzzy Hash: B6316072A0521AAFDB119F60EC58EBF7BACFF05301F008525F916D2150E7B8D961DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007416DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00741700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00740778,?,00000001), ref: 00741714
GetWindowThreadProcessId.USER32(00000000), ref: 0074171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00740778,?,00000001), ref: 0074172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0074173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00740778,?,00000001), ref: 00741755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00740778,?,00000001), ref: 00741767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00740778,?,00000001), ref: 007417AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00740778,?,00000001), ref: 007417C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00740778,?,00000001), ref: 007417CC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a01109fde7c60a9a663ac88d6bbf4ae0ad655b378d67cc69d48f7b233eed813b
Instruction ID: d3698484f1225815310381118a31803a0bd82b7cd7fc63f1df96fd5efddb53cb
Opcode Fuzzy Hash: a01109fde7c60a9a663ac88d6bbf4ae0ad655b378d67cc69d48f7b233eed813b
Instruction Fuzzy Hash: 0C31B175600304BFEB16AF14ED84B6937B9AB56722F508014F801D62A0E7BC9E82CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00759428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075947C
VariantInit.OLEAUT32(?), ref: 0075954D
VariantInit.OLEAUT32(?), ref: 0075964E
VariantClear.OLEAUT32(?), ref: 00759658
VariantClear.OLEAUT32(?), ref: 007596B5

Strings

,,w, xrefs: 007594FA
Null Object assignment in FOR..IN loop, xrefs: 007594DD, 0075960B, 007596C3
Incorrect Object type in FOR..IN loop, xrefs: 00759631

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,w$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-682374694
Opcode ID: d5d592a8a4a456973bf87bc77918e8fb248f16991d47000f7b4ce03888a27eb5
Instruction ID: b3857f5c07c022c29cdc77d5dc83ccad0622cb1ffdcfe2da1ec982e2268b1e30
Opcode Fuzzy Hash: d5d592a8a4a456973bf87bc77918e8fb248f16991d47000f7b4ce03888a27eb5
Instruction Fuzzy Hash: 8D918171A00215EBDF24DFA5D848FEEB7B8EF45711F108159FA15AB280D7B89909CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0073A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0073AA64), ref: 0073A9A2

Strings

NAME, xrefs: 0073A7D4
CLASS, xrefs: 0073A721
INSTANCE, xrefs: 0073A8B0
REGEXPCLASS, xrefs: 0073A767
TEXT, xrefs: 0073A8D9
CLASSNN, xrefs: 0073A744

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ba8f12c650152a27389b5551fc5eaab727283b784a06775365deefaab9729953
Instruction ID: 7a4e95bf4669b9748d09da703ca0ad05278328120faa17c85bd2c5f58e95360b
Opcode Fuzzy Hash: ba8f12c650152a27389b5551fc5eaab727283b784a06775365deefaab9729953
Instruction Fuzzy Hash: 5E91A470600606FBEB08DF60C482BE9FBB5BF14314F108129D9DAA7192DF387959CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006E2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006E2EAE

Part of subcall function 006E1DB3: GetClientRect.USER32(?,?), ref: 006E1DDC
Part of subcall function 006E1DB3: GetWindowRect.USER32(?,?), ref: 006E1E1D
Part of subcall function 006E1DB3: ScreenToClient.USER32(?,?), ref: 006E1E45

GetDC.USER32 ref: 0071CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0071CF95
SelectObject.GDI32(00000000,00000000), ref: 0071CFA3
SelectObject.GDI32(00000000,00000000), ref: 0071CFB8
ReleaseDC.USER32(?,00000000), ref: 0071CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0071D04B

Strings

U, xrefs: 0071CF20

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6be2661002b0afa4b711586b2fe07b5135f87c971c9afb4bdb60c9385a53016b
Instruction ID: 38507b52fdcfb48c8816ba134692769e9ad7f8878b035f985365b27d2598937c
Opcode Fuzzy Hash: 6be2661002b0afa4b711586b2fe07b5135f87c971c9afb4bdb60c9385a53016b
Instruction Fuzzy Hash: BA71E431400245DFCF318F68C895AEA3BBAFF49350F148269ED565A2E6C7398C82DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00758F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0076F910), ref: 0075903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0076F910), ref: 00759071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007591EB
SysFreeString.OLEAUT32(?), ref: 00759215

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: bdd2833dd18460ccf1f0ee3fff508eca3d0643088d0a3c7645eb73bf2c299438
Instruction ID: 986d6e44925a5a15418465b63b82fd4e6ffff7264a9bd2e741db5b1ff9eb4cb8
Opcode Fuzzy Hash: bdd2833dd18460ccf1f0ee3fff508eca3d0643088d0a3c7645eb73bf2c299438
Instruction Fuzzy Hash: 11F14A71A00219EFDF04DF94C888EEEB7B9BF49315F108058F906AB290DB75AD49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0075F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0075FD90
CloseHandle.KERNEL32(?), ref: 0075FDBF
CloseHandle.KERNEL32(?), ref: 0075FE36

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: bdd6945a5706aca04dca6c3bf0de9e79615fed584ca4499692e8bfc1be7e8ec6
Instruction ID: 0bba02d97199cea8dd8acfe67ec05733bba91b177b1053828a6d3b0e514f0aaf
Opcode Fuzzy Hash: bdd6945a5706aca04dca6c3bf0de9e79615fed584ca4499692e8bfc1be7e8ec6
Instruction Fuzzy Hash: A7E1D331204341DFCB14EF24C895BAABBE1BF85314F14856DF89A9B2A2CB75DC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00744F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007438D3,?), ref: 007448C7

Part of subcall function 007448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007438D3,?), ref: 007448E0

Part of subcall function 00744CD3: GetFileAttributesW.KERNEL32(?,00743947), ref: 00744CD4

lstrcmpiW.KERNEL32(?,?), ref: 00744FE2
_wcscmp.LIBCMT ref: 00744FFC
MoveFileW.KERNEL32(?,?), ref: 00745017

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 5db0325464dff6cad24875c3308f14e56095325145f715c8c667997d763685c9
Instruction ID: e6a22d26b8ee67ded1f297721bb46928404a912a5d192c409fb76e8425d60a4c
Opcode Fuzzy Hash: 5db0325464dff6cad24875c3308f14e56095325145f715c8c667997d763685c9
Instruction Fuzzy Hash: 095175B200C7859BC724DB64DC859DFB3ECAF85340F14492EF189D3192EF78A6898766

Uniqueness

Uniqueness Score: -1.00%

Function 007688B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0076896E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: cb36c8b40fd26af79736283c3cc66b4befdde2cf606483334b972739390be206
Instruction ID: 9ec1eeb2d5530ba59a44f0ce843899ba8b160bb1041fd41c663963c04014d737
Opcode Fuzzy Hash: cb36c8b40fd26af79736283c3cc66b4befdde2cf606483334b972739390be206
Instruction Fuzzy Hash: 2951B530500305FFDFA09F64CC89BA93B65BF05310F548216FE13E66A1DFB9A9809B96

Uniqueness

Uniqueness Score: -1.00%

Function 006E2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0071C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0071C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0071C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0071C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0071C5C0
DestroyIcon.USER32(00000000), ref: 0071C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0071C5EC
DestroyIcon.USER32(?), ref: 0071C5FB

Part of subcall function 0076A71E: DeleteObject.GDI32(00000000), ref: 0076A757

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: f2ee55e03ead6f5678e31e47eb69a12c13c7965690eb62797bbb7e18a432535b
Instruction ID: 4f9549f5116dda20e49e9709d138760428e871070ebf480e670cd66625bc0d9a
Opcode Fuzzy Hash: f2ee55e03ead6f5678e31e47eb69a12c13c7965690eb62797bbb7e18a432535b
Instruction Fuzzy Hash: 65518A7064034AAFDB20DF69DC55FAA37BAEB54710F204528F902972E0DBB8ED91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00739B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0073AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0073AE77
Part of subcall function 0073AE57: GetCurrentThreadId.KERNEL32 ref: 0073AE7E
Part of subcall function 0073AE57: AttachThreadInput.USER32(00000000,?,00739B65,?,00000001), ref: 0073AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00739B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00739B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00739B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00739B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00739BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00739BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00739BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00739BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00739BDD

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 7c4d6e57a72350f81621a27065f5c1cc5aeb094e12cddbaa1cf33bff5fbaee62
Instruction ID: 455a6d53da8444be34839c2df1b9f37f5eb4940ae418d8fb1cddd0d3e6bd4e90
Opcode Fuzzy Hash: 7c4d6e57a72350f81621a27065f5c1cc5aeb094e12cddbaa1cf33bff5fbaee62
Instruction Fuzzy Hash: B111E1B1550218FEF6106F60EC8EF6A7B2DEB4D791F104425F355AB0A1C9F65C10DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00738E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00738A84,00000B00,?,?), ref: 00738E0C
HeapAlloc.KERNEL32(00000000,?,00738A84,00000B00,?,?), ref: 00738E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00738A84,00000B00,?,?), ref: 00738E28
GetCurrentProcess.KERNEL32(?,00000000,?,00738A84,00000B00,?,?), ref: 00738E30
DuplicateHandle.KERNEL32(00000000,?,00738A84,00000B00,?,?), ref: 00738E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00738A84,00000B00,?,?), ref: 00738E43
GetCurrentProcess.KERNEL32(00738A84,00000000,?,00738A84,00000B00,?,?), ref: 00738E4B
DuplicateHandle.KERNEL32(00000000,?,00738A84,00000B00,?,?), ref: 00738E4E
CreateThread.KERNEL32(00000000,00000000,00738E74,00000000,00000000,00000000), ref: 00738E68

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 935c7adacedcc32a6e9dccedcb8bbe918c0f6b5b124e7e746dfb074ce526d326
Instruction ID: 4eab049f7c1ce652e5c90950d0523e1dd612d590590ebf7efb445c007e157e76
Opcode Fuzzy Hash: 935c7adacedcc32a6e9dccedcb8bbe918c0f6b5b124e7e746dfb074ce526d326
Instruction Fuzzy Hash: B901A8B5240308FFE610ABA5EC49F6B3BACEB89751F008421FA05DB1A1CAB59C008A24

Uniqueness

Uniqueness Score: -1.00%

Function 00759A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00737652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?,?,0073799D), ref: 0073766F
Part of subcall function 00737652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?), ref: 0073768A
Part of subcall function 00737652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?), ref: 00737698
Part of subcall function 00737652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?), ref: 007376A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00759B1B
_memset.LIBCMT ref: 00759B28
_memset.LIBCMT ref: 00759C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00759C97
CoTaskMemFree.OLE32(?), ref: 00759CA2

Strings

NULL Pointer assignment, xrefs: 00759CF0

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: b9a3cfb92432fa43a46f01fa4efa2f388fa148e6ff7affbdab3416d2e41ed3ef
Instruction ID: ecdfc3ccc65201a0de09ab3481e895540890440cbc389f439462ddebf475086e
Opcode Fuzzy Hash: b9a3cfb92432fa43a46f01fa4efa2f388fa148e6ff7affbdab3416d2e41ed3ef
Instruction Fuzzy Hash: B0912871D01319EBDF10DFA5DC84ADEBBB9AF08710F204169F919A7281DB759A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00766FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00767093
SendMessageW.USER32(?,00001036,00000000,?), ref: 007670A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007670C1
_wcscat.LIBCMT ref: 0076711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00767133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00767161

Strings

SysListView32, xrefs: 00767065

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 585fc40f98e61719ed66c6894608ffc0b2e6f4600f03ca43b75c093dc074ddc2
Instruction ID: 296bb4dae17278fd5166946d6dbca1daf847ac191c3e785181e4b652f9a5ee21
Opcode Fuzzy Hash: 585fc40f98e61719ed66c6894608ffc0b2e6f4600f03ca43b75c093dc074ddc2
Instruction Fuzzy Hash: 3741E270904308EFDB259FA4CC89BEE77E8EF08394F10452AF946E7192D6799D84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0075EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00743E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00743EB6
Part of subcall function 00743E91: Process32FirstW.KERNEL32(00000000,?), ref: 00743EC4
Part of subcall function 00743E91: CloseHandle.KERNEL32(00000000), ref: 00743F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075ECB8
GetLastError.KERNEL32 ref: 0075ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0075ED77
GetLastError.KERNEL32(00000000), ref: 0075ED82
CloseHandle.KERNEL32(00000000), ref: 0075EDB7

Strings

SeDebugPrivilege, xrefs: 0075ECD6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5a3e5956f8509b7d281585a0217d1a45e4fee5829d527c1065ecc4eb2dc58716
Instruction ID: 5265305e52873413a02f2ae71b8d82609b92a00da4ac1945f570b24ed9453519
Opcode Fuzzy Hash: 5a3e5956f8509b7d281585a0217d1a45e4fee5829d527c1065ecc4eb2dc58716
Instruction Fuzzy Hash: 8841B1713003009FDB14EF15CC95FADB7A5AF40714F08845DF9429B2C2DBB9A908CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00743226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007432C5

Strings

blank, xrefs: 00743247
stop, xrefs: 00743296
warning, xrefs: 007432AE
question, xrefs: 0074327E
info, xrefs: 00743266

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 83b11d89c24da839f73d9ea10b4f0a7ccfa72c3d8b7cb437294b814f0c225a5b
Instruction ID: 4782d34bb7d5c2a4ce623c33769daf8fdc6095a5b524a2ad10b36bfe199a43f7
Opcode Fuzzy Hash: 83b11d89c24da839f73d9ea10b4f0a7ccfa72c3d8b7cb437294b814f0c225a5b
Instruction Fuzzy Hash: CC11D23124974AFAEB015B54EC43CAAB7ECFF19370F20002AF909A61C1E7ED5B4046A5

Uniqueness

Uniqueness Score: -1.00%

Function 00744534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0074454E
LoadStringW.USER32(00000000), ref: 00744555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0074456B
LoadStringW.USER32(00000000), ref: 00744572
_wprintf.LIBCMT ref: 00744598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007445B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00744593

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 1857dbb62fb4a8861b24ebf1a37c1b3c12e73baca9828aa8de00954e7f9eb509
Instruction ID: 39a203d2dd4a7842a70c421cf47cd8d765e1c79aabaa5860d1a499069a0c30b9
Opcode Fuzzy Hash: 1857dbb62fb4a8861b24ebf1a37c1b3c12e73baca9828aa8de00954e7f9eb509
Instruction Fuzzy Hash: 680144F2504308BFE7119794ED89EE6776CE708301F0045A5FB46D2051E6B85E954B74

Uniqueness

Uniqueness Score: -1.00%

Function 0076D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

GetSystemMetrics.USER32(0000000F), ref: 0076D78A
GetSystemMetrics.USER32(0000000F), ref: 0076D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0076D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0076DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0076DA24
ShowWindow.USER32(00000003,00000000), ref: 0076DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0076DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0076DA8B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7104087d63e8aaac12b19369aa2ef362c4601adc2aba0d64e7367ccda4fda344
Instruction ID: db5789d7dd25dd17a44a945ff74a7a6252967a76a87a9d4b05505c9e62c798cf
Opcode Fuzzy Hash: 7104087d63e8aaac12b19369aa2ef362c4601adc2aba0d64e7367ccda4fda344
Instruction Fuzzy Hash: 38B17771A04225EBDF24CF69C9897AD7BB1FF48701F08C169EC4A9B295D738AD50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006E2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0071C417,00000004,00000000,00000000,00000000), ref: 006E2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0071C417,00000004,00000000,00000000,00000000,000000FF), ref: 006E2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0071C417,00000004,00000000,00000000,00000000), ref: 0071C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0071C417,00000004,00000000,00000000,00000000), ref: 0071C4D6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3d8739ac99f075293f7b747bbb66a5c2e43da83916da3505a12d414995f1abde
Instruction ID: 22e13f6941ae71e861b53c659dd00d6fbe083562d6b787a746c55737c8045c29
Opcode Fuzzy Hash: 3d8739ac99f075293f7b747bbb66a5c2e43da83916da3505a12d414995f1abde
Instruction Fuzzy Hash: 5841FB312097C19AC7368B2EDCBC7BB7B9BAB85310F58C43DE447466A0C67998C2D714

Uniqueness

Uniqueness Score: -1.00%

Function 00747368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0074737F

Part of subcall function 00700FF6: std::exception::exception.LIBCMT ref: 0070102C
Part of subcall function 00700FF6: __CxxThrowException@8.LIBCMT ref: 00701041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007473B6
EnterCriticalSection.KERNEL32(?), ref: 007473D2
_memmove.LIBCMT ref: 00747420
_memmove.LIBCMT ref: 0074743D
LeaveCriticalSection.KERNEL32(?), ref: 0074744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00747461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00747480

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 878aba3a9753cd78c487b548a421121bc66195b006b6c957da6ef1c549554f9d
Instruction ID: 453a4d627d9e1e39a84017bc066b79ac96b7db2f739387313588e86bd1573ed7
Opcode Fuzzy Hash: 878aba3a9753cd78c487b548a421121bc66195b006b6c957da6ef1c549554f9d
Instruction Fuzzy Hash: 2A31A131904205EFCF10DF54DC89AAE7BB8FF45710F1481A5F904EB286DB789A14DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00766442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0076645A
GetDC.USER32(00000000), ref: 00766462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0076646D
ReleaseDC.USER32(00000000,00000000), ref: 00766479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007664B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007664C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00769299,?,?,000000FF,00000000,?,000000FF,?), ref: 00766500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00766520

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 736be7a75c9119506336ff5147239c9516b6729192552c233448be83e5ce3adc
Instruction ID: 3edb728524ef7f04bb2c91e2f2818b8e09dec8c7fa12706592f445928c3cad97
Opcode Fuzzy Hash: 736be7a75c9119506336ff5147239c9516b6729192552c233448be83e5ce3adc
Instruction Fuzzy Hash: DC316D72201214BFEB118F50DC4AFEA3FA9EF09761F044065FE0ADA1A2D6B99851CB74

Uniqueness

Uniqueness Score: -1.00%

Function 0073C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0073C087
_memcmp.LIBCMT ref: 0073C0A9
_memcmp.LIBCMT ref: 0073C0C1
_memcmp.LIBCMT ref: 0073C0D4
_memcmp.LIBCMT ref: 0073C0EE
_memcmp.LIBCMT ref: 0073C101
_memcmp.LIBCMT ref: 0073C119
_memcmp.LIBCMT ref: 0073C134

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b2e497d231731c793a02d3d596647a5800eb886220aa941e7eb1add805a9b660
Instruction ID: 49823996393230da18ffe9f3842260056fa7ed8bfe9f3e5def6114fbe2b839af
Opcode Fuzzy Hash: b2e497d231731c793a02d3d596647a5800eb886220aa941e7eb1add805a9b660
Instruction Fuzzy Hash: 172153E1741209F7F62AA5219D56FBF239CAE203D4F444020FD09A6293EF5EDD12D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0074ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

Part of subcall function 006FFEC6: _wcscpy.LIBCMT ref: 006FFEE9

_wcstok.LIBCMT ref: 0074EEFF
_wcscpy.LIBCMT ref: 0074EF8E
_memset.LIBCMT ref: 0074EFC1

Strings

X, xrefs: 0074EFFE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ebbf6b3bdc138f56bf12a927378f1a6543f4bbaf2d4570e63b9ab4530143ae0b
Instruction ID: 95869f9fcf7124b9973ced5ebfa73b50c30d3a89aa3c4cdc665c45322f547663
Opcode Fuzzy Hash: ebbf6b3bdc138f56bf12a927378f1a6543f4bbaf2d4570e63b9ab4530143ae0b
Instruction Fuzzy Hash: 53C1BE71509340DFD764EF28C885A6AB7E1FF84310F10492DF89A9B2A2DB34ED45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 006E1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2176ccacc84865e81375099ce27f39dbf3156f9fbf6f355622d1dad9da1c4cbb
Instruction ID: 77b79fc09ef9d4829f42c067449f4246b528d548578fc78411acd5761bf4a965
Opcode Fuzzy Hash: 2176ccacc84865e81375099ce27f39dbf3156f9fbf6f355622d1dad9da1c4cbb
Instruction Fuzzy Hash: 75719E30901249EFCB04CF59CC44EFEBBBAFF86310F248159F915AA291D734AA52DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00756E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba51aaca9ea5a9ffb8cc94e567c354b98737c64548809f8ee6a615c89f1faae7
Instruction ID: 22cfe7e26aae6abd41d8c15fbdbeda6eaa956d5ea738c1e58b500419845a2b26
Opcode Fuzzy Hash: ba51aaca9ea5a9ffb8cc94e567c354b98737c64548809f8ee6a615c89f1faae7
Instruction Fuzzy Hash: D3610171108300ABC314EB25DC86EAFB3EAAF84714F50891DF94A972D2DBB49D08C792

Uniqueness

Uniqueness Score: -1.00%

Function 0076B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01215A10), ref: 0076B6A5
IsWindowEnabled.USER32(01215A10), ref: 0076B6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0076B795
SendMessageW.USER32(01215A10,000000B0,?,?), ref: 0076B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0076B809
GetWindowLongW.USER32(01215A10,000000EC), ref: 0076B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0076B843

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 73827c4416f75bf5035a0cb72432df40ffaf256b16f55a157a21297ab502a21a
Instruction ID: e6173cd1bccb0d53d736927b314878fa52fec980a86ae96b1e025797f87d2d49
Opcode Fuzzy Hash: 73827c4416f75bf5035a0cb72432df40ffaf256b16f55a157a21297ab502a21a
Instruction Fuzzy Hash: A6718C34604204EFDB209F64C894FBABBB9EF9A300F14406AED57D72A1C739AD91CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0075F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075F75C
_memset.LIBCMT ref: 0075F825
ShellExecuteExW.SHELL32(?), ref: 0075F86A

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

Part of subcall function 006FFEC6: _wcscpy.LIBCMT ref: 006FFEE9

GetProcessId.KERNEL32(00000000), ref: 0075F8E1
CloseHandle.KERNEL32(00000000), ref: 0075F910

Strings

@, xrefs: 0075F839

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 7ca28ed8429092198a85088d5d512b0844959c47614e443525f9b0fa23a6aed1
Instruction ID: f4b04175b353410bfd7bfcb6421c11bd1e0a76e1383f0593544193fe6ea68ff8
Opcode Fuzzy Hash: 7ca28ed8429092198a85088d5d512b0844959c47614e443525f9b0fa23a6aed1
Instruction Fuzzy Hash: 6E61AA75A00759DFCB04EF65C4849AEBBF6FF48310B14846DE84AAB352CB74AD44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0074145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0074149C
GetKeyboardState.USER32(?), ref: 007414B1
SetKeyboardState.USER32(?), ref: 00741512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00741540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0074155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 007415A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007415C8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5db34787ca26e35b63189d23934b3b58d11ab2e9b308836226d88cb2610ef6f4
Instruction ID: e8fc53091003f971d7c0d99788121e6b68042ab5c5a5d65980e1e0718478348f
Opcode Fuzzy Hash: 5db34787ca26e35b63189d23934b3b58d11ab2e9b308836226d88cb2610ef6f4
Instruction Fuzzy Hash: 8151E0A0A047D53EFB3262288C45BBABFA96B46304F488489E1D6468C2D7DCECD4D761

Uniqueness

Uniqueness Score: -1.00%

Function 00741276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007412B5
GetKeyboardState.USER32(?), ref: 007412CA
SetKeyboardState.USER32(?), ref: 0074132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00741357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00741374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007413B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007413D9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 764743600f5fd572b022704d68ecb62df60d0ffcebf67a96834a868710fb6c5a
Instruction ID: 4fa37bd16b87a6c7e46f90718cab03a019fecfc9017fe8a16a999c42342352af
Opcode Fuzzy Hash: 764743600f5fd572b022704d68ecb62df60d0ffcebf67a96834a868710fb6c5a
Instruction Fuzzy Hash: CB5105A06447D57DFB32A7248C45B7ABFA96F06300F488589E1E9868C3D39CECD4D760

Uniqueness

Uniqueness Score: -1.00%

Function 0074589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007458AC
_wcsncpy.LIBCMT ref: 007458E1
_wcsncpy.LIBCMT ref: 00745913
_wcsncpy.LIBCMT ref: 00745946
_wcsncpy.LIBCMT ref: 00745988
_wcsncpy.LIBCMT ref: 007459C2
_wcsncpy.LIBCMT ref: 007459F1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 851b7fd544a5cf7dd9eb45d351038906f3784c65a6387c73dccf0985bc85271f
Instruction ID: ece2850e5bb639bca8c4c29dec3958a94ffab41bbe9d6012450740b55e0cdad5
Opcode Fuzzy Hash: 851b7fd544a5cf7dd9eb45d351038906f3784c65a6387c73dccf0985bc85271f
Instruction Fuzzy Hash: C54161A6D20518F6CB10EBB4C88E9CF77A8AF04710F509656E518E3162F738E715C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0073DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0073DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0073DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0073DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0073DB8E

Strings

DllGetClassObject, xrefs: 0073DB01
,,w, xrefs: 0073DA69

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,w$DllGetClassObject
API String ID: 753597075-3320112890
Opcode ID: 2afdc8af23f836b6991a54154de7faabc549ef65df513b0f0635b3735a4eb6e0
Instruction ID: 66de92f0891f8c5aed0b5786a84fc4c30dd2a83fa7dd881596b12a2648d6f32f
Opcode Fuzzy Hash: 2afdc8af23f836b6991a54154de7faabc549ef65df513b0f0635b3735a4eb6e0
Instruction Fuzzy Hash: FF4194B1600208DFEF25CF54D884A9ABBB9EF44350F1580ADED059F206D7B9DD44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007438AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007438D3,?), ref: 007448C7

Part of subcall function 007448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007438D3,?), ref: 007448E0

lstrcmpiW.KERNEL32(?,?), ref: 007438F3
_wcscmp.LIBCMT ref: 0074390F
MoveFileW.KERNEL32(?,?), ref: 00743927
_wcscat.LIBCMT ref: 0074396F
SHFileOperationW.SHELL32(?), ref: 007439DB

Strings

\*.*, xrefs: 00743969

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: cb3092d1f796fa57f67729bc13407e5b15cf6f06f994e97e0686dc0242bb195d
Instruction ID: 0675b536b6d7a1f4adf94c90a4907b4bc934eb1f6936ea6a9348bb01aca2c646
Opcode Fuzzy Hash: cb3092d1f796fa57f67729bc13407e5b15cf6f06f994e97e0686dc0242bb195d
Instruction Fuzzy Hash: DA417FB240C3849AC751EF64D489ADBB7E8AF88344F54092EF49AC3191EB78E648C752

Uniqueness

Uniqueness Score: -1.00%

Function 00767500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00767519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007675C0
IsMenu.USER32(?), ref: 007675D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00767620
DrawMenuBar.USER32 ref: 00767633

Strings

0, xrefs: 0076750D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 38a611b309a55cccabb9415335d3e94174c4cd1f069f99ebce5499f36bf3d8d5
Instruction ID: 79a673620ca58eb70631d2bab48ac88864bac37b2bfba8082e9150a70d81df30
Opcode Fuzzy Hash: 38a611b309a55cccabb9415335d3e94174c4cd1f069f99ebce5499f36bf3d8d5
Instruction Fuzzy Hash: 1B416A70A04609EFDB10CF54D884E9ABBF9FF04368F148129ED1697290D738AD50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0076122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0076125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00761286
FreeLibrary.KERNEL32(00000000), ref: 0076133D

Part of subcall function 0076122D: RegCloseKey.ADVAPI32(?), ref: 007612A3
Part of subcall function 0076122D: FreeLibrary.KERNEL32(?), ref: 007612F5
Part of subcall function 0076122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00761318

RegDeleteKeyW.ADVAPI32(?,?), ref: 007612E0

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 548f8d54a8a9542c6f4c8e2c151319e7898670c88fc0cb4791316de0dd03413a
Instruction ID: ec65101053f9e23153aa1a654d493025979a42101a1dcf822fd7c7705e2f3d7e
Opcode Fuzzy Hash: 548f8d54a8a9542c6f4c8e2c151319e7898670c88fc0cb4791316de0dd03413a
Instruction Fuzzy Hash: AF312F71901209BFDB15DB91EC89AFEB7BCEF08340F444169E903E2251E6789E499BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0076655B
GetWindowLongW.USER32(01215A10,000000F0), ref: 0076658E
GetWindowLongW.USER32(01215A10,000000F0), ref: 007665C3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007665F5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0076661F
GetWindowLongW.USER32(?,000000F0), ref: 00766630
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0076664A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ad15e6ac5faa5172c5bc95f7cc2e01b9c4ec8f4e796ba4299a15d51b739dceea
Instruction ID: 02d52479ca72bf4b998fa1f7224cca9fec248ec58685c57c30c366e329ce4f03
Opcode Fuzzy Hash: ad15e6ac5faa5172c5bc95f7cc2e01b9c4ec8f4e796ba4299a15d51b739dceea
Instruction Fuzzy Hash: 0A310330604250AFDB20CF28EC86F553BE5FB4A710F584168F9238B2B6CB69EC50DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00756486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007580CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007564D9
WSAGetLastError.WSOCK32(00000000), ref: 007564E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00756521
connect.WSOCK32(00000000,?,00000010), ref: 0075652A
WSAGetLastError.WSOCK32 ref: 00756534
closesocket.WSOCK32(00000000), ref: 0075655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00756576

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 50796be32ae1b75b1e0c01d3a87c7e95b064b89abfc4c76c29af7fa2e54900f2
Instruction ID: b03234b8b89b3b78edd9be0167c95dfb8ea2c0e6b8b7fef703427fc3f8266cd1
Opcode Fuzzy Hash: 50796be32ae1b75b1e0c01d3a87c7e95b064b89abfc4c76c29af7fa2e54900f2
Instruction Fuzzy Hash: 50319571600218AFDB10AF14DC85BBE77A9EF44715F448069FD0697291DBB8AD08CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0073E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073E120
SysAllocString.OLEAUT32(00000000), ref: 0073E123
SysAllocString.OLEAUT32 ref: 0073E144
SysFreeString.OLEAUT32 ref: 0073E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0073E167
SysAllocString.OLEAUT32(?), ref: 0073E175

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8e43b766ecf46c138406c5a8347b2d69ac9a4d100e8d91bb483b456a5eabc397
Instruction ID: 41c58cff52c246b4896799945d466079ee3a4bf03ce2dce905206807526dc072
Opcode Fuzzy Hash: 8e43b766ecf46c138406c5a8347b2d69ac9a4d100e8d91bb483b456a5eabc397
Instruction Fuzzy Hash: 51218336604208EFEB109FA8DC88DAB77ECEB09760F108135F955CB2A5DA78DC418B64

Uniqueness

Uniqueness Score: -1.00%

Function 0073FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0073FB81
__wcsnicmp.LIBCMT ref: 0073FBA2
__wcsnicmp.LIBCMT ref: 0073FBBC

Strings

#OnAutoItStartRegister, xrefs: 0073FBB6
#requireadmin, xrefs: 0073FB9C
#notrayicon, xrefs: 0073FB79

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 38f8f4102db03cec2478192ece95992471705f45c08c7439c17ad2ea95edfeaa
Instruction ID: 2bc2aace13d435b4a0bd80a638cc5632d2e9e3912e6a219823798ceaf00f67e6
Opcode Fuzzy Hash: 38f8f4102db03cec2478192ece95992471705f45c08c7439c17ad2ea95edfeaa
Instruction Fuzzy Hash: 012167F2A44654E6E230A630DC16EA7B3DCDF11380F148036F885C6183EB5DAD82C2B5

Uniqueness

Uniqueness Score: -1.00%

Function 0076783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006E1D73
Part of subcall function 006E1D35: GetStockObject.GDI32(00000011), ref: 006E1D87
Part of subcall function 006E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006E1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007678A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007678AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007678B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007678C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007678D4

Strings

Msctls_Progress32, xrefs: 00767872

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6c759d05ec58e320983805a132da460bfc2ec563864ffde76f1077443ab82776
Instruction ID: 772e073aaccbaf952ef5cb6f6efa2579b254d756b740e7f19a0cbc4291873e5e
Opcode Fuzzy Hash: 6c759d05ec58e320983805a132da460bfc2ec563864ffde76f1077443ab82776
Instruction Fuzzy Hash: 5F1190B211021ABFEF159F60CC85EE77F6DEF087A8F014115FA05A60A0C7769C21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007041C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00704292,?), ref: 007041E3
GetProcAddress.KERNEL32(00000000), ref: 007041EA
EncodePointer.KERNEL32(00000000), ref: 007041F6
DecodePointer.KERNEL32(00000001,00704292,?), ref: 00704213

Strings

combase.dll, xrefs: 007041DE
RoInitialize, xrefs: 007041D2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: f39e05827083998dcf61906fbf0371cde2ad832263c7da21840a807362f9ba6b
Instruction ID: 138dcf58075a80bbe0698069a6a6bd4c01dc609e4e52bec51cc98d79b1481566
Opcode Fuzzy Hash: f39e05827083998dcf61906fbf0371cde2ad832263c7da21840a807362f9ba6b
Instruction Fuzzy Hash: 6DE0E5B0691308EEEF205BB1EC09B043AA5B7A2B42F10C424F522E51E0DAFE40928E08

Uniqueness

Uniqueness Score: -1.00%

Function 0070429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007041B8), ref: 007042B8
GetProcAddress.KERNEL32(00000000), ref: 007042BF
EncodePointer.KERNEL32(00000000), ref: 007042CA
DecodePointer.KERNEL32(007041B8), ref: 007042E5

Strings

combase.dll, xrefs: 007042B3
RoUninitialize, xrefs: 007042A7

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 11e9740556be961f55f9c737b052d03ece2a3972f6c656f1b5cfa0cb80062877
Instruction ID: 94968c22260b007842833b6abde90e86b28ed9b5dd99b8ccddd28b6777910ed4
Opcode Fuzzy Hash: 11e9740556be961f55f9c737b052d03ece2a3972f6c656f1b5cfa0cb80062877
Instruction Fuzzy Hash: 01E0B6B8781304EFEB109B61FD0EB143AA4B7A5B86F20C124F112E11A0CBFE4540CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 0074675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007468AD
_memmove.LIBCMT ref: 007467E8

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

_memmove.LIBCMT ref: 0074685B
_memmove.LIBCMT ref: 00746942
_memmove.LIBCMT ref: 0074695B
_memmove.LIBCMT ref: 00746977

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
Instruction ID: 2c9ece0ea9d1b232bdd9f69e97d833d4b6c9be03bf74b0a06e0b63f422ca3131
Opcode Fuzzy Hash: 9878d26070b011936cad77e1676243b9e2a31e5d9705435f175891a5af6f413f
Instruction Fuzzy Hash: 4D61BC3050169ADBDF11EF21CC86EFE37A9AF05308F04451DF89A5B292DB38AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 007610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00760038,?,?), ref: 007610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00760548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00760588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007605AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007605D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00760617
RegCloseKey.ADVAPI32(00000000), ref: 00760624

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b127b98293ebcd79b9ba1a1b0cbf92a74afb66c629ae872aeab5e0c7197b150f
Instruction ID: 7196fe426aa8c713903765903135d715119ebb603fb303b518f4da7bb61b19c6
Opcode Fuzzy Hash: b127b98293ebcd79b9ba1a1b0cbf92a74afb66c629ae872aeab5e0c7197b150f
Instruction Fuzzy Hash: DF516B31108340EFCB14EB24D885E6BBBE9FF88314F04892DF946871A2DB75E914CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00765A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00765A82
GetMenuItemCount.USER32(00000000), ref: 00765AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00765AE1
GetMenuItemID.USER32(?,?), ref: 00765B50
GetSubMenu.USER32(?,?), ref: 00765B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00765BAF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: bc2b5a71c89a18693c79dc937937e2d3cb3ebb4ac7c177fc5f6d8770100eb8d5
Instruction ID: 087d1f81ec699509796c5ea3c213e270e5dd52abc88110163d7bb6432f13fd05
Opcode Fuzzy Hash: bc2b5a71c89a18693c79dc937937e2d3cb3ebb4ac7c177fc5f6d8770100eb8d5
Instruction Fuzzy Hash: BA51A071A00615EFCF10DFA4C845AAEBBB5EF48310F108469EC06B7351CB78AE41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0073F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0073F3F7
VariantClear.OLEAUT32(00000013), ref: 0073F469
VariantClear.OLEAUT32(00000000), ref: 0073F4C4
_memmove.LIBCMT ref: 0073F4EE
VariantClear.OLEAUT32(?), ref: 0073F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0073F569

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 67b34fe8793d1d9ef767d9fd7ff726e61030479931318d2abbfb1d9392480ea5
Instruction ID: 6344632301db5e905cc0d8a04d9f406fae3ef9ea522ae7b39219fea6aa027e53
Opcode Fuzzy Hash: 67b34fe8793d1d9ef767d9fd7ff726e61030479931318d2abbfb1d9392480ea5
Instruction Fuzzy Hash: BD5157B5A00249EFDB10CF58D884AAABBB8FF48354F15816AED59DB301D735E911CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 007426F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00742747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00742792
IsMenu.USER32(00000000), ref: 007427B2
CreatePopupMenu.USER32 ref: 007427E6
GetMenuItemCount.USER32(000000FF), ref: 00742844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00742875

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 06b2b3cf0cc37e6b8fbb7136b72b7e9c80fae3ea5660bce46c98cab2b18cb98a
Instruction ID: 6477d631f89ea5d1d4245647d3736df6e8dcf49729ab363641c65938a72573e2
Opcode Fuzzy Hash: 06b2b3cf0cc37e6b8fbb7136b72b7e9c80fae3ea5660bce46c98cab2b18cb98a
Instruction Fuzzy Hash: C551D270A00305DFDF25CF68D888BADBBF9AF45314F504169F4119B292D7789926CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006E1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 006E179A
GetWindowRect.USER32(?,?), ref: 006E17FE
ScreenToClient.USER32(?,?), ref: 006E181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006E182C
EndPaint.USER32(?,?), ref: 006E1876

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: d8a7f082d874416f233f9ad961c38ef581c88f97311a02e442f989060cd5ab93
Instruction ID: 9f2ceb0998186e48c9c97665109fe7b1ceff287a7718713c179235c037014df8
Opcode Fuzzy Hash: d8a7f082d874416f233f9ad961c38ef581c88f97311a02e442f989060cd5ab93
Instruction Fuzzy Hash: 9D41CF70101340AFC710DF25DC84FBB7BE9EB4A724F148628F9A58B2A1C7789C45EB66

Uniqueness

Uniqueness Score: -1.00%

Function 0076B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007A67B0,00000000,01215A10,?,?,007A67B0,?,0076B862,?,?), ref: 0076B9CC
EnableWindow.USER32(?,00000000), ref: 0076B9F0
ShowWindow.USER32(007A67B0,00000000,01215A10,?,?,007A67B0,?,0076B862,?,?), ref: 0076BA50
ShowWindow.USER32(?,00000004,?,0076B862,?,?), ref: 0076BA62
EnableWindow.USER32(?,00000001), ref: 0076BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0076BAA9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b9fa363074e1d637451ec63350bfb42e1a1d79469fbe5fad2c97d88d2d3b1248
Instruction ID: 13c257788e85cdf61ea936f7b9fb77298ce18b6edfbb9dcfa1e8260e3a21225c
Opcode Fuzzy Hash: b9fa363074e1d637451ec63350bfb42e1a1d79469fbe5fad2c97d88d2d3b1248
Instruction Fuzzy Hash: 81416230600241EFDB26CF64D489B957BE1FF06314F1882B9EE4ACF2A2C775A885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007573B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00755134,?,?,00000000,00000001), ref: 007573BF

Part of subcall function 00753C94: GetWindowRect.USER32(?,?), ref: 00753CA7

GetDesktopWindow.USER32 ref: 007573E9
GetWindowRect.USER32(00000000), ref: 007573F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00757422

Part of subcall function 007454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0074555E

GetCursorPos.USER32(?), ref: 0075744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007574AC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 26dbb39022eb61ee8a3ed42bda7b85c7c0cb07d7e65740745be9c177219eb7c5
Instruction ID: de46277144292f8bf8660d6467c7d40d186357e401f49b925a1387cb1d1ece31
Opcode Fuzzy Hash: 26dbb39022eb61ee8a3ed42bda7b85c7c0cb07d7e65740745be9c177219eb7c5
Instruction Fuzzy Hash: AF310672508345ABC724DF14E849F9BBBE9FF88344F004919F88997191C7B4ED08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00738D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007385F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00738608
Part of subcall function 007385F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00738612
Part of subcall function 007385F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00738621
Part of subcall function 007385F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00738628
Part of subcall function 007385F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0073863E

GetLengthSid.ADVAPI32(?,00000000,00738977), ref: 00738DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00738DB8
HeapAlloc.KERNEL32(00000000), ref: 00738DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00738DD8
GetProcessHeap.KERNEL32(00000000,00000000,00738977), ref: 00738DEC
HeapFree.KERNEL32(00000000), ref: 00738DF3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: aab58580b481ee616bb4271e68b12f51284421f48217cf73efd3e16912bf6350
Instruction ID: dbebf24431e93fe930f18ccbf3d27d3afd74b37e6355d60a078bc5167f0e106f
Opcode Fuzzy Hash: aab58580b481ee616bb4271e68b12f51284421f48217cf73efd3e16912bf6350
Instruction Fuzzy Hash: 7211E131611704FFEB589F64DC08BAE7769FF49355F10802AF84697252CB3AAD04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00738AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00738B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00738B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00738B40
CloseHandle.KERNEL32(00000004), ref: 00738B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00738B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00738B8E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9eab42dd1240c8232705c1a8e88169f39b68d9e84d33b6f6ceef645cd40c9f41
Instruction ID: 0bd8f5a8c159ad0a5ec4b491a45a2060fff1fba69c2395bd76e77f610fe0f34d
Opcode Fuzzy Hash: 9eab42dd1240c8232705c1a8e88169f39b68d9e84d33b6f6ceef645cd40c9f41
Instruction Fuzzy Hash: C6112CB250134AEBEF018FA4ED49FDEBBA9EF08304F144065FE05A2161C7799D649B61

Uniqueness

Uniqueness Score: -1.00%

Function 0076C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006E12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E134D
Part of subcall function 006E12F3: SelectObject.GDI32(?,00000000), ref: 006E135C
Part of subcall function 006E12F3: BeginPath.GDI32(?), ref: 006E1373
Part of subcall function 006E12F3: SelectObject.GDI32(?,00000000), ref: 006E139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0076C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0076C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0076C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0076C1F6
EndPath.GDI32(00000000), ref: 0076C206
StrokePath.GDI32(00000000), ref: 0076C216

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a30fff0777ae33352ca698da46aff52bb479b20c9946ad078f5b492730e3e010
Instruction ID: 1c02f095206537fcc4e5c66e7121f6663f7dc2a29dad84f8a3d382082590186d
Opcode Fuzzy Hash: a30fff0777ae33352ca698da46aff52bb479b20c9946ad078f5b492730e3e010
Instruction Fuzzy Hash: FC115B7600020CBFDF029F90EC88EAA3FADFB09390F048021FE194A161C7B59E54DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007003A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007003D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 007003DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007003E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007003F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007003F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00700401

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 033d7ebbe87ccb3e7bd262aef1086989c479ff53cbeb30c454d2b6fd442c202a
Instruction ID: 66398fd461a70b1c3d41982304493109b76395e493a7c4afb3d68d1a5e110dcd
Opcode Fuzzy Hash: 033d7ebbe87ccb3e7bd262aef1086989c479ff53cbeb30c454d2b6fd442c202a
Instruction Fuzzy Hash: D0016CB0901759BDE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0074568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0074569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007456B1
GetWindowThreadProcessId.USER32(?,?), ref: 007456C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007456CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007456D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007456E0

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3cb670cebcda07622b5bb549978724e452b67e8626cc2b54c8c667fdd0f1d3bb
Instruction ID: 777c8e66d8992f908ee6199ca00eb68c5092492267b96d344b67b7cd5e03d804
Opcode Fuzzy Hash: 3cb670cebcda07622b5bb549978724e452b67e8626cc2b54c8c667fdd0f1d3bb
Instruction Fuzzy Hash: 86F01D32241259BBE7215BA2EC0DEAB7E7CEBC6B51F004169FA06D105197E91A0186B9

Uniqueness

Uniqueness Score: -1.00%

Function 007474D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007474E5
EnterCriticalSection.KERNEL32(?,?,006F1044,?,?), ref: 007474F6
TerminateThread.KERNEL32(00000000,000001F6,?,006F1044,?,?), ref: 00747503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,006F1044,?,?), ref: 00747510

Part of subcall function 00746ED7: CloseHandle.KERNEL32(00000000,?,0074751D,?,006F1044,?,?), ref: 00746EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00747523
LeaveCriticalSection.KERNEL32(?,?,006F1044,?,?), ref: 0074752A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c5c20b37f1987a8f7149ca46d176f17a51a5bcaf879db97264ee208c8b09044e
Instruction ID: d422e1f5f5a1b7e5cd3811f7a4b73f6c26a9411e672a3ec1eb1073f7b549794f
Opcode Fuzzy Hash: c5c20b37f1987a8f7149ca46d176f17a51a5bcaf879db97264ee208c8b09044e
Instruction Fuzzy Hash: 27F03A3A144712EFDB152B64FC9C9EE772ABF45302B004531F203A50A0CBB95811CE54

Uniqueness

Uniqueness Score: -1.00%

Function 00738E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00738E7F
UnloadUserProfile.USERENV(?,?), ref: 00738E8B
CloseHandle.KERNEL32(?), ref: 00738E94
CloseHandle.KERNEL32(?), ref: 00738E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00738EA5
HeapFree.KERNEL32(00000000), ref: 00738EAC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 08b0ff021f66f5004aae30ef016d11953775a558cf6970828772a1029ae5e41f
Instruction ID: fff124882372e6cccebc8d2190cde6c970714c06608c314b6974ae9a187deaf4
Opcode Fuzzy Hash: 08b0ff021f66f5004aae30ef016d11953775a558cf6970828772a1029ae5e41f
Instruction Fuzzy Hash: C8E0C236004205FBDA011FE2FC0C90ABF69FB8A362B508230F21A81170CBBA9820DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00737A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00772C7C,?), ref: 00737C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00772C7C,?), ref: 00737C4A
CLSIDFromProgID.OLE32(?,?,00000000,0076FB80,000000FF,?,00000000,00000800,00000000,?,00772C7C,?), ref: 00737C6F
_memcmp.LIBCMT ref: 00737C90

Strings

,,w, xrefs: 00737A85

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,w
API String ID: 314563124-960948647
Opcode ID: e0c182c139411ee62452dcb4cb911840ee79de22beeb34a5621617ea55b57feb
Instruction ID: cd1ac0979ba7ac228453c002bc186609c72fb3b4c8b8cc5fdc95b99fc132f3b9
Opcode Fuzzy Hash: e0c182c139411ee62452dcb4cb911840ee79de22beeb34a5621617ea55b57feb
Instruction Fuzzy Hash: B0813DB1A00209EFDB14DF94C984DEEB7B9FF89315F204198F506AB251DB75AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00758902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00758928
CharUpperBuffW.USER32(?,?), ref: 00758A37
VariantClear.OLEAUT32(?), ref: 00758BAF

Part of subcall function 00747804: VariantInit.OLEAUT32(00000000), ref: 00747844
Part of subcall function 00747804: VariantCopy.OLEAUT32(00000000,?), ref: 0074784D
Part of subcall function 00747804: VariantClear.OLEAUT32(00000000), ref: 00747859

Strings

Incorrect Parameter format, xrefs: 00758960, 00758B22
AUTOIT.ERROR, xrefs: 00758A3D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 3f5dfeaa88e7434ba425a1539d363bac9ed4c842b32a73734b07cf6977632bbb
Instruction ID: f06ab1358faaed62a98a5e75b0a12693c5e926c52aab23755c0dfdb0fee08754
Opcode Fuzzy Hash: 3f5dfeaa88e7434ba425a1539d363bac9ed4c842b32a73734b07cf6977632bbb
Instruction Fuzzy Hash: 0091A1B0604341DFC740DF29C4859ABBBE5EF88315F04896EF8869B362DB74E909CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00742F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006FFEC6: _wcscpy.LIBCMT ref: 006FFEE9

_memset.LIBCMT ref: 00743077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007430A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00743159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00743187

Strings

0, xrefs: 00743063

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b5f7825a4ea93c304e04c4df4836586f294adde1dfb65ae36767ab6c313c7783
Instruction ID: c1c099e000efd3e656bf03c27baa7a404dcbfe65b371f4aa3b6b37b8e34c6a83
Opcode Fuzzy Hash: b5f7825a4ea93c304e04c4df4836586f294adde1dfb65ae36767ab6c313c7783
Instruction Fuzzy Hash: B351D2316083049BE7259F28D849A6BB7E9EF95320F044A2EF899D31E1DB78CE44C756

Uniqueness

Uniqueness Score: -1.00%

Function 00742C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00742CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00742CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00742D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007A6890,00000000), ref: 00742D5A

Strings

0, xrefs: 00742CA4

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: bbd58c73645c2a56a2ed218acc12139c6d93ab7ebd91dc48dca1d362dac4dcf0
Instruction ID: 0847199e0e5cce78cede5aafeef0b377703f1de3482b5656abcf25289db28e76
Opcode Fuzzy Hash: bbd58c73645c2a56a2ed218acc12139c6d93ab7ebd91dc48dca1d362dac4dcf0
Instruction Fuzzy Hash: FB41C2306043019FD720DF24CC45B1AB7E8EF85320F444A5EF96697292DB74E916CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0075DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0075DAD9

Part of subcall function 006E79AB: _memmove.LIBCMT ref: 006E79F9

Strings

cdecl, xrefs: 0075DB30
none, xrefs: 0075DBB4
stdcall, xrefs: 0075DB5B
winapi, xrefs: 0075DB4A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 60178dcdb66044c2ab89ffc4c42ef0d768955e8120dee7a3c576dcac6722d9aa
Instruction ID: b9d9cba1d44da1df8327b27ddc1fc6668b42bc99c651f11478216808e85f54fe
Opcode Fuzzy Hash: 60178dcdb66044c2ab89ffc4c42ef0d768955e8120dee7a3c576dcac6722d9aa
Instruction Fuzzy Hash: C13165B0504619DBCF20EF59CC819EEB3B6FF15310B10862DE866976D1DBB5AD09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00739372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 0073B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0073B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007393F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00739409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00739439

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

Strings

ListBox, xrefs: 007393B5
ComboBox, xrefs: 00739380

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 079a6f6a6f4afe8404aa21cbb0ec907b089ee39d11805cf2302094a726c6c53d
Instruction ID: 6acfc09d5d83ac6d672433f41bce1cdcb966c5c057498532a79ac4fd8e5ac088
Opcode Fuzzy Hash: 079a6f6a6f4afe8404aa21cbb0ec907b089ee39d11805cf2302094a726c6c53d
Instruction Fuzzy Hash: 322104B1901244BEEB14AB74DC858FFB769DF05360F10412DFA22972E2DB7C0A0A9620

Uniqueness

Uniqueness Score: -1.00%

Function 00751B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00751B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00751B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00751B96
InternetCloseHandle.WININET(00000000), ref: 00751BDD

Part of subcall function 00752777: GetLastError.KERNEL32(?,?,00751B0B,00000000,00000000,00000001), ref: 0075278C
Part of subcall function 00752777: SetEvent.KERNEL32(?,?,00751B0B,00000000,00000000,00000001), ref: 007527A1

Strings

, xrefs: 00751B87

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7a96f3817cc3bf7367343af180ffca64937d282a59938d7eee5773eb56196af2
Instruction ID: 0be676da0bbf73453d1d1f80ed2e19e65dff30c01e955bf2e291e61877bf03d3
Opcode Fuzzy Hash: 7a96f3817cc3bf7367343af180ffca64937d282a59938d7eee5773eb56196af2
Instruction Fuzzy Hash: 7E2192B1500208BFEB119F609CC5FFF77ECEB4974AF50412AF905A6240EBA89D099771

Uniqueness

Uniqueness Score: -1.00%

Function 00766656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006E1D73
Part of subcall function 006E1D35: GetStockObject.GDI32(00000011), ref: 006E1D87
Part of subcall function 006E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006E1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007666D0
LoadLibraryW.KERNEL32(?), ref: 007666D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007666EC
DestroyWindow.USER32(?), ref: 007666F4

Strings

SysAnimate32, xrefs: 007666AB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b7146de12ed8cfe2150957b27a5078e59e4a5d4d7867f79312c5a4546101772a
Instruction ID: f7a73600b37cc27524f4285f6f7905e01d4fc7cc5111531ae101856bb7395a66
Opcode Fuzzy Hash: b7146de12ed8cfe2150957b27a5078e59e4a5d4d7867f79312c5a4546101772a
Instruction Fuzzy Hash: 16219AB1200206EBEF104F64FC84EBB77AEEF59368F944629FD12921A0D7B9CC519764

Uniqueness

Uniqueness Score: -1.00%

Function 0074703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0074705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00747091
GetStdHandle.KERNEL32(0000000C), ref: 007470A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007470DD

Strings

nul, xrefs: 007470D8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a01d083dc458720572e99482621635b18270b92209c65b4668ff4ded9973b2e0
Instruction ID: 8168c8a712361e72dd2e2c777bfc09dc24e05b1ee5e5db9cfdbafcd728c3e41b
Opcode Fuzzy Hash: a01d083dc458720572e99482621635b18270b92209c65b4668ff4ded9973b2e0
Instruction Fuzzy Hash: 12218174605309AFDF249F78DC05AAA77A8BF45720F208A19FCA1D72E0D7B49840CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0074710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0074712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0074715D
GetStdHandle.KERNEL32(000000F6), ref: 0074716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007471A8

Strings

nul, xrefs: 007471A3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a3cb89d2b5e57d910704dd7dccc5c65de57dae6b10963d57b771d712938dfeb9
Instruction ID: 4beb0398a2f23b09062756896c2c0f4a562657212ad4fa7617148feb1a17e461
Opcode Fuzzy Hash: a3cb89d2b5e57d910704dd7dccc5c65de57dae6b10963d57b771d712938dfeb9
Instruction Fuzzy Hash: 2321C575504309EBDF249F689C04AAAB7E8BF95730F204A19FDB1D32D0D7749841CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0074AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0074AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0074AF13
__swprintf.LIBCMT ref: 0074AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0076F910), ref: 0074AF6A

Strings

%lu, xrefs: 0074AF26

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8bc2a40743e35bd5b01b0ce26c13960c4cac73679dd6ac95db84b33e846990f4
Instruction ID: a21f3eef08f847be77829b64d8ac21f1a297e507cafda2b7ca3341f6eb6c5689
Opcode Fuzzy Hash: 8bc2a40743e35bd5b01b0ce26c13960c4cac73679dd6ac95db84b33e846990f4
Instruction Fuzzy Hash: C7219070A00208AFCB10DF65DC85DAE7BB8EF49704B1080A9F909EB251DB75EA41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0073A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

Part of subcall function 0073A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0073A399
Part of subcall function 0073A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0073A3AC
Part of subcall function 0073A37C: GetCurrentThreadId.KERNEL32 ref: 0073A3B3
Part of subcall function 0073A37C: AttachThreadInput.USER32(00000000), ref: 0073A3BA

GetFocus.USER32 ref: 0073A554

Part of subcall function 0073A3C5: GetParent.USER32(?), ref: 0073A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0073A59D
EnumChildWindows.USER32(?,0073A615), ref: 0073A5C5
__swprintf.LIBCMT ref: 0073A5DF

Strings

%s%d, xrefs: 0073A5D9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: fe7b23d955a86cca7ae8f5ea1c33bbaa0e4c1364a7a22e99f9b823752b873920
Instruction ID: a49e0f5f4bd0c5dcdf7a18947ad342cbb44658597799f1cc0b67068a2cec42d7
Opcode Fuzzy Hash: fe7b23d955a86cca7ae8f5ea1c33bbaa0e4c1364a7a22e99f9b823752b873920
Instruction Fuzzy Hash: 07119D71204308BBEF11BF64EC8AFAA3779AF49700F044079F949AA193CA7959458B76

Uniqueness

Uniqueness Score: -1.00%

Function 00742017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00742048

Strings

APPEND, xrefs: 00742081
KEYS, xrefs: 0074205F
EXISTS, xrefs: 00742070
REMOVE, xrefs: 0074204E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: cef7d9d986052f2c676a77f61f920f3eaed876042a6c4175e8536910e74bc0e9
Instruction ID: 64f8ede57b6403637db596d010deab126862613fec125b133e02850cf0de9dfc
Opcode Fuzzy Hash: cef7d9d986052f2c676a77f61f920f3eaed876042a6c4175e8536910e74bc0e9
Instruction Fuzzy Hash: 02115B30951209DFCF00EFA4D8415EEB7F4FF26304F608568E856A72A2EB366917CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0075EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0075EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0075EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0075F07E
CloseHandle.KERNEL32(?), ref: 0075F0FF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 595a156c36a87626d5955f361a3bf005a360f297680e1bba0df2974a76ca5aa4
Instruction ID: 6194963cc0a3a5393ee566918839663a9c93df07963742239e12a1780d3f5a8e
Opcode Fuzzy Hash: 595a156c36a87626d5955f361a3bf005a360f297680e1bba0df2974a76ca5aa4
Instruction Fuzzy Hash: 558195716013009FD760DF29C846F6AB7E6AF48710F14882DF99AD73D2DBB4AC048B55

Uniqueness

Uniqueness Score: -1.00%

Function 007602C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 007610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00760038,?,?), ref: 007610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00760388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007603C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0076040E
RegCloseKey.ADVAPI32(?,?), ref: 0076043A
RegCloseKey.ADVAPI32(00000000), ref: 00760447

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 9428b92d9bf6bd8a148da60c020c5a59a1c33deff87e2d9d663f6fc1e4012b16
Instruction ID: 8ee5b7ea47bdce8060aa64a9b5963a8c04d0f6c2a0abf76ab665102e609ce689
Opcode Fuzzy Hash: 9428b92d9bf6bd8a148da60c020c5a59a1c33deff87e2d9d663f6fc1e4012b16
Instruction Fuzzy Hash: F3515B31208344AFD704EF65D885E6BB7E9FF88304F04892DF99687292DB74E904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0075DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0075DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0075DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0075DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0075DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0075DD35

Part of subcall function 006E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00747B20,?,?,00000000), ref: 006E5B8C
Part of subcall function 006E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00747B20,?,?,00000000,?,?), ref: 006E5BB0

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 5dfbbddbdb15d19223cf4db81c10c1ba977da9b87c5c29e5bcf9da85732f9646
Instruction ID: 9e97df19cfe746b581f153bd2ca7acfdce45034ee609e9a6bd46265b1168ed8d
Opcode Fuzzy Hash: 5dfbbddbdb15d19223cf4db81c10c1ba977da9b87c5c29e5bcf9da85732f9646
Instruction Fuzzy Hash: 9B513735A01309DFDB20EF69C4849ADB7F5FF09315B14C0A9E816AB312DBB4AD49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0074E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0074E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0074E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0074E8F2

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0074E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0074E91F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e94c864116198d9e8627becb9c2d553952177744635e1386df048b25fc81d745
Instruction ID: d61506eaa82c7fa0bc4eaeeafc5740f7c3ff50a5aabe11cd143b3e7850eb7d7b
Opcode Fuzzy Hash: e94c864116198d9e8627becb9c2d553952177744635e1386df048b25fc81d745
Instruction Fuzzy Hash: 60512D35A00205DFCF41EF65C98196DBBF5FF08314B1480A9E849AB362CB35ED11DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0076A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776d8ccbd6994c3bec73c33fac99b6125202b53c8430771c5ce2e60753e7e552
Instruction ID: 357db6d6ee447d90c54ea766dabda74c226872c64bad2d346b83272f58adff60
Opcode Fuzzy Hash: 776d8ccbd6994c3bec73c33fac99b6125202b53c8430771c5ce2e60753e7e552
Instruction Fuzzy Hash: 8E41EF35900204BBC720DF28DC48BA9BBA9EB09310F184165EC27B72E1DB78AD418E51

Uniqueness

Uniqueness Score: -1.00%

Function 006E2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006E2357
ScreenToClient.USER32(007A67B0,?), ref: 006E2374
GetAsyncKeyState.USER32(00000001), ref: 006E2399
GetAsyncKeyState.USER32(00000002), ref: 006E23A7

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 311e3ce9aef34c863fecc93d48bab73a602e3d99b9cc5dad326d79ee69533e50
Instruction ID: 54453ae1bdf3d9fdbd14628bc3ac5c97dd445f3071bf7aa7e6b6094e83b9cb28
Opcode Fuzzy Hash: 311e3ce9aef34c863fecc93d48bab73a602e3d99b9cc5dad326d79ee69533e50
Instruction Fuzzy Hash: 5441A23150425AFBDF169FA9C844AEDBB7AFB05320F20431AF929922D0C7785D90DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00736920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0073695D
TranslateAcceleratorW.USER32(?,?,?), ref: 007369A9
TranslateMessage.USER32(?), ref: 007369D2
DispatchMessageW.USER32(?), ref: 007369DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007369EB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: d07cae03526bb3fd416a4aff52c06ffad6f06ae1b0826387a353390dd9d4a0de
Instruction ID: f7d73f82ee20308945a54164568158c8208ca31c61d0da23951c524fc26d921d
Opcode Fuzzy Hash: d07cae03526bb3fd416a4aff52c06ffad6f06ae1b0826387a353390dd9d4a0de
Instruction Fuzzy Hash: 8C31F271904246BAEB21CF70DC44FB67BBCAB02300F18C169E422D71A2D77DA885DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00738F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00738F12
PostMessageW.USER32(?,00000201,00000001), ref: 00738FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00738FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00738FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00738FDA

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 71a9a44ca9a7024ecb000a1554728ebefb0a3465769a0617857a24d209d93f60
Instruction ID: 786d2fbc49c37fe70697a6b3eb6e2b01db4326bdefc291f4c3d65e32719f9092
Opcode Fuzzy Hash: 71a9a44ca9a7024ecb000a1554728ebefb0a3465769a0617857a24d209d93f60
Instruction Fuzzy Hash: BD31DF7150031AEBEB04CF68D94CA9E7BB6EB04315F108229F925AA2D1C7B89D10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0073B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0073B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0073B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0073B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0073B742
_wcsstr.LIBCMT ref: 0073B74C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 8bd69160a1028056301e3ba7bd0b8520ebcfcdc255efe7d567e158c252498939
Instruction ID: 1d955edb6e16eaa0e30a160b0eb4dd243ac73391d61c0f5d35e77db220e91f3d
Opcode Fuzzy Hash: 8bd69160a1028056301e3ba7bd0b8520ebcfcdc255efe7d567e158c252498939
Instruction Fuzzy Hash: 4E21DA32604204FAFB155B35DC4DE7B7B98DF49750F10812AF905CA1A2EB69DC4096A0

Uniqueness

Uniqueness Score: -1.00%

Function 0076B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

GetWindowLongW.USER32(?,000000F0), ref: 0076B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0076B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0076B489
GetSystemMetrics.USER32(00000004), ref: 0076B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00751184,00000000), ref: 0076B4D0

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ac418b966ef20dd3c79578303195c3f530b3bb4b3e2f490f7f44a884ae9a62f3
Instruction ID: 256e284a620a140367522692a27bcd309fb9252076cabb15f320dd558a650ecd
Opcode Fuzzy Hash: ac418b966ef20dd3c79578303195c3f530b3bb4b3e2f490f7f44a884ae9a62f3
Instruction Fuzzy Hash: 72217171514295AFCB109F38DC04A6A3BA4FB06760F148739FD27D61E2EB389CA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007397E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00739802

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00739834
__itow.LIBCMT ref: 0073984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00739874
__itow.LIBCMT ref: 00739885

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 276b281d9ce6abc9ff4d6137a3316a9446ec3d9f8f2d8f123c766ef3e04306a4
Instruction ID: b6dfd1c49cca27ee5ca4ea672395432ff5695e06f01a1596818e85480b7ec21e
Opcode Fuzzy Hash: 276b281d9ce6abc9ff4d6137a3316a9446ec3d9f8f2d8f123c766ef3e04306a4
Instruction Fuzzy Hash: 4B21DA71701344EBFB109A65DC8AEEE7BADDF89710F044029FF05DB292D6B48D418791

Uniqueness

Uniqueness Score: -1.00%

Function 006E12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E134D
SelectObject.GDI32(?,00000000), ref: 006E135C
BeginPath.GDI32(?), ref: 006E1373
SelectObject.GDI32(?,00000000), ref: 006E139C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7363c2041451b25d6e49c47fdae59361eb4c1f4af929560f3e9838d997da28a
Instruction ID: cc86adb925826ae9e971cd1ee1f7aeba1315fe88af071d5fa1e33510ec54c762
Opcode Fuzzy Hash: c7363c2041451b25d6e49c47fdae59361eb4c1f4af929560f3e9838d997da28a
Instruction Fuzzy Hash: F0215170801348DFDB108F26EC047A97BBDEB42711F18C226E4119A1E0D37D9995DF99

Uniqueness

Uniqueness Score: -1.00%

Function 0073C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0073C176
_memcmp.LIBCMT ref: 0073C194
_memcmp.LIBCMT ref: 0073C1A7
_memcmp.LIBCMT ref: 0073C1BF
_memcmp.LIBCMT ref: 0073C1D7

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 255c17b4b0fef5dd2c833c906f01c2821f3cf5f3ec87aac73588095befce1c7f
Instruction ID: f761cad342c685531b98a68110721b7073a30d63cec64c6a3a655ea6f2d693a7
Opcode Fuzzy Hash: 255c17b4b0fef5dd2c833c906f01c2821f3cf5f3ec87aac73588095befce1c7f
Instruction Fuzzy Hash: 560196E2604209BBF616A6205D56E7B639C9B21394F448121FD14A6283EE5D9E11E3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00744D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00744D5C
__beginthreadex.LIBCMT ref: 00744D7A
MessageBoxW.USER32(?,?,?,?), ref: 00744D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00744DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00744DAC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 4a12cac6d308f3958c245af89e09b630d81402ec11892475d4559f1bb3fb0682
Instruction ID: 882c01c9043a21401dcaab7b12fcafaee6e39af2501f50d35c696226d7fbabd4
Opcode Fuzzy Hash: 4a12cac6d308f3958c245af89e09b630d81402ec11892475d4559f1bb3fb0682
Instruction Fuzzy Hash: C911CCB6D04248BBC7119FA8DC04B9A7FACFB45320F148365F915D3291D7BD8D448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0073874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00738766
GetLastError.KERNEL32(?,0073822A,?,?,?), ref: 00738770
GetProcessHeap.KERNEL32(00000008,?,?,0073822A,?,?,?), ref: 0073877F
HeapAlloc.KERNEL32(00000000,?,0073822A,?,?,?), ref: 00738786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073879D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: da9ba4a022066cc7fe2285d09119062bcf6bfd34a2de61267f78289a9698e96d
Instruction ID: 404c5408123da296269d006ed8dd8a1f7ff114af11633bf6e35da9605105b4e7
Opcode Fuzzy Hash: da9ba4a022066cc7fe2285d09119062bcf6bfd34a2de61267f78289a9698e96d
Instruction Fuzzy Hash: F4016271200304FFEB104FA6EC48D677B6DFF86355B204439F84AC6260DA798C10CA60

Uniqueness

Uniqueness Score: -1.00%

Function 007454E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00745502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00745510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00745518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00745522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0074555E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ec75a335994ade17d9d8d613554e2a1932a3f70fadd37e1dfeea92577d16ff65
Instruction ID: 927c087640663dc346637d404285018fa919686863195d081fae2238aff76107
Opcode Fuzzy Hash: ec75a335994ade17d9d8d613554e2a1932a3f70fadd37e1dfeea92577d16ff65
Instruction Fuzzy Hash: 4F012D36D00A1DDBCF04DFE8E8485EDFB79FB09711F014156E906B2141DB785964C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00737652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?,?,0073799D), ref: 0073766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?), ref: 0073768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?), ref: 00737698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?), ref: 007376A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0073758C,80070057,?,?), ref: 007376B4

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0cb7db44c704b49bdf0200fd8b18102a76e60d8076e3455beb74c6945a4abfdb
Instruction ID: b12e8a1967120ea9a439390b55da351d785ebd8866e23aa455bcc7e81248ec8d
Opcode Fuzzy Hash: 0cb7db44c704b49bdf0200fd8b18102a76e60d8076e3455beb74c6945a4abfdb
Instruction Fuzzy Hash: 6C01B1B2604705EBEB204F59EC05AAA7BECEB44761F104068FD05D3212E779DD00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007385F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00738608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00738612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00738621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00738628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0073863E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7e324b52f046500ea7649e92a3d00458cb7f3fb6646f61fe0c73fbc7c5c3bc3e
Instruction ID: d1890c3b42a06585931aaa643a7a31c998dddbe8d2ef1a5f37032b2988978084
Opcode Fuzzy Hash: 7e324b52f046500ea7649e92a3d00458cb7f3fb6646f61fe0c73fbc7c5c3bc3e
Instruction Fuzzy Hash: 8BF0AF30200314EFEB100FA5EC8AE6B3BACEF8A754F044029F906C3152CBB99C41DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00738652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00738669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00738673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00738682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00738689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0073869F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d519935dc8e90cc02b89ee1cdc7d9609e921a34195516ebccf375312023d1168
Instruction ID: 093c27b11711f6cf1401a4ba400beb2d73d2685e3c974c8d6455297f627e9220
Opcode Fuzzy Hash: d519935dc8e90cc02b89ee1cdc7d9609e921a34195516ebccf375312023d1168
Instruction Fuzzy Hash: 48F0C2B0200304EFEB111FA5EC89E673BACFF8A754F100025F906C6152CBB9DC00DA61

Uniqueness

Uniqueness Score: -1.00%

Function 0073C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0073C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0073C6D1
MessageBeep.USER32(00000000), ref: 0073C6E9
KillTimer.USER32(?,0000040A), ref: 0073C705
EndDialog.USER32(?,00000001), ref: 0073C71F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 043bff0cd464de2a312de5ad3cb3c4f4fba1223799931de7412aec886a84daf2
Instruction ID: 6af549f31390fc59d475fd69bd5b5bc583a2bfff2d1150b2c96424b728301f43
Opcode Fuzzy Hash: 043bff0cd464de2a312de5ad3cb3c4f4fba1223799931de7412aec886a84daf2
Instruction Fuzzy Hash: A6016230500708ABFB22AB24ED4EF9677B8FF00745F004669F543B14E1DBE9A9548F95

Uniqueness

Uniqueness Score: -1.00%

Function 006E13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006E13BF
StrokeAndFillPath.GDI32(?,?,0071BAD8,00000000,?), ref: 006E13DB
SelectObject.GDI32(?,00000000), ref: 006E13EE
DeleteObject.GDI32 ref: 006E1401
StrokePath.GDI32(?), ref: 006E141C

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9c03b65ec8a5748dc29011f259c17cba7952c65f263cc77e0108c64b1ed6b5c0
Instruction ID: c2d02497617380e2b4f5c5c96ca70088638c8a77b0e2a57d275da859f7b554a9
Opcode Fuzzy Hash: 9c03b65ec8a5748dc29011f259c17cba7952c65f263cc77e0108c64b1ed6b5c0
Instruction Fuzzy Hash: 8FF0EC34005348EBDB155F26EC0C7983FA9A742726F08C225E42A491F1D77D89A9EF5A

Uniqueness

Uniqueness Score: -1.00%

Function 006F2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00700FF6: std::exception::exception.LIBCMT ref: 0070102C
Part of subcall function 00700FF6: __CxxThrowException@8.LIBCMT ref: 00701041

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 006E7BB1: _memmove.LIBCMT ref: 006E7C0B

__swprintf.LIBCMT ref: 006F302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006F2EC6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 3ef276c7120c888da4c4e853d15d1f3ed4f63900fb2bab36d85a9b57d9a7bc34
Instruction ID: ce267e7ef7f36674cc9ed1167ea4512a6a8dd1314a6eadb7b3a3b6a95cc8b6a9
Opcode Fuzzy Hash: 3ef276c7120c888da4c4e853d15d1f3ed4f63900fb2bab36d85a9b57d9a7bc34
Instruction Fuzzy Hash: E291AD71109355DFCB18EF24D985C7EB7E6EF84740F00491EF5829B2A1DA24EE04CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0073B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0073B981

Strings

AutoIt3GUI, xrefs: 0073B8F9
Container, xrefs: 0073B8FE
%w, xrefs: 0073BA24

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%w
API String ID: 3565006973-1006644425
Opcode ID: 5fa44c642ddabaf455b1423b2fa595cb76ede0bdfc54bc1a90cfbc98e2f4a416
Instruction ID: 52892eea3398ea0de674ec314f335b28be27f97ab519f1ddcf2cab77a064d1d3
Opcode Fuzzy Hash: 5fa44c642ddabaf455b1423b2fa595cb76ede0bdfc54bc1a90cfbc98e2f4a416
Instruction Fuzzy Hash: 36914A70600605DFEB24DF68C884B6AB7E9FF48710F14856DFA4ADB292DB74E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0070524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007052DD

Part of subcall function 00710340: __87except.LIBCMT ref: 0071037B

Strings

pow, xrefs: 007052B5, 007052D2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 9a02465bd580225ed99a17b4a8f1788cffbd93420a923f12016b5f39b5a3860d
Instruction ID: 5893fd7a2f9312ec95558bededbc1637659d61e6879c0247c04a3c0628063049
Opcode Fuzzy Hash: 9a02465bd580225ed99a17b4a8f1788cffbd93420a923f12016b5f39b5a3860d
Instruction Fuzzy Hash: F0516B61A0D601C7CB15771CC9813BF6BD4AF41790F208E58E499862E5EEBC8CD4DEC6

Uniqueness

Uniqueness Score: -1.00%

Function 0070023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00700280
+, xrefs: 00700277

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: adbb86b1b96c9b5bd6576a784ef80decd82454e0e7e2e93d2a9dc77f9843deab
Instruction ID: 8b7e06e1b444765e4cc4d95caea212c1926f16da4014d615e76f88e54a89b072
Opcode Fuzzy Hash: adbb86b1b96c9b5bd6576a784ef80decd82454e0e7e2e93d2a9dc77f9843deab
Instruction Fuzzy Hash: D5514374605646CFEF15DF28C8886FABBA4EF15320F144159FC919B2E1D7789C42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006F3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F33D7
_memmove.LIBCMT ref: 006F3470
_free.LIBCMT ref: 006F3496
_memmove.LIBCMT ref: 006F3549

Strings

Oao, xrefs: 006F3482

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove$_free
String ID: Oao
API String ID: 2620147621-627848640
Opcode ID: d33bff6aa3d6d6e3fa9f95fa790effbae656b195ab4b45a13e76a5641a222121
Instruction ID: d89bd0891082fc49c55b4a8b096600b75b403454394d0f848f335d50f2386fa1
Opcode Fuzzy Hash: d33bff6aa3d6d6e3fa9f95fa790effbae656b195ab4b45a13e76a5641a222121
Instruction Fuzzy Hash: 4F5138B1608355DFDB24CF28C541B6ABBE2BF89314F44492DEA89C7351DB35E901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006F62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F63A8
_memmove.LIBCMT ref: 006F6446
_memset.LIBCMT ref: 006F646A

Strings

ERCP, xrefs: 006F6313

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: ca959c286cbe3bafaa531812675477098f61b083e9cbd5016616ce0320e0343b
Instruction ID: cce8db72330a0ff2c2833c2dde2a0c6a516ef81d0ccf898372659ca2c528093f
Opcode Fuzzy Hash: ca959c286cbe3bafaa531812675477098f61b083e9cbd5016616ce0320e0343b
Instruction Fuzzy Hash: 5A519F7190030DDBDB24DF65C885BEABBF5EF04714F20856EEA4ACB281E7759985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00767BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0076F910,00000000,?,?,?,?), ref: 00767C4E
GetWindowLongW.USER32 ref: 00767C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00767C7B

Strings

SysTreeView32, xrefs: 00767C20

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 5d4acf63e56ce0ca92cab51526e657f110978b4ba03fdcefdcace4aeaba20ef5
Instruction ID: d8f6a0138393f9b9c12c0725bc8d69d3804a5ba94fb376b060757d43099d5c00
Opcode Fuzzy Hash: 5d4acf63e56ce0ca92cab51526e657f110978b4ba03fdcefdcace4aeaba20ef5
Instruction Fuzzy Hash: C431D071204206ABDB158F38DC41BEA77A9EF49368F244725F876932E0C739E851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00767648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007676D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007676E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00767708

Strings

SysMonthCal32, xrefs: 0076769B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: dd9cdf6f6cfa6df5160b7fd2d883b0df1a958404e079a31197004ad6f466ec37
Instruction ID: 1607e501c3e32c6b202e648af412b6fc7f5c5cac6618be193b40feb54b793b70
Opcode Fuzzy Hash: dd9cdf6f6cfa6df5160b7fd2d883b0df1a958404e079a31197004ad6f466ec37
Instruction Fuzzy Hash: 0321E232504219BBDF15CFA4DC46FEA3B79EF48758F110214FE166B1D0DAB9A850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00766F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00766FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00766FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00766FDF

Strings

Listbox, xrefs: 00766F77

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cbe3a7d9b5d814817524c9993e88453cdb964ac3bd76be8d2b55efeb2f71f1ec
Instruction ID: 3ba66a9442e84901ff6feafc8cf74a54d3b4af93b057e6e007d592b8aae16160
Opcode Fuzzy Hash: cbe3a7d9b5d814817524c9993e88453cdb964ac3bd76be8d2b55efeb2f71f1ec
Instruction Fuzzy Hash: 3921A472610118BFDF118F54EC85FEB37AAEF89754F418124F9169B190C675AC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007679E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007679F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00767A03

Strings

msctls_trackbar32, xrefs: 007679B8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: cd8ab16af7e358a488f903a65c0a0e7255e6f2795748434d44e8abd0ea38c89d
Instruction ID: b27cadd3c62d68f29c8ae2e7eb5e9fe4c778f669864cb2b1387ea02f36aea2cb
Opcode Fuzzy Hash: cd8ab16af7e358a488f903a65c0a0e7255e6f2795748434d44e8abd0ea38c89d
Instruction Fuzzy Hash: CF110672244208BBEF149FB4CC05FEB37A9EF897A8F114519FA42A60A0D275E851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 006E4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006E4C2E), ref: 006E4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006E4CB5

Strings

GetNativeSystemInfo, xrefs: 006E4CAF
kernel32.dll, xrefs: 006E4C9E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 69fadc37f9850dc003f5bc47049891ffbc82e40de749dd4340e142456063b427
Instruction ID: a5eec2b35f781e30918f0213099de34461ad43a9c1b5a8cd678574e154a030a6
Opcode Fuzzy Hash: 69fadc37f9850dc003f5bc47049891ffbc82e40de749dd4340e142456063b427
Instruction Fuzzy Hash: C3D012B0511727CFD7209F31E91864676D6AF05B91B21CC39D887D6650DAB8D880C650

Uniqueness

Uniqueness Score: -1.00%

Function 006E4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006E4D2E,?,006E4F4F,?,007A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006E4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006E4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 006E4D7B
kernel32.dll, xrefs: 006E4D6A

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f663b4ef23ec3a01fff904e952ae061431c24a82f4c9bc27bf2f3abd0ab00ba6
Instruction ID: f496be75b4943075a7ad2ae23629b150e3070062d80a5c716ea80d73026b9fec
Opcode Fuzzy Hash: f663b4ef23ec3a01fff904e952ae061431c24a82f4c9bc27bf2f3abd0ab00ba6
Instruction Fuzzy Hash: 76D05B70511753CFD7249F35EC0869676E9BF15392B11D83DD487D6750DBB8D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 006E4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006E4CE1,?), ref: 006E4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006E4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 006E4DAE
kernel32.dll, xrefs: 006E4D9D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0367c5f2d6f33e5f74959e25ee69751855f4a53988ff63e4f6439851a61fb795
Instruction ID: 252bd48e878417370e4766dab89ba1215565b2c802cfe32f590066a6542a4182
Opcode Fuzzy Hash: 0367c5f2d6f33e5f74959e25ee69751855f4a53988ff63e4f6439851a61fb795
Instruction Fuzzy Hash: 71D017B1551713CFDB249F36EC08B8676E6AF06395B11C83AD8C6D6650EBB8D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00761072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007612C1), ref: 00761080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00761092

Strings

RegDeleteKeyExW, xrefs: 0076108C
advapi32.dll, xrefs: 0076107B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f901b24349c6502cf4e2c16dc674f8972d97ac6ddc5560d597d30f1037265213
Instruction ID: 9159efa29776a393857da463de9a3fd713520a656632a4ce35585063f746011e
Opcode Fuzzy Hash: f901b24349c6502cf4e2c16dc674f8972d97ac6ddc5560d597d30f1037265213
Instruction Fuzzy Hash: 72D01770510712CFDB249F35F918A1A76E4EF067A1B15DC3AE88BDA550E7B8C8C0CA50

Uniqueness

Uniqueness Score: -1.00%

Function 007593F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00759009,?,0076F910), ref: 00759403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00759415

Strings

kernel32.dll, xrefs: 007593FE
GetModuleHandleExW, xrefs: 0075940F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6627376e532d35128021f36b8e27fe1e875d4c6dd0c8294605c0f8797fa2cdb8
Instruction ID: 12b7145f5db94b9aae4e1bae9db5beaf093b42b6e0086e871e5dabe902aa8571
Opcode Fuzzy Hash: 6627376e532d35128021f36b8e27fe1e875d4c6dd0c8294605c0f8797fa2cdb8
Instruction Fuzzy Hash: 46D017B4514717DFDB209F31E90864776E6AF06392B21C83AE986D6950E6B8C884DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00721B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00721B42
__swprintf.LIBCMT ref: 00721B73

Strings

%.3d, xrefs: 00721B4D
WIN_XPe, xrefs: 00721BB2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: f8b49c25e9eb1950bd8bb22bd4941ad6968ec3607f64036f8799e854d5826149
Instruction ID: 4625ae33b52cb243baed056303d696797f9d619c7f64706349db3fb6a57a94cf
Opcode Fuzzy Hash: f8b49c25e9eb1950bd8bb22bd4941ad6968ec3607f64036f8799e854d5826149
Instruction Fuzzy Hash: 3ED017F1C08268EACB049B90AC448FE737CBB28311F9046D2F902A2040F27C9B85AB25

Uniqueness

Uniqueness Score: -1.00%

Function 007376C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15a7f83467f6786345ca09c1f4a5c7f2e0c47ff03100af6594dd5dcd70dbc45
Instruction ID: e6dc485c9ed97fe7a4d0f47bb81933b8614f2e9791f21424c957ea975b408d00
Opcode Fuzzy Hash: a15a7f83467f6786345ca09c1f4a5c7f2e0c47ff03100af6594dd5dcd70dbc45
Instruction Fuzzy Hash: 73C150B5A04216EFDB28CFA4C884EAEB7B5FF48714F118598E805EB252D734ED41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0075E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0075E3D2
CharLowerBuffW.USER32(?,?), ref: 0075E415

Part of subcall function 0075DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0075DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0075E615
_memmove.LIBCMT ref: 0075E628

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 56986efb926d991db6dcbbe17114cf112696be65bcfbaa8558db66d706952c87
Instruction ID: 0a642f9ddf48ce2e2bc649fa72a26af2a533342d54b1a338ec77e3e6c92122ec
Opcode Fuzzy Hash: 56986efb926d991db6dcbbe17114cf112696be65bcfbaa8558db66d706952c87
Instruction Fuzzy Hash: 01C16A71A08341CFC754DF28C48096ABBE5FF88314F14896DF89A9B351D774EA4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 007583A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007583D8
CoUninitialize.OLE32 ref: 007583E3

Part of subcall function 0073DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0073DAC5

VariantInit.OLEAUT32(?), ref: 007583EE
VariantClear.OLEAUT32(?), ref: 007586BF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 8298f85f1231fcb99f89581ac047fb47128a84ead9b3e09bbc9cc468fee8db94
Instruction ID: 5a802cf91a27d7036f0cba7264da55b88ec8a88b63ba7f53181b370706a8b23c
Opcode Fuzzy Hash: 8298f85f1231fcb99f89581ac047fb47128a84ead9b3e09bbc9cc468fee8db94
Instruction Fuzzy Hash: D4A15775204741DFCB90DF15C485A6AB7E5BF88314F18845CF99AAB3A2CB74EC04CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00736DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00736E04
SysAllocString.OLEAUT32(00000000), ref: 00736EAD
VariantCopy.OLEAUT32 ref: 00736EDC
VariantClear.OLEAUT32(?), ref: 00736F03

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 667ea755264b4c9c7ebe0a53f12212401658104939d2f51d592150df10bb9fc6
Instruction ID: 02f495d386481e08b9b98004a4c79ee70d339925539624ec059386602e35a84a
Opcode Fuzzy Hash: 667ea755264b4c9c7ebe0a53f12212401658104939d2f51d592150df10bb9fc6
Instruction Fuzzy Hash: AC51EC75604302EEEB38AF65D895A3DB3E5AF44310F20C81FE556DB293EB789840DB15

Uniqueness

Uniqueness Score: -1.00%

Function 007497E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 006E5045: _fseek.LIBCMT ref: 006E505D

Part of subcall function 007499BE: _wcscmp.LIBCMT ref: 00749AAE
Part of subcall function 007499BE: _wcscmp.LIBCMT ref: 00749AC1

_free.LIBCMT ref: 0074992C
_free.LIBCMT ref: 00749933
_free.LIBCMT ref: 0074999E

Part of subcall function 00702F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00709C64), ref: 00702FA9
Part of subcall function 00702F95: GetLastError.KERNEL32(00000000,?,00709C64), ref: 00702FBB

_free.LIBCMT ref: 007499A6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 25d1d93bc3f8275e64c9e484e40f464445bf957f0d73f79295273d4ee98e746c
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: BA516EB1904358EFDF249F65CC85A9EBBB9EF48300F1004AEB209A7281DB755E80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00769A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00769AD2
ScreenToClient.USER32(00000002,00000002), ref: 00769B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00769B72

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 325fb1907ba1e298d59e2ba4ef410c7862a98b3bb6c9709ebd518e23320d0269
Instruction ID: e734022f4d4c4f4d081e94562132f63cf88d635fd474d306dc42618e57802107
Opcode Fuzzy Hash: 325fb1907ba1e298d59e2ba4ef410c7862a98b3bb6c9709ebd518e23320d0269
Instruction Fuzzy Hash: FF512D74A00209EFCF14DF68E8809AE7BBAFB55360F148169FD2A9B290D774AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00756CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00756CE4
WSAGetLastError.WSOCK32(00000000), ref: 00756CF4

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00756D58
WSAGetLastError.WSOCK32(00000000), ref: 00756D64

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 981a106d718e6556bf3fc49c3eed3132c0ce323eaf967a1ffb1eea1148fa938b
Instruction ID: 123394e37b0e21e0be0ed5139509b42acfba9a91b4fc82c0ff60c33b222ee147
Opcode Fuzzy Hash: 981a106d718e6556bf3fc49c3eed3132c0ce323eaf967a1ffb1eea1148fa938b
Instruction Fuzzy Hash: C741A074740300AFEB60AF25DC86F7A77E6AF44B10F44C45CFA599B2D2DAB59C008B95

Uniqueness

Uniqueness Score: -1.00%

Function 0075672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0076F910), ref: 007567BA
_strlen.LIBCMT ref: 007567EC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 75b36cbfc1fdf55d1403e48b3652eccada04c4bda16b8ccadb7ccdb09106dd0a
Instruction ID: 7f3008eca10a370a147063f8edbaed25abd4a15107e0e18a296301cf72c835f1
Opcode Fuzzy Hash: 75b36cbfc1fdf55d1403e48b3652eccada04c4bda16b8ccadb7ccdb09106dd0a
Instruction Fuzzy Hash: 0F41E431A00204EFCB14EB65DCC5FEEB3A9AF48314F548169FC169B292DBB8AD04C754

Uniqueness

Uniqueness Score: -1.00%

Function 0074BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0074BB09
GetLastError.KERNEL32(?,00000000), ref: 0074BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0074BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0074BB80

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 18973d812a6d573ee563951dc333b5326c7088c964968e8ec434c47780a57188
Instruction ID: e1fe59a8a45c38a97fe1b15af89a8c31529fe3b1aaa3577c750eb96cc9beefdb
Opcode Fuzzy Hash: 18973d812a6d573ee563951dc333b5326c7088c964968e8ec434c47780a57188
Instruction Fuzzy Hash: C6411939201650DFCB11EF1AC585A5DBBE2EF49710B19C498EC4A9B762CB38FD01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00768AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00768B4D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 381c55b705e88f380a5e610ce43024d0de6db0e28505676492d023af4915811e
Instruction ID: 7642681ed440729c3eb6069587eefe57f0143f3eb2698724d127f176e40d8655
Opcode Fuzzy Hash: 381c55b705e88f380a5e610ce43024d0de6db0e28505676492d023af4915811e
Instruction Fuzzy Hash: 4731B3F4600204BEEFA09E58DC59FA93765EB0A310F148716FE5BD62A1CE3899409757

Uniqueness

Uniqueness Score: -1.00%

Function 0076ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0076AE1A
GetWindowRect.USER32(?,?), ref: 0076AE90
PtInRect.USER32(?,?,0076C304), ref: 0076AEA0
MessageBeep.USER32(00000000), ref: 0076AF11

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fe08c5866c6f870a4615d7de95eecb8563e02e3a27ae5c39e6eced9c55c6c4c7
Instruction ID: 35dc61cf5e2bc5bdfa11ccb8e4a7b529d8814902bfa29fb08110b18bbc95fe16
Opcode Fuzzy Hash: fe08c5866c6f870a4615d7de95eecb8563e02e3a27ae5c39e6eced9c55c6c4c7
Instruction Fuzzy Hash: BD41BF70600209EFCB11DF58D885BA97BF5FF89710F1881A9E816EB251C739E801DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00740FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00741037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00741053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007410B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0074110B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 14a8dac82b453ab443f35c63fc7c596716464f0957c826caf56e8a3ec7956169
Instruction ID: 3aa345cafcd78809ae67cdf7ff5da4f8ef1383b0b93cc62b5136b1fc40ec20da
Opcode Fuzzy Hash: 14a8dac82b453ab443f35c63fc7c596716464f0957c826caf56e8a3ec7956169
Instruction Fuzzy Hash: E5315A30E40688AEFF34EB658C09BF9BBA9AB45310F88421AE591521F1C37C8DD0D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00741121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00741176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00741192
PostMessageW.USER32(00000000,00000101,00000000), ref: 007411F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00741243

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a30b4fa5d40ac0153ab2a4eb56ab8f88b60ad69585cf6d230acabab77812c2c1
Instruction ID: 8f2f4ebd1c7b6176a4b37a03839bc3658651d45e3ef27611b9bc01b7ebb5e20d
Opcode Fuzzy Hash: a30b4fa5d40ac0153ab2a4eb56ab8f88b60ad69585cf6d230acabab77812c2c1
Instruction Fuzzy Hash: 3C312830A4071C9AEF20EB65CC087FA7BAAAB49310F84835AE691921D1C37C4DD59795

Uniqueness

Uniqueness Score: -1.00%

Function 00716415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0071644B
__isleadbyte_l.LIBCMT ref: 00716479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007164A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007164DD

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 791a82a95e3eff4b449004fa56b8ed012ac0febc4cca1deded7e2730e5d49af7
Instruction ID: 126083c02847631ca56407fecd2a698daf3d0d0b9d64bae5b5f7d66aaccd2839
Opcode Fuzzy Hash: 791a82a95e3eff4b449004fa56b8ed012ac0febc4cca1deded7e2730e5d49af7
Instruction Fuzzy Hash: D831DE31600296EFDB218F69C844BFA7BA9FF41350F154169EC64871E1EB39DA90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00765175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00765189

Part of subcall function 0074387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00743897
Part of subcall function 0074387D: GetCurrentThreadId.KERNEL32 ref: 0074389E
Part of subcall function 0074387D: AttachThreadInput.USER32(00000000,?,007452A7), ref: 007438A5

GetCaretPos.USER32(?), ref: 0076519A
ClientToScreen.USER32(00000000,?), ref: 007651D5
GetForegroundWindow.USER32 ref: 007651DB

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b0014e262ffb8988d018f64373b4a48ee0fb16139371db0cbad30da1580bad28
Instruction ID: b7a27aa221b14eb2874eeea05292c7dfa7400f6d70b4320c8edb065a8b0842b6
Opcode Fuzzy Hash: b0014e262ffb8988d018f64373b4a48ee0fb16139371db0cbad30da1580bad28
Instruction Fuzzy Hash: 5A3112B1901248AFDB40EFA6CC459EFB7FDEF58300F10406AE416E7251EA759E45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0076C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

GetCursorPos.USER32(?), ref: 0076C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0071BBFB,?,?,?,?,?), ref: 0076C7D7
GetCursorPos.USER32(?), ref: 0076C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0071BBFB,?,?,?), ref: 0076C85E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4a01482ab80b0c76a4d55ac2d9c22bea8735663a944b9b5742838f4cfbf18d05
Instruction ID: d8bfebf3dfdcea33e7f63ed52b706116a942becbad9d370b235e4a01c531897d
Opcode Fuzzy Hash: 4a01482ab80b0c76a4d55ac2d9c22bea8735663a944b9b5742838f4cfbf18d05
Instruction Fuzzy Hash: BB31B435600118AFCB26CF59C898EFA7BBAEB49710F048169FD468B261C7399D50DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00700BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00700BF2

Part of subcall function 006E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00747B20,?,?,00000000), ref: 006E5B8C
Part of subcall function 006E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00747B20,?,?,00000000,?,?), ref: 006E5BB0

_fprintf.LIBCMT ref: 00700C29
OutputDebugStringW.KERNEL32(?), ref: 00736331

Part of subcall function 00704CDA: _flsall.LIBCMT ref: 00704CF3

__setmode.LIBCMT ref: 00700C5E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: b2424bf078a42fe3f76a799f7e42c29f273b2c204c3371b6d207d8774f6aa06a
Instruction ID: 455d3b6a7171d27cc4b058a9565654f7c137a23c643b6c4a048318fbe1f3050e
Opcode Fuzzy Hash: b2424bf078a42fe3f76a799f7e42c29f273b2c204c3371b6d207d8774f6aa06a
Instruction Fuzzy Hash: 81113AB1904208FEDB0477B59C4BAFE7BAA9F41320F14425AF205971D2DF681D4547E5

Uniqueness

Uniqueness Score: -1.00%

Function 00738B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00738652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00738669
Part of subcall function 00738652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00738673
Part of subcall function 00738652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00738682
Part of subcall function 00738652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00738689
Part of subcall function 00738652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0073869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00738BEB
_memcmp.LIBCMT ref: 00738C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00738C44
HeapFree.KERNEL32(00000000), ref: 00738C4B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3b4b622ee1c87b0eca81497d943127dce6f1fa9d3006840ff7c16e551e721ab7
Instruction ID: db74e15fa94f2c9053278b54695fa61d91ee7ce5e89af057cf4df7674e4d242e
Opcode Fuzzy Hash: 3b4b622ee1c87b0eca81497d943127dce6f1fa9d3006840ff7c16e551e721ab7
Instruction Fuzzy Hash: D921A171D01209EFEB00CFA4C955BEEB7B8EF40340F044099E455A7242DB79AE05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00751A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00751A97

Part of subcall function 00751B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00751B40
Part of subcall function 00751B21: InternetCloseHandle.WININET(00000000), ref: 00751BDD

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 74f9155bc6022eeef35c9fc71dec0aa65aa141ec73ba2328b4cc36af4f91e904
Instruction ID: 57989b8f0ff62472ebed7b21751810ac11ec91e5434669f46b2b302f8cb8f853
Opcode Fuzzy Hash: 74f9155bc6022eeef35c9fc71dec0aa65aa141ec73ba2328b4cc36af4f91e904
Instruction Fuzzy Hash: 5E21CF71200700BFDB129F608C04FFAB7A9FF48703F90401AFE1296651EBB998199BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0073E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0073F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0073E1C4,?,?,?,0073EFB7,00000000,000000EF,00000119,?,?), ref: 0073F5BC
Part of subcall function 0073F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0073F5E2
Part of subcall function 0073F5AD: lstrcmpiW.KERNEL32(00000000,?,0073E1C4,?,?,?,0073EFB7,00000000,000000EF,00000119,?,?), ref: 0073F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0073EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0073E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0073E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0073EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0073E237

Strings

cdecl, xrefs: 0073E22E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 92a019a34035eaf4490d33b099d73a3ece94bbcc82677b5dffe5e6e81825db42
Instruction ID: 9030406f40c73e0ff9ed9cec6e62df737f8439f5bd3bd16c5433b4101ebecac8
Opcode Fuzzy Hash: 92a019a34035eaf4490d33b099d73a3ece94bbcc82677b5dffe5e6e81825db42
Instruction Fuzzy Hash: 5B11D336200345EFEB25AF64DC49D7A77A8FF45350F40802AF806CB2A1EB799850D790

Uniqueness

Uniqueness Score: -1.00%

Function 00715332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00715351

Part of subcall function 0070594C: __FF_MSGBANNER.LIBCMT ref: 00705963
Part of subcall function 0070594C: __NMSG_WRITE.LIBCMT ref: 0070596A
Part of subcall function 0070594C: RtlAllocateHeap.NTDLL(01200000,00000000,00000001,00000000,?,?,?,00701013,?), ref: 0070598F

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 773c6a28dc50f6d42ce009d643934eddbf0a58056c8f5ae1f9fae230ed1eae8e
Instruction ID: 60fcdfac6cb0de312991d514b78e226c73966da46e70bd7362a7841e71d8ab02
Opcode Fuzzy Hash: 773c6a28dc50f6d42ce009d643934eddbf0a58056c8f5ae1f9fae230ed1eae8e
Instruction Fuzzy Hash: 90112732504A05EFCB292F78AC0869E37D86F947E4B20472AF855971D0DFBD89809750

Uniqueness

Uniqueness Score: -1.00%

Function 006E4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E4560

Part of subcall function 006E410D: _memset.LIBCMT ref: 006E418D
Part of subcall function 006E410D: _wcscpy.LIBCMT ref: 006E41E1
Part of subcall function 006E410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006E41F1

KillTimer.USER32(?,00000001,?,?), ref: 006E45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006E45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0071D6CE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2e40abf927bdb0c018da1d40d591e6499b57ea2b87fc7d80681e1c42a440beb9
Instruction ID: 0dcffc3ad9135edcf8b1ab8e8d8c5e651c55d593616232de7f51d00d714a24ef
Opcode Fuzzy Hash: 2e40abf927bdb0c018da1d40d591e6499b57ea2b87fc7d80681e1c42a440beb9
Instruction Fuzzy Hash: B021D770905794AFEB328B34DC55BE7BBED9F01304F04009DE69E56285C7B85E848F51

Uniqueness

Uniqueness Score: -1.00%

Function 007440B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007440D1
_memset.LIBCMT ref: 007440F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00744144
CloseHandle.KERNEL32(00000000), ref: 0074414D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 7afb61a72211271fee02157d9702baf917401584fb80660575c1a3ffd6aab96c
Instruction ID: f79f8e929adeb55b4bccb3303a90041aaa828eddbe18ee93e0c524483b946fee
Opcode Fuzzy Hash: 7afb61a72211271fee02157d9702baf917401584fb80660575c1a3ffd6aab96c
Instruction Fuzzy Hash: 6A11AB7590132CBAD7305BA5AC4DFABBB7CEF45760F104196F908D7190D6744E808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0075667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00747B20,?,?,00000000), ref: 006E5B8C
Part of subcall function 006E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00747B20,?,?,00000000,?,?), ref: 006E5BB0

gethostbyname.WSOCK32(?,?,?), ref: 007566AC
WSAGetLastError.WSOCK32(00000000), ref: 007566B7
_memmove.LIBCMT ref: 007566E4
inet_ntoa.WSOCK32(?), ref: 007566EF

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e78085b000605b56c69c92ea7f63a3da5ff2520410d74c2c6846aadb6e0508e3
Instruction ID: 816448ac7f1b3ff4eba0292d721f4432e3d2418d2b6d28342799ff756bf932e3
Opcode Fuzzy Hash: e78085b000605b56c69c92ea7f63a3da5ff2520410d74c2c6846aadb6e0508e3
Instruction Fuzzy Hash: 69119035500609AFCB00EBA5DD86DEEB7B9FF44314B148069F903A71A1DF74AE04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00739023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00739043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00739055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0073906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00739086

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7c3fb180fffdf2c6e18d6b83685acf82087197d6fb93a6e816df6aae3ca34c3e
Instruction ID: 353326e33bc685869c331f46983cbf0ef3fff085f81c5fe682f619ddc11e16db
Opcode Fuzzy Hash: 7c3fb180fffdf2c6e18d6b83685acf82087197d6fb93a6e816df6aae3ca34c3e
Instruction Fuzzy Hash: 17115E79900219FFEB10DFA5CC84EADFB74FB48310F204095EA04B7250D6716E10DB94

Uniqueness

Uniqueness Score: -1.00%

Function 006E1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 006E2612: GetWindowLongW.USER32(?,000000EB), ref: 006E2623

DefDlgProcW.USER32(?,00000020,?), ref: 006E12D8
GetClientRect.USER32(?,?), ref: 0071B84B
GetCursorPos.USER32(?), ref: 0071B855
ScreenToClient.USER32(?,?), ref: 0071B860

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7fb8b235b02b6c037f0ee53d677aeb3b59708e56f77e3900e4a5a8c6b7e64cb2
Instruction ID: 39613852d2afdff0c010a6c4094aa902912b3a4666b5433d8c83cbff523d6eb5
Opcode Fuzzy Hash: 7fb8b235b02b6c037f0ee53d677aeb3b59708e56f77e3900e4a5a8c6b7e64cb2
Instruction Fuzzy Hash: B8113A35901259EFCB00DFA9DC859FE77B9FB06300F004455FA12EB251C774BA919BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00741652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007401FD,?,00741250,?,00008000), ref: 0074166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,007401FD,?,00741250,?,00008000), ref: 00741694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007401FD,?,00741250,?,00008000), ref: 0074169E
Sleep.KERNEL32(?,?,?,?,?,?,?,007401FD,?,00741250,?,00008000), ref: 007416D1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 16bb2864926fad33a582e725cffe96e6aa28dac7dde077855ac9597801348729
Instruction ID: d98cda62a044649ab760ed74ddbac80cf00eb0c611d88a1d7d6062492051f633
Opcode Fuzzy Hash: 16bb2864926fad33a582e725cffe96e6aa28dac7dde077855ac9597801348729
Instruction Fuzzy Hash: CC118E31C0061CDBCF04AFA5E948AEEBB78FF0A751F468055E951B2240CF7895A08BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00717207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0071722B

Part of subcall function 00717912: __fltout2.LIBCMT ref: 0071793B

__cftog_l.LIBCMT ref: 00717251
__cftoe_l.LIBCMT ref: 00717283

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6da15074d7906e88512ad6d3fa3a3b287b20f535f9a4c5b9ec1df47fc8e0a9d7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: FB01833204414AFBCF1A5E88DC058EE3F72BF29350B548515FA1858071C23BC9B2EB81

Uniqueness

Uniqueness Score: -1.00%

Function 0076B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0076B59E
ScreenToClient.USER32(?,?), ref: 0076B5B6
ScreenToClient.USER32(?,?), ref: 0076B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0076B5F5

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4f0f369457afa9757181094bad34c789a76ccb49b7bf40e263de77bfaff9b2d5
Instruction ID: 8f4c136cecd8ea865f56178ca4e3eee06b274f88a2464c46289f931977cc1391
Opcode Fuzzy Hash: 4f0f369457afa9757181094bad34c789a76ccb49b7bf40e263de77bfaff9b2d5
Instruction Fuzzy Hash: 7D1146B5D00209EFDB41DF99D4449EEFBB9FB08310F108166E915E3220D775AA658F54

Uniqueness

Uniqueness Score: -1.00%

Function 0076B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076B8FE
_memset.LIBCMT ref: 0076B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007A7F20,007A7F64), ref: 0076B93C
CloseHandle.KERNEL32 ref: 0076B94E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: c99cd090acd2c538a70caaaeac55c5599c30de54129c0bec24667cad06a1eeb2
Instruction ID: bbbb0d9010863c169dc01d51108d7142deaa44a088da48d82150b86c4241feca
Opcode Fuzzy Hash: c99cd090acd2c538a70caaaeac55c5599c30de54129c0bec24667cad06a1eeb2
Instruction Fuzzy Hash: D7F05EB2544300BFE2102761AC0AFBB3A9CEB4A354F008030FA09D5292E77D5A11C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00746E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00746E88

Part of subcall function 0074794E: _memset.LIBCMT ref: 00747983

_memmove.LIBCMT ref: 00746EAB
_memset.LIBCMT ref: 00746EB8
LeaveCriticalSection.KERNEL32(?), ref: 00746EC8

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 4b30597857efc8adce7c85519f10cfafcf1fb7456ff965f76498b0145dda93fa
Instruction ID: dcbda344a21dbae091d7aec6b8bebb10c2ed384c49c7e1727e450f4d77cae057
Opcode Fuzzy Hash: 4b30597857efc8adce7c85519f10cfafcf1fb7456ff965f76498b0145dda93fa
Instruction Fuzzy Hash: F1F0543A104204EBCF016F55EC89E49BB6AFF45320B04C061FE095E256C775A911CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 0076C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006E12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E134D
Part of subcall function 006E12F3: SelectObject.GDI32(?,00000000), ref: 006E135C
Part of subcall function 006E12F3: BeginPath.GDI32(?), ref: 006E1373
Part of subcall function 006E12F3: SelectObject.GDI32(?,00000000), ref: 006E139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0076C030
LineTo.GDI32(00000000,?,?), ref: 0076C03D
EndPath.GDI32(00000000), ref: 0076C04D
StrokePath.GDI32(00000000), ref: 0076C05B

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a858a88ec91ec8ddb8c83e3ddd102506608c7b3daeceefbfb33fde170203cc09
Instruction ID: 971815a60123336eeec931d82889d471d5a6fdd1b48a8bc1f0e701a935dcd7a2
Opcode Fuzzy Hash: a858a88ec91ec8ddb8c83e3ddd102506608c7b3daeceefbfb33fde170203cc09
Instruction Fuzzy Hash: B0F05E35005359BBDB126F55AC09FDE3F59AF06311F188000FA12650E287BD5651DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0073A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0073A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0073A3AC
GetCurrentThreadId.KERNEL32 ref: 0073A3B3
AttachThreadInput.USER32(00000000), ref: 0073A3BA

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d436bba2d5e0a7b7c6360f297c17cc0d90070bcd4f3b1381840b6a9a899c9a5f
Instruction ID: a2c7172a38659afa89d8d48de0014ccd3df18107def77ab6efc93aa452793085
Opcode Fuzzy Hash: d436bba2d5e0a7b7c6360f297c17cc0d90070bcd4f3b1381840b6a9a899c9a5f
Instruction Fuzzy Hash: CAE0ED31545328BAEB205FA2EC0DED77F6CFF167A1F008025F54A95061C6B9C540DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006E2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006E2231
SetTextColor.GDI32(?,000000FF), ref: 006E223B
SetBkMode.GDI32(?,00000001), ref: 006E2250
GetStockObject.GDI32(00000005), ref: 006E2258
GetWindowDC.USER32(?,00000000), ref: 0071C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0071C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0071C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0071C112
GetPixel.GDI32(00000000,?,?), ref: 0071C132
ReleaseDC.USER32(?,00000000), ref: 0071C13D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 86883679c96ecfd47d5d83c4cefe21a3d611be5cad9fc938ff5ce14e3e03080e
Instruction ID: bb7a9046f67312489717bf07869bb5ab15c9033100453f47ba8505f55b9bf55b
Opcode Fuzzy Hash: 86883679c96ecfd47d5d83c4cefe21a3d611be5cad9fc938ff5ce14e3e03080e
Instruction Fuzzy Hash: 13E03932544248EADB265FA8FC097D83B25AB06336F00C366FA6A880E187B54990DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00738C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00738C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0073882E), ref: 00738C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0073882E), ref: 00738C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0073882E), ref: 00738C7E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d30563fbde882cb487bddbc548dba2543f96bf38106fda13847c018f446dbfcb
Instruction ID: b7b69b3b2260f7ea42778e05cde098e142aaa079dc09d62050a55e87179eebd2
Opcode Fuzzy Hash: d30563fbde882cb487bddbc548dba2543f96bf38106fda13847c018f446dbfcb
Instruction Fuzzy Hash: 3EE04F36646311ABE7605FB1BE0CB563BA8AF50792F148868F246D9041DA7884418B65

Uniqueness

Uniqueness Score: -1.00%

Function 00722187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00722187
GetDC.USER32(00000000), ref: 00722191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007221B1
ReleaseDC.USER32(?), ref: 007221D2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cec526395e55c205619b542fd437b62430dce81073da8ca34928f94c1a72ba0e
Instruction ID: 284045e581914bc6be9f764f292735a55f540ed6c067278ac6dd5757dafba8ec
Opcode Fuzzy Hash: cec526395e55c205619b542fd437b62430dce81073da8ca34928f94c1a72ba0e
Instruction Fuzzy Hash: 06E0E5B5800314EFDB419F61E808A9D7BB2FF4C351F10C429F95A97260CBB881429F45

Uniqueness

Uniqueness Score: -1.00%

Function 0072219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0072219B
GetDC.USER32(00000000), ref: 007221A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 007221B1
ReleaseDC.USER32(?), ref: 007221D2

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ce3d9cdf7fcf5e615785858a9d4aa325457f30b7a3f10fc354e1a47baf7a0a7e
Instruction ID: 8cd0fd713180a34e6153f84711b4e1ef7221b4166c4b8b873ee9593fdcab6474
Opcode Fuzzy Hash: ce3d9cdf7fcf5e615785858a9d4aa325457f30b7a3f10fc354e1a47baf7a0a7e
Instruction Fuzzy Hash: 78E0EEB5800304AFCB01AFA1E80869D7BA2FF4C361F10C029F95AA7260CBB891429F48

Uniqueness

Uniqueness Score: -1.00%

Function 006E63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%w, xrefs: 006E63AE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID:
String ID: %w
API String ID: 0-3265503460
Opcode ID: be8678cc891e61760a3ac4172f6ee3d808be75e0701a88cf04071406521f4215
Instruction ID: ee4f98fd64e8b622bd39cbbef873bb72407d61dbe03e77678fba353d2bfb3387
Opcode Fuzzy Hash: be8678cc891e61760a3ac4172f6ee3d808be75e0701a88cf04071406521f4215
Instruction Fuzzy Hash: 56B1F7719023899BCF14DF9AC4859FEB7B6FF24380F10412AF902A7295DB349E86CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0075B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0075B2C3

Strings

xrz, xrefs: 0075B325
xrz, xrefs: 0075B2F9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __itow_s
String ID: xrz$xrz
API String ID: 3653519197-1862833985
Opcode ID: 31c0d7eac00846d659ee1c920db353450b906acb571bef7fb471d9c1d59619dd
Instruction ID: 2b3c0ba903c9eb7bebcc907380ea8a3f54735d15663289e128b251a827c47ef9
Opcode Fuzzy Hash: 31c0d7eac00846d659ee1c920db353450b906acb571bef7fb471d9c1d59619dd
Instruction Fuzzy Hash: E1B18E70A00249AFCB24DF54C880EFAB7B9FF58301F148059FD459B292EB78EA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0074B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006FFEC6: _wcscpy.LIBCMT ref: 006FFEE9

Part of subcall function 006E9997: __itow.LIBCMT ref: 006E99C2
Part of subcall function 006E9997: __swprintf.LIBCMT ref: 006E9A0C

__wcsnicmp.LIBCMT ref: 0074B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0074B361

Strings

LPT, xrefs: 0074B292

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2aabad2c9afbdf62846bee5ccfc0caa2b88ec7854aef84fb3cbdf10393e376a3
Instruction ID: 7a75fb129f65e402d80e0fde914bd9c07c7c7b08f403f4baeae568a3cea25b0b
Opcode Fuzzy Hash: 2aabad2c9afbdf62846bee5ccfc0caa2b88ec7854aef84fb3cbdf10393e376a3
Instruction Fuzzy Hash: 57619275A00215EFCB14DF99C885EAEB7F5EF08310F15806AF946AB291DB74EE40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00728A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00728B1E
_memmove.LIBCMT ref: 00728B78

Strings

Oao, xrefs: 00728BF2, 0072E39A, 0072E3B6

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _memmove
String ID: Oao
API String ID: 4104443479-627848640
Opcode ID: 5ab228cecc162c51cb779f31682f66d63e4276a303d8ded9760ed98357093a48
Instruction ID: cb0b0e58fcf44b27f361556f9045a6b89f14b7e9579dffc072a159daa6f35f29
Opcode Fuzzy Hash: 5ab228cecc162c51cb779f31682f66d63e4276a303d8ded9760ed98357093a48
Instruction Fuzzy Hash: AA517FB0A01619DFCF64CF68D880AAEBBF1FF44304F24852AE85AD7340EB35A955CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006F2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006F2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 006F2AE1

Strings

@, xrefs: 006F2AD5

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cecef390a8ee8218d61eeee357c277f6635bdfbf5367cc401cba84cb7d64bbf8
Instruction ID: 5d065d38ba1347a39d6d26b918b3555057bb394bd039fd9ec895eb521dfe5afc
Opcode Fuzzy Hash: cecef390a8ee8218d61eeee357c277f6635bdfbf5367cc401cba84cb7d64bbf8
Instruction Fuzzy Hash: E551AFB14197859BD360AF15DC85BAFBBF8FF84310F82885DF1D9411A1DB708929CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 007499BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006E506B: __fread_nolock.LIBCMT ref: 006E5089

_wcscmp.LIBCMT ref: 00749AAE
_wcscmp.LIBCMT ref: 00749AC1

Strings

FILE, xrefs: 007499FA

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 27f8ef8b19544c95cffec1d390192f5a43d1ca4a1d38b67e45b4f6efae42fd6b
Instruction ID: 974467aba3540086db1e0840995531ce8394fb63fe6f64b23a29c18fb9be9ab9
Opcode Fuzzy Hash: 27f8ef8b19544c95cffec1d390192f5a43d1ca4a1d38b67e45b4f6efae42fd6b
Instruction Fuzzy Hash: 6741F8B1A00749BADF209EA1DC45FEFB7BEDF45714F000069BA01A7181D7799A04C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0072099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 007209A9

Strings

Dtz, xrefs: 006EA477
Dtz, xrefs: 006EA2B1

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClearVariant
String ID: Dtz$Dtz
API String ID: 1473721057-2914582536
Opcode ID: b5640bb1ab035356ef44581dbe2d5a960c7abd3482a22f5ece17c89e0a196b84
Instruction ID: e68bc419a3cbb4d36b5cc3540b23ff9da58ceda63eea34286de791b20ab0ea49
Opcode Fuzzy Hash: b5640bb1ab035356ef44581dbe2d5a960c7abd3482a22f5ece17c89e0a196b84
Instruction Fuzzy Hash: CA51F4B8609381CFC754CF5AC480A5ABBF2BF99344F54895CE9858B361D335EC81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00752882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00752892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007528C8

Strings

|, xrefs: 00752899

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: ff55ac2e6fa342c789a2ea03c2b095ff14ba582baaf9b842e221426fc378ae51
Instruction ID: 241786b58182cbe785ab672ccbcf278302282e7420c1be2b6e3a9371ba9eabd6
Opcode Fuzzy Hash: ff55ac2e6fa342c789a2ea03c2b095ff14ba582baaf9b842e221426fc378ae51
Instruction Fuzzy Hash: C7314C71801219AFDF41EFA1CC85EEEBFB9FF19300F104029F815A6266DB355A16DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00766CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00766D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00766DC2

Strings

static, xrefs: 00766D22

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f6d52ad1d639ee0aeed9c1c37151d630b4f22237bc17ff4e654e3b60f2fc44e6
Instruction ID: ad82339b1822e06abc97b6dbc940aff49f695badcad49720a6e0d0ec8826cca0
Opcode Fuzzy Hash: f6d52ad1d639ee0aeed9c1c37151d630b4f22237bc17ff4e654e3b60f2fc44e6
Instruction Fuzzy Hash: 93319C71200604AADB109F68CC80AFB73A9FF48720F50962DFCA6C7190DB39AC91DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00742D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00742E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00742E3B

Strings

0, xrefs: 00742DF9

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a3b42e8b0373011e63cd6bd832a8d90d85c538bccaa8455d3cd3bc6296e5e927
Instruction ID: d21c7a148631ee3ed2216fb072b96c9fe0eaaae2a923193ed5e5dfbdf307f294
Opcode Fuzzy Hash: a3b42e8b0373011e63cd6bd832a8d90d85c538bccaa8455d3cd3bc6296e5e927
Instruction Fuzzy Hash: AA313631A00315EBEB248F48C84CBAEBBF9FF05300F64402AF981D71A2E7789952CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00766943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007669D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007669DB

Strings

Combobox, xrefs: 0076699D

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6184a158e57f9e0610aa3c202951cab8e2d8c6d7540b1a2035d0834ed930e59e
Instruction ID: 2b59e957553c2c36bd10dd1cb63c58046922467729d2d07675ae2e0cfb64c4d5
Opcode Fuzzy Hash: 6184a158e57f9e0610aa3c202951cab8e2d8c6d7540b1a2035d0834ed930e59e
Instruction Fuzzy Hash: 3F1108713003087FEF118F24DC80EBB376AEB853A4F504128FD5997290D679AC5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00766E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006E1D73
Part of subcall function 006E1D35: GetStockObject.GDI32(00000011), ref: 006E1D87
Part of subcall function 006E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006E1D91

GetWindowRect.USER32(00000000,?), ref: 00766EE0
GetSysColor.USER32(00000012), ref: 00766EFA

Strings

static, xrefs: 00766EBD

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b169a1e89fe6749595324f389879aeaf0e7be8a44f36a8e7f693a27ef821f8a3
Instruction ID: 2cd5e2515239fc2451420de7e0c45cb04ca781f78fccd6757ceae28b8cb3d5db
Opcode Fuzzy Hash: b169a1e89fe6749595324f389879aeaf0e7be8a44f36a8e7f693a27ef821f8a3
Instruction Fuzzy Hash: B521377261020AAFDB04DFA8DD45AFA7BB8FB08314F044629FD56D3250E779E861DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00766B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00766C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00766C20

Strings

edit, xrefs: 00766BF5

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dcf62f66b0a28f2721b84529e0a724bc675075d049ac19948bbc0179372ee4b9
Instruction ID: 0df5913e9db1088f877268859bd0f6792eace3055c6ba493f04cc11bf9d80bd9
Opcode Fuzzy Hash: dcf62f66b0a28f2721b84529e0a724bc675075d049ac19948bbc0179372ee4b9
Instruction Fuzzy Hash: 5211BCB1100208ABEB108F64DC45AEB376AEB05378FA04724FD66D71E0C779EC91AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00742E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00742F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00742F30

Strings

0, xrefs: 00742F07

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f6827498a0519e376ce6a5aa3407672da62831f95e44371682c0b270ff6a120e
Instruction ID: d20cc1311fe4143f6c7ffd3cfcc774687789662c6031e27000321e0cecac3546
Opcode Fuzzy Hash: f6827498a0519e376ce6a5aa3407672da62831f95e44371682c0b270ff6a120e
Instruction Fuzzy Hash: ED110831901124ABCB20DB98DC08F9977B9EB11310F8841B1F855A72A2DBB8ED1AC795

Uniqueness

Uniqueness Score: -1.00%

Function 007524CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00752520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00752549

Strings

<local>, xrefs: 00752511

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8219c2ed298b05a4c3c285b20d31197ac26b6ef29df1fabfbb1bd859196fa834
Instruction ID: 6b2f70f7b7f9faf37b40252d6d27369ff7f33d4e69a42d3a1cd57a6691043df2
Opcode Fuzzy Hash: 8219c2ed298b05a4c3c285b20d31197ac26b6ef29df1fabfbb1bd859196fa834
Instruction Fuzzy Hash: 0E11E370601225BADB248F518C94EFBFF68FB07352F10816AFD4542041E2B8595AD6E0

Uniqueness

Uniqueness Score: -1.00%

Function 007580A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0075830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007580C8,?,00000000,?,?), ref: 00758322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007580CB
htons.WSOCK32(00000000,?,00000000), ref: 00758108

Strings

255.255.255.255, xrefs: 007580E3

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 5c4fd8411606e36ab539bc6cf3a9620a571bdcd5c8828bf303013c118799290d
Instruction ID: d36aeafde41fcf8e0b2958e595dd223c4cf52ada31105749c09c169735e24f5b
Opcode Fuzzy Hash: 5c4fd8411606e36ab539bc6cf3a9620a571bdcd5c8828bf303013c118799290d
Instruction Fuzzy Hash: F911A574600309ABDB10AF64DC86FFDB374FF04321F10852AED16A72D1DAB6A819C796

Uniqueness

Uniqueness Score: -1.00%

Function 006F0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006E3C26,007A62F8,?,?,?), ref: 006F0ACE

Part of subcall function 006E7D2C: _memmove.LIBCMT ref: 006E7D66

_wcscat.LIBCMT ref: 007250E1

Strings

cz, xrefs: 006F0B0E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cz
API String ID: 257928180-439432410
Opcode ID: e39ca0e396ee6d664fb2d814cd38bf30ec5a933b6cb1b6cddd80e7f68efb6cf2
Instruction ID: fff097f1e6e33f44b2ed1ff1ee09bca5980b8aa1bb264de89c3d4fcebb2d5b75
Opcode Fuzzy Hash: e39ca0e396ee6d664fb2d814cd38bf30ec5a933b6cb1b6cddd80e7f68efb6cf2
Instruction Fuzzy Hash: 5311A57590520CDA8B51EBA4DD01EED73FAEF08340B0041A5FA49D7292EA74DB898B15

Uniqueness

Uniqueness Score: -1.00%

Function 007392E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 0073B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0073B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00739355

Strings

ListBox, xrefs: 0073931F
ComboBox, xrefs: 007392F4

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3e70764393cda63c50a8459dbafad2db44202c7fc2bc10a990d6187d177ba91e
Instruction ID: dd80b2ce4970b799e43c8268f08a2884299a2c62e35e2783e4485b01e4ddcde7
Opcode Fuzzy Hash: 3e70764393cda63c50a8459dbafad2db44202c7fc2bc10a990d6187d177ba91e
Instruction Fuzzy Hash: D201F5B1A05314ABEB04EB68CC918FE7369FF06320F10061DFA73572D2DB7959088650

Uniqueness

Uniqueness Score: -1.00%

Function 007391DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 0073B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0073B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0073924D

Strings

ListBox, xrefs: 00739217
ComboBox, xrefs: 007391EC

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 119fb3e96879823e8623519ebe1f00018b6341a145b175fcbb40062ca04be349
Instruction ID: ad4bd359c6a34eba25e3afcbcfbd8ea088c15f8cd53f8421cd11562f07baa222
Opcode Fuzzy Hash: 119fb3e96879823e8623519ebe1f00018b6341a145b175fcbb40062ca04be349
Instruction Fuzzy Hash: 3E0184B1A41204BBEB08EBA4C996DFF73A9AF45300F14002DBA13672D2EA595F1C9675

Uniqueness

Uniqueness Score: -1.00%

Function 00739264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E7F41: _memmove.LIBCMT ref: 006E7F82

Part of subcall function 0073B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0073B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 007392D0

Strings

ListBox, xrefs: 0073929C
ComboBox, xrefs: 00739271

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3920619611bdbc5006f6a20176dd843a71d8a966e94e4a6950ace557cc64e3dd
Instruction ID: 79a043c59e0a46c34927d9910d700e0c37c0d00f954b8eb10f45a10eeaa67e56
Opcode Fuzzy Hash: 3920619611bdbc5006f6a20176dd843a71d8a966e94e4a6950ace557cc64e3dd
Instruction Fuzzy Hash: 8C01A772A41204B7EF04E6A4C982DFF77ADAF15300F140119BA52672C2DA595F189675

Uniqueness

Uniqueness Score: -1.00%

Function 00706DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00706DD0
__calloc_crt.LIBCMT ref: 00706DE9

Strings

@Rz, xrefs: 00706E00

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: __calloc_crt
String ID: @Rz
API String ID: 3494438863-3079074598
Opcode ID: 99080af9d80229e0048d8f4915e4ca46560f3b70fdf0de455582d7e80e62fd26
Instruction ID: 2adab1175d1b7b9311a70477af92c691933da6b692f6aea346bd25f6a26edae9
Opcode Fuzzy Hash: 99080af9d80229e0048d8f4915e4ca46560f3b70fdf0de455582d7e80e62fd26
Instruction Fuzzy Hash: 12F062B1708717DBFB24DF18FD297A127D5FB82730B148636E105CA2D0EB3C88918699

Uniqueness

Uniqueness Score: -1.00%

Function 007451CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007451E8
_wcscmp.LIBCMT ref: 007451FA

Strings

#32770, xrefs: 007451F4

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 6b8afb975f6d7172c1b58d058f734d80bd7b8a6815053a306833a8e4fe5e5e23
Instruction ID: 64f2feb55611e33de28d49f86e02a641e6216ff80e4c6c6cc6024798e40fb2a8
Opcode Fuzzy Hash: 6b8afb975f6d7172c1b58d058f734d80bd7b8a6815053a306833a8e4fe5e5e23
Instruction Fuzzy Hash: E2E0617290432C67D710A795AC49F97F7ECFB41731F000157FD10D3040D564990487E0

Uniqueness

Uniqueness Score: -1.00%

Function 007381BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007381CA

Part of subcall function 00703598: _doexit.LIBCMT ref: 007035A2

Strings

Error allocating memory., xrefs: 007381C3
AutoIt, xrefs: 007381BE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: ac125085a81e5018d0e1e8d83db2cf7dfb3aefd680ba24c731d5f1b5a0a7a14a
Instruction ID: 1f77cce53ee4592786b1598de8ab83d1f2e832f1589f7f95bd3859f1f7b980d0
Opcode Fuzzy Hash: ac125085a81e5018d0e1e8d83db2cf7dfb3aefd680ba24c731d5f1b5a0a7a14a
Instruction Fuzzy Hash: D0D02B323C5358B2E61133F97C0BFC635884B05B51F00402AFB48550E38DDD449142ED

Uniqueness

Uniqueness Score: -1.00%

Function 0071B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0071B564: _memset.LIBCMT ref: 0071B571

Part of subcall function 00700B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0071B540,?,?,?,006E100A), ref: 00700B89

IsDebuggerPresent.KERNEL32(?,?,?,006E100A), ref: 0071B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006E100A), ref: 0071B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0071B54E

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 0b1a5d4a85661c9bc32b7eb04bc409e2d895ddc987707cee54b5675c5c369459
Instruction ID: 75c66c61355edbd468bc3ae7d3c27653583d1665806d24c848f70d65cf0a861e
Opcode Fuzzy Hash: 0b1a5d4a85661c9bc32b7eb04bc409e2d895ddc987707cee54b5675c5c369459
Instruction Fuzzy Hash: B8E06DB0200351CFD320EF29E8083827BE1AB04715F04892CE446C2691E7BCD484CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00765BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00765BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00765C08

Part of subcall function 007454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0074555E

Strings

Shell_TrayWnd, xrefs: 00765BEE

Memory Dump Source

Source File: 00000000.00000002.1667287704.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1667264461.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667363761.0000000000795000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667421238.000000000079F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667442639.00000000007B8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_ABT-57809267-57236090890_____________________________________.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: abf9fb4f82506e8b22ed890b04656c33910a609a8d7a49486b8046de28d9b6e4
Instruction ID: 40d59f031f735b1b11119f9136bef31d67e8723b48d6ff41a30818b74ff27982
Opcode Fuzzy Hash: abf9fb4f82506e8b22ed890b04656c33910a609a8d7a49486b8046de28d9b6e4
Instruction Fuzzy Hash: DAD0C931388311B7E764AB70BC0FF976A24AB40B51F004825F646AA1D1D9E85800C658

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ABT-57809267-57236090890_____________________________________.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut8218.tmp

C:\Users\user\AppData\Local\Temp\aut8276.tmp

C:\Users\user\AppData\Local\Temp\caulds

C:\Users\user\AppData\Local\Temp\drawlingly

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
ABT-57809267-57236090890_____________________________________.exe

Function 006E3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006E4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 006E4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 007493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 006E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Function 006E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 006E71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 006E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 006E3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 006E3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 006EF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 006E39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 006E410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 0070564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Function 006E69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre