Edit tour

Windows Analysis Report
RFQ-HL51L05.exe

Overview

General Information

Sample name:	RFQ-HL51L05.exe
Analysis ID:	1430806
MD5:	29f5c71635b9edb6929e77b5f5462136
SHA1:	6daa3b1f5cc828e4ab95d2ebb48e11d9e7791cf0
SHA256:	89d7f5ebd276fd6f53eacfef8377c6756a4da4c964da2bb51e059d5f04001b2c
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RFQ-HL51L05.exe (PID: 1968 cmdline: "C:\Users\user\Desktop\RFQ-HL51L05.exe" MD5: 29F5C71635B9EDB6929E77B5F5462136)

RegSvcs.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\RFQ-HL51L05.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cmcapama.top", "Username": "bangalee@cmcapama.top", "Password": "EVEitDp@^lu~                    "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3210387790.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33737:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RFQ-HL51L05.exe PID: 1968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ-HL51L05.exe PID: 1968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 1988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1988	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RFQ-HL51L05.exe.ed0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ-HL51L05.exe.ed0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RFQ-HL51L05.exe.ed0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3185b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31937:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33737:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33737:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 194.36.191.196, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1988, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cmcapama.top", "Username": "bangalee@cmcapama.top", "Password": "EVEitDp@^lu~ "}

Multi AV Scanner detection for submitted file

Source: RFQ-HL51L05.exe	ReversingLabs: Detection: 47%
Source: RFQ-HL51L05.exe	Virustotal: Detection: 29%			Perma Link

Machine Learning detection for sample

Source: RFQ-HL51L05.exe

Joe Sandbox ML: detected

Source: RFQ-HL51L05.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: RFQ-HL51L05.exe, 00000000.00000003.1977085404.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.1977994007.0000000003940000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ-HL51L05.exe, 00000000.00000003.1977085404.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.1977994007.0000000003940000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00474696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00474696
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047C93C FindFirstFileW,FindClose,	0_2_0047C93C
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0047C9C7
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047F200
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047F35D
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0047F65E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00473A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00473A2B
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00473D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00473D4E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0047BF27

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 194.36.191.196:587

Source: Joe Sandbox View

IP Address: 194.36.191.196 194.36.191.196

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 194.36.191.196:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_004825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004825E2

Source: unknown

DNS traffic detected: queries for: mail.cmcapama.top

Source: RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cmcapama.top
Source: RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.cmcapama.top
Source: RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.
Source: RegSvcs.exe, 00000002.00000002.3209862719.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3209862719.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.000000000609E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.000000000609E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ-HL51L05.exe, 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, cPKWk.cs

.Net Code: aQrPdLx

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0048425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0048425A

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00484458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00484458

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

0_2_0048425A

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00470219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00470219

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0049CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0049CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.RFQ-HL51L05.exe.ed0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00413B4C
Source: RFQ-HL51L05.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ-HL51L05.exe, 00000000.00000000.1967305315.00000000004C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_08102c8b-f
Source: RFQ-HL51L05.exe, 00000000.00000000.1967305315.00000000004C5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_df8ee515-f
Source: RFQ-HL51L05.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2e80412a-5
Source: RFQ-HL51L05.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_482be466-3

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ-HL51L05.exe

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00474021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00474021

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00468858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00468858

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0047545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0047545F

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0041E800	0_2_0041E800
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043DBB5	0_2_0043DBB5
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0049804A	0_2_0049804A
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0041E060	0_2_0041E060
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00424140	0_2_00424140
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00432405	0_2_00432405
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00446522	0_2_00446522
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00490665	0_2_00490665
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0044267E	0_2_0044267E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00426843	0_2_00426843
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043283A	0_2_0043283A
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_004489DF	0_2_004489DF
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00428A0E	0_2_00428A0E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00490AE2	0_2_00490AE2
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00446A94	0_2_00446A94
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0046EB07	0_2_0046EB07
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00478B13	0_2_00478B13
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043CD61	0_2_0043CD61
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00447006	0_2_00447006
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0042710E	0_2_0042710E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00423190	0_2_00423190
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00411287	0_2_00411287
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_004333C7	0_2_004333C7
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043F419	0_2_0043F419
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_004316C4	0_2_004316C4
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00425680	0_2_00425680
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_004258C0	0_2_004258C0
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_004378D3	0_2_004378D3
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00431BB8	0_2_00431BB8
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00449D05	0_2_00449D05
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0041FE40	0_2_0041FE40
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00431FD0	0_2_00431FD0
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043BFE6	0_2_0043BFE6
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EB3660	0_2_00EB3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A34A98	2_2_02A34A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A39B30	2_2_02A39B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A33E80	2_2_02A33E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A3CE68	2_2_02A3CE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A341C8	2_2_02A341C8

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: String function: 00438B40 appears 42 times
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: String function: 00417F41 appears 35 times
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: String function: 00430D27 appears 70 times

Source: RFQ-HL51L05.exe, 00000000.00000003.1976310140.00000000038C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-HL51L05.exe
Source: RFQ-HL51L05.exe, 00000000.00000003.1976827525.0000000003A6D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-HL51L05.exe
Source: RFQ-HL51L05.exe, 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2476821b-522d-4413-ae7d-3517dfb022e4.exe4 vs RFQ-HL51L05.exe

Source: RFQ-HL51L05.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.RFQ-HL51L05.exe.ed0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0047A2D5 GetLastError,FormatMessageW,

0_2_0047A2D5

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00468713 AdjustTokenPrivileges,CloseHandle,		0_2_00468713
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00468CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00468CC3

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0047B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0047B59E

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0048F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0048F121

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0047C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047C602

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00414FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00414FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

File created: C:\Users\user\AppData\Local\Temp\aut31DC.tmp

Jump to behavior

Source: RFQ-HL51L05.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ-HL51L05.exe	ReversingLabs: Detection: 47%
Source: RFQ-HL51L05.exe	Virustotal: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ-HL51L05.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: RFQ-HL51L05.exe

Static file information: File size 1113600 > 1048576

Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RFQ-HL51L05.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: RFQ-HL51L05.exe, 00000000.00000003.1977085404.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.1977994007.0000000003940000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ-HL51L05.exe, 00000000.00000003.1977085404.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.1977994007.0000000003940000.00000004.00001000.00020000.00000000.sdmp

Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0048C304 LoadLibraryA,GetProcAddress,

0_2_0048C304

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00438B85 push ecx; ret	0_2_00438B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A30698 push eax; ret	2_2_02A30712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A30698 push eax; ret	2_2_02A30722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A306C8 push eax; ret	2_2_02A306F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A306C8 push eax; ret	2_2_02A30702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A30728 push eax; ret	2_2_02A30732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A30708 push eax; ret	2_2_02A30712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A30718 push eax; ret	2_2_02A30722

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00414A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00414A35
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_004955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004955FD

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_004333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004333C7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1372			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8148			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-98986

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

API coverage: 5.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00474696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00474696
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047C93C FindFirstFileW,FindClose,	0_2_0047C93C
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0047C9C7
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047F200
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0047F35D
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0047F65E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00473A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00473A2B
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00473D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00473D4E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0047BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0047BF27

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00414AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00414AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96915	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95045	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94936	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	API call chain: ExitProcess graph end node			graph_0-98344
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	API call chain: ExitProcess graph end node			graph_0-97915

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_004841FD BlockInput,

0_2_004841FD

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00413B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00413B4C

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00445CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00445CCC

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0048C304 LoadLibraryA,GetProcAddress,

0_2_0048C304

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EB34F0 mov eax, dword ptr fs:[00000030h]	0_2_00EB34F0
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EB3550 mov eax, dword ptr fs:[00000030h]	0_2_00EB3550
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EB1ED0 mov eax, dword ptr fs:[00000030h]	0_2_00EB1ED0

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_004681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_004681F7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043A364 SetUnhandledExceptionFilter,		0_2_0043A364
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_0043A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0043A395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BC4008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00468C93 LogonUserW,

0_2_00468C93

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00413B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00413B4C

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00414A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00414A35

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00474EC9 mouse_event,

0_2_00474EC9

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

0_2_004681F7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00474C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00474C03

Source: RFQ-HL51L05.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RFQ-HL51L05.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0043886B cpuid

0_2_0043886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_004450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004450D7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00452230 GetUserNameW,

0_2_00452230

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_0044418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0044418A

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00414AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00414AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ-HL51L05.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1988, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: RFQ-HL51L05.exe	Binary or memory string: WIN_81
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_XP
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_XPe
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_VISTA
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_7
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_8
Source: RFQ-HL51L05.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ-HL51L05.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1988, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ-HL51L05.exe PID: 1968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1988, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00486596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00486596
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00486A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00486A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ-HL51L05.exe	47%	ReversingLabs	Win32.Trojan.Strab
RFQ-HL51L05.exe	30%	Virustotal		Browse
RFQ-HL51L05.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://cmcapama.top	0%	Avira URL Cloud	safe
http://mail.cmcapama.top	0%	Avira URL Cloud	safe
http://r3.i.lencr.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cmcapama.top	194.36.191.196	true	false		unknown
mail.cmcapama.top	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegSvcs.exe, 00000002.00000002.3209862719.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.i.lencr.	RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	RFQ-HL51L05.exe, 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://mail.cmcapama.top	RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.000000000609E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.000000000609E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cmcapama.top	RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3209862719.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3211824610.0000000006080000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.36.191.196	cmcapama.top	Netherlands		60117	HSAE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430806
Start date and time:	2024-04-24 08:06:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ-HL51L05.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 267
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 1988 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:06:53	API Interceptor	47x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.36.191.196	http://store.avast.com/store?SiteID=avast&Action=DisplayRedirectCustomPage&Locale=en_US&v=1&t=event&tid=UA-58120669-65&cid=725399894.1568213989&ec=Emailing_Digital%20River&aip=1&cm10=1&ds=Avast&ul=en_US&cs=Digital%20River&cm=email&cd2=Paid&cd3=725399894.1568213989&cd4=Business&cd5=BMG-00-001-36-AR&cd7=13306019910&cd6=22895593139&cd8=0&cd9=4871168000&cd10=USD&cd11=44&cd12=1659005853297&ea=Click&el=http://0gjysc.wildlifewalkabout.com/am9lbC5uYXNzaWZAYXJuLmFl	Get hash	malicious	Unknown	Browse	0gjysc.wildlifewalkabout.com/am9lbC5uYXNzaWZAYXJuLmFl
	#U6025-146102220896 BSIU2505935-Remitance Advise.xlsx	Get hash	malicious	FormBook	Browse	www.firstflightmdelivery.services/inug/?LJBd06wP=my5vzthd/gf6h+YfXGHF51EmCUBukXLQvdzfbkPp7mscRjHMsb7qcEfg2/kZIm7kG7WZ0g==&-ZcxnF=8p74g4BxA
	jun.exe	Get hash	malicious	AZORult	Browse	squerad.com/cgi-sys/suspendedpage.cgi
	Player offer.exe	Get hash	malicious	AZORult	Browse	squerad.com/frank/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HSAE	Order Enquiry MX-M754N_20240207_114441.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	PDT_7367027738832_789257820__________________________.exe	Get hash	malicious	AgentTesla	Browse	185.244.151.84
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.1274.17126.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	WZM.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	z1RFQ20838_CMC_RITM50736681.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	https://doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/downloadsdownloadfile/dwnl_standart.php	Get hash	malicious	LummaC, PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	194.36.191.196
	BOQ- AE20003 0084 20240408 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	a9wJzPSyH4.exe	Get hash	malicious	AgentTesla	Browse	185.198.59.26
	4938730).vbs	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	194.36.191.196

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.660693222436368
Encrypted:	false
SSDEEP:	3072:DeCaV6bu4YUxeGu7DJ79KB1UNeY4cJqb4KbKOHdzRXSIsM70z5uEZsXDtSgimhtY:DMOXUNecpSLzXDxiP0g3iqPa0QjmZ28
MD5:	E99C13147F3DA74CBF86D1F3F71B2E42
SHA1:	EBD79632E32FF217617A2056F48911316ADE27B7
SHA-256:	C196A46EE90EF8AD533E8E39E5BD52C411E834E3DC3EF3D643494BF8671066A3
SHA-512:	AF661F6679A4B47843BE37C086ADADBFA579A370BBA0D233B4CFC7DED8EBF204065A5F589671EF2D3A45BECE3C24CC8FBDBFF2E11DFD274F8D6EA3D32E4699D6
Malicious:	false
Reputation:	low
Preview:	.c.K71T9T9BC..90.0DVISZ9rK41T9P9BCX290X0DVISZ92K41T9P9BCX290.0DVGL.72.=.u.Qu.b.ZPCx@69.!;T.(U_:V$. &x@L^xYv...._$PTz4]3fCX290X0..IS.81K..u_P9BCX290.0FWBRQ92.71T1P9BCX2'.[0DvISZ.1K41.9P.BCX090\0DVISZ96K41T9P9BC\292X0DVISX9r.41D9P)BCX2)0X DVISZ9"K41T9P9BCX2..[0.VISZ.1Kr4T9P9BCX290X0DVISZ92.71X9P9BCX290X0DVISZ92K41T9P9BCX290X0DVISZ92K41T9P9BCX29.X0LVISZ92K41T9X.BC.290X0DVISZ9.?QI 9P9f.[29.X0D.JSZ;2K41T9P9BCX290x0D6g!)KQK41.<P9B.[296X0D.JSZ92K41T9P9BC.29pvB!:&0Z9>K41T.S9BAX29.[0DVISZ92K41T9.9B.X290X0DVISZ92K41T.S9BCX2q0X0FVLS..0K..U9S9BCY296X0DVISZ92K41T9P9BCX290X0DVISZ92K41T9P9BCX290X0DVT.....\|..Dn3 D...W.3..Z..@..;pA.+-..t4....n&\.{K.>d...K...E.8A/H.....Q_H^Q.4w=X.E....n{Mr..7:....&..^^............6$g...F.;_)x(#UWegP2X"P.A.390X0........]I.c}:M]l Af..}A"o....9P9&CX2K0X0%VIS.92K[1T9>9BC&290&0DV.SZ9rK41c9P9gCX2T0X0`VIS$92K.L[6..+..0X0DV\|....&...f.....H.&k&n...]...kQj.6./quw..J.8..%._7ww.>CE\7;7\3HkG....j65P<R>F@T.7{..w.u.....%....9.N90X0DV.SZ.2K4..9.9BC.2.0.DVI.9.K.1..9

C:\Users\user\AppData\Local\Temp\aut31DC.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	data
Category:	dropped
Size (bytes):	151494
Entropy (8bit):	7.910924059043152
Encrypted:	false
SSDEEP:	3072:RLvpMtAZ1Sm4bLWKvHXSJe6v9tWPG1GfuXvltVobXD8ACFYmlzng:9vpZbrsHCJPs2GctSbDg1zg
MD5:	017E03C2B3B3AE7A268A8F4E1AB0162E
SHA1:	9B3E106F742386A5AA2BBB82685A3E8FF3A4AD6F
SHA-256:	2AB126820B66A477313141E66890946B740A9D5EA035B4928618D1CDB9E4BEA6
SHA-512:	E2C37370A7ADDD33DFA9CEB9A787A65777EFF5BAD0ADFC42C0FDE15B4C1D32D6D3A13D12025739B15F46FE85E39ACDC9B4630991F35D60BA923BD954AF9812D3
Malicious:	false
Reputation:	low
Preview:	EA06.......T...9.NhT=?6s0.L(.jMN.9.R...@.X.L.3....f@...`.X..<.y..{...j7\}..Z.P.....]!.."R..~uV.Fd.k...^.VeWhlr.....K..3..,f)....../].....5..Q...Fs2..M...lI........~f ..RsP........5.....)........4..'5.H..).V$.....cw...."u`..\..._6.o1...~@..DB.0...v..`D..;...i2.......TO..Z..,\|7...mg..iu..b%<..0`......R......sp.P.3.4.9...=...A.B3.....!9.@@,>L5L......j.2...L)}..Vr.,.@.......UO.....!..%.g .ab...fg..V...r.;.Pz..o;M..M>=nvKcn.W6W._.}d...6.....g..}#c...yp.~.^..f.y.c.E.r._.u.r.`f.....I..j.z)...~.H.Gm..F&.K<kq.u.3....(...{-..2.H.....f.4.t.......i1...uM..$..7.A...h2+~g...J.1.0.1K.,$...t.p..n....L..I.7.x..l`............H.Xm..{...J.`......w.m.K.f.C..,....Z.....].@<.....6.ce....C.u7...JK.....xD..E.M.sz..k..4..5.m5.OS.5.........uu..a\|.~.K....3.m8...j.kr..lz..x...nf........vT.\...Nb...B.U.Q%wi..SV.Oj1...i.L.U...vU...<.......!..Q.4.'S.Oy..$.;....e.aX.[....i..&..]J....'.J.ba@.Xh....6......af.<$.Z%Z.y.N.3.....N.3...s4.^..:MN...R..\.]8.ok1..b.0.W- ...)"..@..

C:\Users\user\AppData\Local\Temp\aut323A.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	data
Category:	dropped
Size (bytes):	9900
Entropy (8bit):	7.583246356690002
Encrypted:	false
SSDEEP:	192:C+cK50L02Jtyl2ftvwmziMVC6baopzBvq5tFfGMJFEGmf6taY68p:h750LRJtyl2ftLCghBmrGMJFEGm8aYHp
MD5:	10F11DD53E3089535AFEC549262C6C16
SHA1:	813096629A4DE999E662C8BA3D26FD9FAC83BBBA
SHA-256:	283D47877068C26F615EF22615C3C280CA0CEEF95132284E8A14278D97ACE825
SHA-512:	5B76A823A79FBEC446E43BA10903D5473439DCA5B2830E8AA3E972018FEBD4B70B5FBDF02BBA04C50843693EAD4130CE94B57BFD55D7D7AB5484F026AABBB9F7
Malicious:	false
Reputation:	low
Preview:	EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\ophiolatrous

Download File

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	ASCII text, with very long lines (28720), with no line terminators
Category:	dropped
Size (bytes):	28720
Entropy (8bit):	3.5968659039837596
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6S:wiTZ+2QoioGRk6ZklputwjpjBkCiw2R1
MD5:	5D53AEE01A558F1047803F8AD43CE740
SHA1:	7FDEA9AB5F03631557B731629F8DAA5C56F1889F
SHA-256:	E27A40A74A9F888434FCB0E56E6AB051E7F1486771AB7CCFC6AEA4A5967A72E2
SHA-512:	67E4871607F806CA543FB985C9BF050E1DEEE99CBD2F26F401654DEE56620C6AEEF39212A26DCB363CD87C0F9BD6D53FE82642954E2D1E824DB183DF899A71E9
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.958112069962754
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ-HL51L05.exe
File size:	1'113'600 bytes
MD5:	29f5c71635b9edb6929e77b5f5462136
SHA1:	6daa3b1f5cc828e4ab95d2ebb48e11d9e7791cf0
SHA256:	89d7f5ebd276fd6f53eacfef8377c6756a4da4c964da2bb51e059d5f04001b2c
SHA512:	1f82360b411e0599144a3c8e91b6ed0fee66ff87f1e72133f067cdae7057e504b5f491b8f465a84b188a399fbc4d90835235034680f31534808f36b4f2026f10
SSDEEP:	24576:OAHnh+eWsN3skA4RV1Hom2KXMmHaAe5iwefqWkVri5:5h+ZkldoPK8YaAeghirM
TLSH:	95359D3263918336FFAB9D73DB5DB20D56BC6D250123851FD29C2FB9A9F01B1122D262
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6627F6C2 [Tue Apr 23 17:58:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F7684ED53EDh
jmp 00007F7684EC81A4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7684EC832Ah
cmp edi, eax
jc 00007F7684EC868Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F7684EC8329h
rep movsb
jmp 00007F7684EC863Ch
cmp ecx, 00000080h
jc 00007F7684EC84F4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7684EC8330h
bt dword ptr [004BF324h], 01h
jc 00007F7684EC8800h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F7684EC84CDh
test edi, 00000003h
jne 00007F7684EC84DEh
test esi, 00000003h
jne 00007F7684EC84BDh
bt edi, 02h
jnc 00007F7684EC832Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7684EC8333h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7684EC8385h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x457c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10e000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x457c8	0x45800	f68711be26087aa632a3f98c6d10a5d4	False	0.7457951607464028	data	7.2937453328054485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10e000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.046891636105524666
RT_MENU	0xd8ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd95dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd9c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xda0f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda6f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdad50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdb1b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdb310	0x31f6c	data			1.0003469303989212
RT_GROUP_ICON	0x10d27c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10d290	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10d2a4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10d2b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10d2cc	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x10d3d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 08:06:55.005862951 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:55.306087017 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:55.307902098 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:55.765438080 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:55.766591072 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:56.071240902 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:56.071405888 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:56.381283998 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:56.389251947 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:56.704981089 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:56.705046892 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:56.705085993 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:56.705101013 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:56.745264053 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:57.047166109 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:57.070507050 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:57.371133089 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:57.372333050 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:57.673275948 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:57.674911022 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:57.993634939 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:57.993973970 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:58.296097994 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:58.296514988 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:58.605225086 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:58.605614901 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:58.907006979 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:58.907809019 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:58.907809019 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:58.907809019 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:58.907809019 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:06:59.208383083 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:59.208441973 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:59.208841085 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:59.208971024 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:59.244659901 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:06:59.290471077 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:08:34.748800993 CEST	49704	587	192.168.2.5	194.36.191.196
Apr 24, 2024 08:08:35.055345058 CEST	587	49704	194.36.191.196	192.168.2.5
Apr 24, 2024 08:08:35.059065104 CEST	49704	587	192.168.2.5	194.36.191.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 08:06:54.152251005 CEST	49976	53	192.168.2.5	1.1.1.1
Apr 24, 2024 08:06:54.996748924 CEST	53	49976	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 08:06:54.152251005 CEST	192.168.2.5	1.1.1.1	0xfa2	Standard query (0)	mail.cmcapama.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 08:06:54.996748924 CEST	1.1.1.1	192.168.2.5	0xfa2	No error (0)	mail.cmcapama.top	cmcapama.top		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 08:06:54.996748924 CEST	1.1.1.1	192.168.2.5	0xfa2	No error (0)	cmcapama.top		194.36.191.196	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 08:06:55.765438080 CEST	587	49704	194.36.191.196	192.168.2.5	220-hosting1.nl.hostsailor.com ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 08:06:55 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 24, 2024 08:06:55.766591072 CEST	49704	587	192.168.2.5	194.36.191.196	EHLO 585948
Apr 24, 2024 08:06:56.071240902 CEST	587	49704	194.36.191.196	192.168.2.5	250-hosting1.nl.hostsailor.com Hello 585948 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Apr 24, 2024 08:06:56.071405888 CEST	49704	587	192.168.2.5	194.36.191.196	STARTTLS
Apr 24, 2024 08:06:56.381283998 CEST	587	49704	194.36.191.196	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	08:06:51
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ-HL51L05.exe"
Imagebase:	0x410000
File size:	1'113'600 bytes
MD5 hash:	29F5C71635B9EDB6929E77B5F5462136
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1979105607.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:06:52
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ-HL51L05.exe"
Imagebase:	0x930000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3210387790.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3210387790.0000000002C8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3210387790.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3209598089.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Executed Functions

Function 00413B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00413B7A
IsDebuggerPresent.KERNEL32 ref: 00413B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,004D62F8,004D62E0,?,?), ref: 00413BFD

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

Part of subcall function 00420A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00413C26,004D62F8,?,?,?), ref: 00420ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00413C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004C93F0,00000010), ref: 0044D4BC
SetCurrentDirectoryW.KERNEL32(?,004D62F8,?,?,?), ref: 0044D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004C5D40,004D62F8,?,?,?), ref: 0044D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0044D581

Part of subcall function 00413A58: GetSysColorBrush.USER32(0000000F), ref: 00413A62
Part of subcall function 00413A58: LoadCursorW.USER32(00000000,00007F00), ref: 00413A71
Part of subcall function 00413A58: LoadIconW.USER32(00000063), ref: 00413A88
Part of subcall function 00413A58: LoadIconW.USER32(000000A4), ref: 00413A9A
Part of subcall function 00413A58: LoadIconW.USER32(000000A2), ref: 00413AAC
Part of subcall function 00413A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00413AD2
Part of subcall function 00413A58: RegisterClassExW.USER32(?), ref: 00413B28

Part of subcall function 004139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00413A15
Part of subcall function 004139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00413A36
Part of subcall function 004139E7: ShowWindow.USER32(00000000,?,?), ref: 00413A4A
Part of subcall function 004139E7: ShowWindow.USER32(00000000,?,?), ref: 00413A53

Part of subcall function 004143DB: _memset.LIBCMT ref: 00414401
Part of subcall function 004143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004144A6

Strings

runas, xrefs: 0044D575
This is a third-party compiled AutoIt script., xrefs: 0044D4B4
%J, xrefs: 00413C56

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%J
API String ID: 529118366-1044932731
Opcode ID: f87b2ac434d7a38a282d402b383bd3f884000b1e326f6eef0f4f76917c9ce825
Instruction ID: bb42b31e6d7e4bf375b922fdce75fe3c72d935aae415b291538581095c2dfb13
Opcode Fuzzy Hash: f87b2ac434d7a38a282d402b383bd3f884000b1e326f6eef0f4f76917c9ce825
Instruction Fuzzy Hash: 8151F831A04248BADF11AFB5DC15EEE7B74AB05304B0041BFF851A22A2DB7C4685CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00414FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00414EEE,?,?,00000000,00000000), ref: 00414FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00414EEE,?,?,00000000,00000000), ref: 00415010
LoadResource.KERNEL32(?,00000000,?,?,00414EEE,?,?,00000000,00000000,?,?,?,?,?,?,00414F8F), ref: 0044DD60
SizeofResource.KERNEL32(?,00000000,?,?,00414EEE,?,?,00000000,00000000,?,?,?,?,?,?,00414F8F), ref: 0044DD75
LockResource.KERNEL32(NA,?,?,00414EEE,?,?,00000000,00000000,?,?,?,?,?,?,00414F8F,00000000), ref: 0044DD88

Strings

SCRIPT, xrefs: 00415006
NA, xrefs: 0044DD85

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$NA
API String ID: 3051347437-3824802586
Opcode ID: 25d8ef56c96b725b952e26dec09d13bbf87c025c15356b759fa298d56ae6bd32
Instruction ID: 2046b434317a7b0672c4062aecd9ff1746f9df176a532b0c386e4ad99634d48d
Opcode Fuzzy Hash: 25d8ef56c96b725b952e26dec09d13bbf87c025c15356b759fa298d56ae6bd32
Instruction Fuzzy Hash: D2117075240700BFD7218B65EC58FA77BBAEBC9B11F20417EF405C6260DB72EC448669

Uniqueness

Uniqueness Score: -1.00%

Function 00414AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00414B2B

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

GetCurrentProcess.KERNEL32(?,0049FAEC,00000000,00000000,?), ref: 00414BF8
IsWow64Process.KERNEL32(00000000), ref: 00414BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00414C45
FreeLibrary.KERNEL32(00000000), ref: 00414C50
GetSystemInfo.KERNEL32(00000000), ref: 00414C81
GetSystemInfo.KERNEL32(00000000), ref: 00414C8D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 5926a2f1cf357a6fc3ab6a80954fba43715c99ac8261a65c8f965b0ddcb1e439
Instruction ID: 6acb9517487681c9a24a92d2ed0be085855bd6675205644d8129898b1cbc965b
Opcode Fuzzy Hash: 5926a2f1cf357a6fc3ab6a80954fba43715c99ac8261a65c8f965b0ddcb1e439
Instruction Fuzzy Hash: 7E91A63194A7C0DED731CB6895511EBBFE4AF66300B4449AFD0CA93B41D228F988C76E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DtM, xrefs: 00453F58
DtM, xrefs: 00453F1F
DtM, xrefs: 0041EC21
Variable must be of type 'Object'., xrefs: 0045428C
DtM, xrefs: 0041EC1A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: DtM$DtM$DtM$DtM$Variable must be of type 'Object'.
API String ID: 0-488983264
Opcode ID: 1063f7b53083080621cabe46eddbe4dece8a193442cf597c133a44c9b0ab78f5
Instruction ID: 73b495567048293c841029c56ba3de1af459d19f8ee299b5fb086503c4db1f84
Opcode Fuzzy Hash: 1063f7b53083080621cabe46eddbe4dece8a193442cf597c133a44c9b0ab78f5
Instruction Fuzzy Hash: 46A26D78A04205DBCB14CF55C580AEAB7B1FF48304F64806BED16AB352D739AD86CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00474696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0044E7C1), ref: 004746A6
FindFirstFileW.KERNELBASE(?,?), ref: 004746B7
FindClose.KERNEL32(00000000), ref: 004746C7

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b8fc3f096c337951ec1a874131cccbcb2c8b927335548e9019eca98ec02db972
Instruction ID: 029b39953e268ba5a090f7059df42bbb5fa7ec18c889df9fc4afbc460d9d77fa
Opcode Fuzzy Hash: b8fc3f096c337951ec1a874131cccbcb2c8b927335548e9019eca98ec02db972
Instruction Fuzzy Hash: DCE0DF328104006B8610A738EC4D8FB779C9E56335F104777FC39C21E0EBB8A9688A9E

Uniqueness

Uniqueness Score: -1.00%

Function 00420B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00420BBB
timeGetTime.WINMM ref: 00420E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00420FB3
TranslateMessage.USER32(?), ref: 00420FC7
DispatchMessageW.USER32(?), ref: 00420FD5
Sleep.KERNEL32(0000000A), ref: 00420FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0042105A
DestroyWindow.USER32 ref: 00421066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00421080
Sleep.KERNEL32(0000000A,?,?), ref: 004552AD
TranslateMessage.USER32(?), ref: 0045608A
DispatchMessageW.USER32(?), ref: 00456098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004560AC

Strings

prM, xrefs: 004553D8
prM, xrefs: 00455383
prM, xrefs: 0045542D
@COM_EVENTOBJ, xrefs: 0045591A
prM, xrefs: 00455BDE
@GUI_CTRLHANDLE, xrefs: 0045540E
@TRAY_ID, xrefs: 00455BB9
@GUI_WINHANDLE, xrefs: 004553B9
@GUI_CTRLID, xrefs: 00455364

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prM$prM$prM$prM
API String ID: 4003667617-3356098226
Opcode ID: 929beab173ebb06662da0bf1d387287ef65be8454dbbfec8c38ff366f0c4d98c
Instruction ID: e698bdad51b0425fb65bf9ab18ab15a1ecd3ef891512a59906c57b0fd474b37e
Opcode Fuzzy Hash: 929beab173ebb06662da0bf1d387287ef65be8454dbbfec8c38ff366f0c4d98c
Instruction Fuzzy Hash: 2CB2B570608741DFD724DF24D894BAAB7E5BF84304F54492FE849873A2D778E889CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004791E9: __time64.LIBCMT ref: 004791F3

Part of subcall function 00415045: _fseek.LIBCMT ref: 0041505D

__wsplitpath.LIBCMT ref: 004794BE

Part of subcall function 0043432E: __wsplitpath_helper.LIBCMT ref: 0043436E

_wcscpy.LIBCMT ref: 004794D1
_wcscat.LIBCMT ref: 004794E4
__wsplitpath.LIBCMT ref: 00479509
_wcscat.LIBCMT ref: 0047951F
_wcscat.LIBCMT ref: 00479532

Part of subcall function 0047922F: _memmove.LIBCMT ref: 00479268
Part of subcall function 0047922F: _memmove.LIBCMT ref: 00479277

_wcscmp.LIBCMT ref: 00479479

Part of subcall function 004799BE: _wcscmp.LIBCMT ref: 00479AAE
Part of subcall function 004799BE: _wcscmp.LIBCMT ref: 00479AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004796DC
_wcsncpy.LIBCMT ref: 0047974F
DeleteFileW.KERNEL32(?,?), ref: 00479785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0047979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004797AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004797BE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: d5621e29d5ca6cb5d36c412fda59779a9affe3cd9c2890d876ef1ca5dac5c07b
Instruction ID: 0f3e75ab786e17f7fd9ee09b88416fdbe994e41bc8d2163df02d61dcbacb0f54
Opcode Fuzzy Hash: d5621e29d5ca6cb5d36c412fda59779a9affe3cd9c2890d876ef1ca5dac5c07b
Instruction Fuzzy Hash: FBC14DB1D00129AADF11DF95CC85EDEBBBDAF49304F0040ABF609E6251DB749E848F69

Uniqueness

Uniqueness Score: -1.00%

Function 00413015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00413074
RegisterClassExW.USER32(00000030), ref: 0041309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004130AF
InitCommonControlsEx.COMCTL32(?), ref: 004130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004130DC
LoadIconW.USER32(000000A9), ref: 004130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00413101

Strings

AutoIt v3 GUI, xrefs: 00413090
TaskbarCreated, xrefs: 004130A4
+, xrefs: 0041305D
0, xrefs: 00413056

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d375340e0c9c7f0819bd7cf5aa2dfe2dcb3e410b5d2f125bd8bd3b8f608fc9da
Instruction ID: 7f0f755d7d4f519364b8df406e65bc74d5e767f075fc5d4de996d8263d443b2b
Opcode Fuzzy Hash: d375340e0c9c7f0819bd7cf5aa2dfe2dcb3e410b5d2f125bd8bd3b8f608fc9da
Instruction Fuzzy Hash: 553146B1902308AFDB10DFA4D888AD9BBF4FB09310F14417BE580E62A1D7B64545CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00413074
RegisterClassExW.USER32(00000030), ref: 0041309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004130AF
InitCommonControlsEx.COMCTL32(?), ref: 004130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004130DC
LoadIconW.USER32(000000A9), ref: 004130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00413101

Strings

AutoIt v3 GUI, xrefs: 00413090
TaskbarCreated, xrefs: 004130A4
+, xrefs: 0041305D
0, xrefs: 00413056

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 32a60db79cd17528384a248ee3c8efb2082edc30fbcafacbe9ab5ab20e3f1055
Instruction ID: 5765d88c81b4e1985a574e808b678038f432d38487ce262907cee87446b118a6
Opcode Fuzzy Hash: 32a60db79cd17528384a248ee3c8efb2082edc30fbcafacbe9ab5ab20e3f1055
Instruction Fuzzy Hash: 2721A3B1952218AFDB00AFE4E849A9DBBF8FB08700F10417BF510E62A0D7B545589F99

Uniqueness

Uniqueness Score: -1.00%

Function 004171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00414864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004D62F8,?,004137C0,?), ref: 00414882

Part of subcall function 0043074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004172C5), ref: 00430771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00417308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0044ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0044ED32
RegCloseKey.ADVAPI32(?), ref: 0044ED70
_wcscat.LIBCMT ref: 0044EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 004172FE
Include, xrefs: 0044ECE8, 0044ED29
\Include\, xrefs: 004172C5
\, xrefs: 0044EDEC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: db92fc871ca7869e91c506d5ae62315b1601e04a7e6e1e92b6e8b4c17771b92d
Instruction ID: 7786bdabd8b6bbb20deaa5169bc602c0e2c2fb9ab4c20ee5263f5cd6ee94db0f
Opcode Fuzzy Hash: db92fc871ca7869e91c506d5ae62315b1601e04a7e6e1e92b6e8b4c17771b92d
Instruction Fuzzy Hash: 93717A715093419AC314EF26E88189BBBF8FF99344F40457FF445832A1EB749988CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00413633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004136D2
KillTimer.USER32(?,00000001), ref: 004136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0041371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0041372A
CreatePopupMenu.USER32 ref: 0041373E
PostQuitMessage.USER32(00000000), ref: 0041375F

Strings

TaskbarCreated, xrefs: 00413725
%J, xrefs: 0044D2D1, 0044D31F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%J
API String ID: 129472671-3728053688
Opcode ID: e71951c307ba399d69f96c57b0aab0450a2c46f134c497a52abcf88a3344b9ae
Instruction ID: 5cda5184f2a7fb66e3d848cb8eeaff570a2cd03238554771eab0023d6cfed7b0
Opcode Fuzzy Hash: e71951c307ba399d69f96c57b0aab0450a2c46f134c497a52abcf88a3344b9ae
Instruction Fuzzy Hash: 9C4124B1201105BBEB246F64EC09BFE3755EB15302F14413BF902C23E1DBAC9E95A66E

Uniqueness

Uniqueness Score: -1.00%

Function 00413A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00413A62
LoadCursorW.USER32(00000000,00007F00), ref: 00413A71
LoadIconW.USER32(00000063), ref: 00413A88
LoadIconW.USER32(000000A4), ref: 00413A9A
LoadIconW.USER32(000000A2), ref: 00413AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00413AD2
RegisterClassExW.USER32(?), ref: 00413B28

Part of subcall function 00413041: GetSysColorBrush.USER32(0000000F), ref: 00413074
Part of subcall function 00413041: RegisterClassExW.USER32(00000030), ref: 0041309E
Part of subcall function 00413041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004130AF
Part of subcall function 00413041: InitCommonControlsEx.COMCTL32(?), ref: 004130CC
Part of subcall function 00413041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004130DC
Part of subcall function 00413041: LoadIconW.USER32(000000A9), ref: 004130F2
Part of subcall function 00413041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00413101

Strings

#, xrefs: 00413B0D
AutoIt v3, xrefs: 00413B17
0, xrefs: 00413B06

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b6b1bccc3af1154abf1ffa7ce4838ffd30ff2e4a55d62077f24e83f1964d5cae
Instruction ID: 5a1b0657482e49f2c4cefe160975597a5b13d9306517eb5896e938f7f2459e0c
Opcode Fuzzy Hash: b6b1bccc3af1154abf1ffa7ce4838ffd30ff2e4a55d62077f24e83f1964d5cae
Instruction Fuzzy Hash: 79212C75D02304AFEB10AFA4EC09B9D7FB5FB08711F1141BBF504A62A0D3BA56548F98

Uniqueness

Uniqueness Score: -1.00%

Function 00413778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 004138CE
/AutoIt3ExecuteLine, xrefs: 004138B9
bM, xrefs: 0044D44E
/AutoIt3OutputDebug, xrefs: 004138A4
/ErrorStdOut, xrefs: 0041388F
CMDLINERAW, xrefs: 0041380D
CMDLINE, xrefs: 00413834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004137C0

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bM
API String ID: 1825951767-1123497042
Opcode ID: a8a668584608f28299f03145376ad55dcc7dd3095893b8171f7483b1afd4faf9
Instruction ID: 9ef57804f4e13e2b329102a3b00843c6597a28a65e4588fdbdbb7cc7069a144e
Opcode Fuzzy Hash: a8a668584608f28299f03145376ad55dcc7dd3095893b8171f7483b1afd4faf9
Instruction Fuzzy Hash: 9EA14D729102299ADF04FFA2CC91AEEB779BF14304F14052FF416A7191DF785A89CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00EB2640 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00EB2711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EB2937

Strings

+/, xrefs: 00EB27F5, 00EB2801, 00EB2810

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID: +/
API String ID: 204039940-4233215163
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 5a2c6911763333eecc94bacabb5480df6b814f04579349981b4393e7cb0797ee
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 7FA11674E00209EBDB18CFA4C894BEEBBB5FF48304F20915DE605BB280D7759A81DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 004303D3
Part of subcall function 004303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 004303DB
Part of subcall function 004303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004303E6
Part of subcall function 004303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004303F1
Part of subcall function 004303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 004303F9
Part of subcall function 004303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00430401

Part of subcall function 00426259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0041FA90), ref: 004262B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0041FB2D
OleInitialize.OLE32(00000000), ref: 0041FBAA
CloseHandle.KERNEL32(00000000), ref: 004549F2

Strings

\dM, xrefs: 0041F957
%J, xrefs: 0041F8F6, 0041F908, 0041FACE, 0041FBB1
cM, xrefs: 0041F94B
<gM, xrefs: 0041FA90

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <gM$\dM$%J$cM
API String ID: 1986988660-3791273082
Opcode ID: a4044a532415529d127d1b4b15defdbb34b2d0edf0c1be487b8db1e9366e4d8c
Instruction ID: 73517480a930ddf022c8fe11f6d6d870a0cf31d7e97a282ac4dee6fdd69c3dc0
Opcode Fuzzy Hash: a4044a532415529d127d1b4b15defdbb34b2d0edf0c1be487b8db1e9366e4d8c
Instruction Fuzzy Hash: 458198B0A022509FC784EF2AEA646557BE5EB99308712813FD819C7362EB395449CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00439D26 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00439D26

Part of subcall function 004333C7: EncodePointer.KERNEL32(00000000), ref: 004333CA
Part of subcall function 004333C7: __initp_misc_winsig.LIBCMT ref: 004333E5
Part of subcall function 004333C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043A0E0
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0043A0F4
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0043A107
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0043A11A
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0043A12D
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0043A140
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0043A153
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0043A166
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0043A179
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043A18C
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0043A19F
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0043A1B2
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0043A1C5
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0043A1D8
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0043A1EB
Part of subcall function 004333C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0043A1FE

__mtinitlocks.LIBCMT ref: 00439D2B
__mtterm.LIBCMT ref: 00439D34

Part of subcall function 00439D9C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00439D39,00437F0D,004CBD38,00000014), ref: 00439E96
Part of subcall function 00439D9C: _free.LIBCMT ref: 00439E9D
Part of subcall function 00439D9C: DeleteCriticalSection.KERNEL32(0BM,?,?,00439D39,00437F0D,004CBD38,00000014), ref: 00439EBF

__calloc_crt.LIBCMT ref: 00439D59
__initptd.LIBCMT ref: 00439D7B
GetCurrentThreadId.KERNEL32 ref: 00439D82

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: bfbae4023bcce7070496c148b367e4e1a21c10e81a0c6ac97f4b8f89f1115276
Instruction ID: f3f21d84d242fe5eb8c531e894e038047fbbc5bab30c9c85e8f740f6710d74dc
Opcode Fuzzy Hash: bfbae4023bcce7070496c148b367e4e1a21c10e81a0c6ac97f4b8f89f1115276
Instruction Fuzzy Hash: 43F0907261971129EA347B76BC0364B2790DB0A738F20663FF464D55E2FFAC8C01459C

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00413A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00413A36
ShowWindow.USER32(00000000,?,?), ref: 00413A4A
ShowWindow.USER32(00000000,?,?), ref: 00413A53

Strings

AutoIt v3, xrefs: 00413A0D, 00413A12, 00413A13
edit, xrefs: 00413A30

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: bd5e24a6de22a6de5dc214a61582b29bdb41c83163420a656d76122a040db4b5
Instruction ID: 03bca8e782128c4dec59b4862b999b760b79fbf1fba34dfb890bb63296ebf58e
Opcode Fuzzy Hash: bd5e24a6de22a6de5dc214a61582b29bdb41c83163420a656d76122a040db4b5
Instruction Fuzzy Hash: 20F03A706022907EEE3027636C4CE672F7DD7C6F50B0240BBB900E2170C2A60800CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00EB2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EB2300: Sleep.KERNELBASE(000001F4), ref: 00EB2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EB2537

Strings

Z92K41T9P9BCX290X0DVIS, xrefs: 00EB259A, 00EB259D

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFileSleep
String ID: Z92K41T9P9BCX290X0DVIS
API String ID: 2694422964-3485135722
Opcode ID: d9212125e830b6ce54abb517be8013d7da878222417a5576e63695de6f9b6cd3
Instruction ID: 970d8abc3339e522215a923e5c32710d5888d9019d8a173b2d1bff67fe225bc3
Opcode Fuzzy Hash: d9212125e830b6ce54abb517be8013d7da878222417a5576e63695de6f9b6cd3
Instruction Fuzzy Hash: A5519130D05249DAEF11DBA4C819BEFBBB8AF15304F10419DE644BB2C1D6B91B49CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0044D5EC

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

_memset.LIBCMT ref: 0041418D
_wcscpy.LIBCMT ref: 004141E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004141F1

Strings

Line: , xrefs: 0044D615

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: b8a7f6888be55a725c1d6c3811b36d15e1ff8c01cf2b675be58c8d15a8dc5ced
Instruction ID: e386a8ce34a58e8056a7d3333ca07de2d581f87c980bfeccf0a76e6d070db176
Opcode Fuzzy Hash: b8a7f6888be55a725c1d6c3811b36d15e1ff8c01cf2b675be58c8d15a8dc5ced
Instruction Fuzzy Hash: E331D371009304AAE721EB60DC45FDB77E8AF44318F10456FF185921A1EB7CA689CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 0043564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004356AB
_memcpy_s.LIBCMT ref: 0043571D
__read_nolock.LIBCMT ref: 0043577B
__filbuf.LIBCMT ref: 0043579E
_memset.LIBCMT ref: 004357E2

Part of subcall function 00438D68: __getptd_noexit.LIBCMT ref: 00438D68

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: cae0994732984f30e844dc18852e81905f9e54cd95b96802ec4a32c7afc4ae47
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 9C51D030A00B05DBDB248FB9C88166FB7B1AF48324F64972FF829962D0D7789D518B49

Uniqueness

Uniqueness Score: -1.00%

Function 004169CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00414F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00414F6F

_free.LIBCMT ref: 0044E68C
_free.LIBCMT ref: 0044E6D3

Part of subcall function 00416BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00416D0D

Strings

Bad directive syntax error, xrefs: 0044E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0044E462

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a593ad06a844fcc0c2daa5c0ee99e4500e646ad8c798fca2459db3e556700707
Instruction ID: f503493c95a19e96398d7b163d39174240daa2d95b0af0ef280bc68d524ebe0d
Opcode Fuzzy Hash: a593ad06a844fcc0c2daa5c0ee99e4500e646ad8c798fca2459db3e556700707
Instruction Fuzzy Hash: 7A917D71910219AFDF04EFA6C8819EEB7B4FF18318F54442FE815AB291DB38A945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004135A1,SwapMouseButtons,00000004,?), ref: 004135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004135A1,SwapMouseButtons,00000004,?,?,?,?,00412754), ref: 004135F5
RegCloseKey.KERNELBASE(00000000,?,?,004135A1,SwapMouseButtons,00000004,?,?,?,?,00412754), ref: 00413617

Strings

Control Panel\Mouse, xrefs: 004135D2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 94d004f1a6d4446e1efb8fc5f45bd8fa60ce63ff35401c892f2536d4739e5d97
Instruction ID: c64637006a6e78cd94aca8b9d7222802db480953adaa5d731266e91906646c66
Opcode Fuzzy Hash: 94d004f1a6d4446e1efb8fc5f45bd8fa60ce63ff35401c892f2536d4739e5d97
Instruction Fuzzy Hash: 1E114871610208BFDB20CF64DC80DEFB7BCEF44741F00446AE805D7210D2719E949768

Uniqueness

Uniqueness Score: -1.00%

Function 00EB1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00EB1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EB1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EB1B73

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: a7b0e0e583e43b13e8460cb49c649eb4429ef4c65153aa36760bca7dbce21329
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: B8620930A14258DBEB24CFA4C851BDEB372EF58304F5091A9E10DFB2A0E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004797E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00415045: _fseek.LIBCMT ref: 0041505D

Part of subcall function 004799BE: _wcscmp.LIBCMT ref: 00479AAE
Part of subcall function 004799BE: _wcscmp.LIBCMT ref: 00479AC1

_free.LIBCMT ref: 0047992C
_free.LIBCMT ref: 00479933
_free.LIBCMT ref: 0047999E

Part of subcall function 00432F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00439C64), ref: 00432FA9
Part of subcall function 00432F95: GetLastError.KERNEL32(00000000,?,00439C64), ref: 00432FBB

_free.LIBCMT ref: 004799A6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 27635cd8a85985f93ee4b00f663f8be5f62c56393ea9e1a0cc835e80d87b4473
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 9C516DF1904218AFDF249F65CC81AEEBBB9EF48304F1044AEB209A7241DB755E80CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0043493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004349D0
__flush.LIBCMT ref: 004349F0
__write.LIBCMT ref: 00434A23
__flsbuf.LIBCMT ref: 00434A51

Part of subcall function 00438D68: __getptd_noexit.LIBCMT ref: 00438D68

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 9b4702c829849b013c6e774f0c8b330999562a7e91c97e44e785fb3438b3e29c
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 1D41C5706007059BDB189EB9C880AEF7BA5EFC8360F24A16FE855C7750D778AD418B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00414DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00414E1A

Strings

EA06, xrefs: 0044DCF5
AU3!P/J, xrefs: 00414E14

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/J$EA06
API String ID: 4104443479-4102755746
Opcode ID: a5871b93a163454ce94322487157a3a16dd87a1dc445f07901fbbc2a90836f68
Instruction ID: 7ce0f067ad1db34cb6095246970b1697f034d21a6d3bc1108a223f5798576d3f
Opcode Fuzzy Hash: a5871b93a163454ce94322487157a3a16dd87a1dc445f07901fbbc2a90836f68
Instruction Fuzzy Hash: DE417D71A043589BDF215B64C8517FF7FA6ABC5314F28406BEC429B382C62D8DC1C3AA

Uniqueness

Uniqueness Score: -1.00%

Function 004173E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044EE62
GetOpenFileNameW.COMDLG32(?), ref: 0044EEAC

Part of subcall function 004148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004148A1,?,?,004137C0,?), ref: 004148CE

Part of subcall function 004309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004309F4

Strings

X, xrefs: 0044EE7A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 6aa2aaf74875c301045849f89c740754ae59f279ddd848648400299610bd92af
Instruction ID: f4efc2dc5d25b4fb03875ece874053abdcfca3c334fd35ef5f76b9215ab7587a
Opcode Fuzzy Hash: 6aa2aaf74875c301045849f89c740754ae59f279ddd848648400299610bd92af
Instruction Fuzzy Hash: C521C6709102589BDB51DF95C845BEE7BF8AF49314F10805FE408E7381DBBC59898B99

Uniqueness

Uniqueness Score: -1.00%

Function 0047901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00479036
__fread_nolock.LIBCMT ref: 0047904B

Strings

EA06, xrefs: 0047907D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 232fdc89f100fdef0e169140744491fc6d8d430a774408ab723a9341d3f00a12
Instruction ID: 64b7351a8b89d6a1430777ca363c4b28073b3b62363db93a4eb2fffae81bb010
Opcode Fuzzy Hash: 232fdc89f100fdef0e169140744491fc6d8d430a774408ab723a9341d3f00a12
Instruction Fuzzy Hash: 2901F9718042586EDB28D6A9C816FEEBBF89B05305F00419FF552D2181E579AA1887A4

Uniqueness

Uniqueness Score: -1.00%

Function 00479B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00479B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00479B99

Strings

aut, xrefs: 00479B93

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2135af6e8453af1b93172a9411587abd8606cf4ca929a2b3b7274116387b186e
Instruction ID: 456bec2c72d0d9f60f9f5257abd00742596a66aba158c757f19e0a342925aeea
Opcode Fuzzy Hash: 2135af6e8453af1b93172a9411587abd8606cf4ca929a2b3b7274116387b186e
Instruction Fuzzy Hash: 93D05E7954030DABDB509B90DC0EF9A772CE714704F0042F2BE54D10A1DEB565A88B99

Uniqueness

Uniqueness Score: -1.00%

Function 0048CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c11aa5d71518d87e3e30149315ab9dc193494ce760bf93928103b1692cff2b9
Instruction ID: de39179ef69d2e94e790e7dd6d54dd2599c0d979fb00af4f9ef72012c20d523b
Opcode Fuzzy Hash: 2c11aa5d71518d87e3e30149315ab9dc193494ce760bf93928103b1692cff2b9
Instruction Fuzzy Hash: 17F14970A043009FC714EF29C484A6EBBE5BF88318F14896EF89997391D734E945CF86

Uniqueness

Uniqueness Score: -1.00%

Function 004143DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004144A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004144C3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: e24e2ad107194f8d3dcfae95595d658601bfd99816ae40c13f7dde0897b99a83
Instruction ID: e5dc199bb3b7775972031aca1c51cb97851ae6d53babc43b9653035ba68da7a5
Opcode Fuzzy Hash: e24e2ad107194f8d3dcfae95595d658601bfd99816ae40c13f7dde0897b99a83
Instruction Fuzzy Hash: DB3150705057119FD720DF64D8847DBBBE8BB88309F00097FE59A83251D7796988CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00435963

Part of subcall function 0043A3AB: __NMSG_WRITE.LIBCMT ref: 0043A3D2
Part of subcall function 0043A3AB: __NMSG_WRITE.LIBCMT ref: 0043A3DC

__NMSG_WRITE.LIBCMT ref: 0043596A

Part of subcall function 0043A408: GetModuleFileNameW.KERNEL32(00000000,004D43BA,00000104,?,00000001,00000000), ref: 0043A49A
Part of subcall function 0043A408: ___crtMessageBoxW.LIBCMT ref: 0043A548

Part of subcall function 004332DF: ___crtCorExitProcess.LIBCMT ref: 004332E5
Part of subcall function 004332DF: ExitProcess.KERNEL32 ref: 004332EE

Part of subcall function 00438D68: __getptd_noexit.LIBCMT ref: 00438D68

RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000000,?,?,?,00431013,?), ref: 0043598F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: f083e7b100949a31fc80a373ce7bcd0b2707ab5d730ad9c0a1eb27e4132f1ba5
Instruction ID: 43211dc327ef0c212862713e7a8d838f743d058a980766ecdd4538e39c24f274
Opcode Fuzzy Hash: f083e7b100949a31fc80a373ce7bcd0b2707ab5d730ad9c0a1eb27e4132f1ba5
Instruction Fuzzy Hash: 9501D2B1341B11EFE6112B26DC42B6EB3988F99775F50203FF800AA2C1DA789D01866D

Uniqueness

Uniqueness Score: -1.00%

Function 00479B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004797D2,?,?,?,?,?,00000004), ref: 00479B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,004797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00479B5B
CloseHandle.KERNEL32(00000000,?,004797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00479B62

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 9991e566b8230328ccd2a1d100f805abfdc003f823a6530068cb6b0f4b1e875e
Instruction ID: a4b40af22aa02ef2f2f6223d91a666fc1e58c545458b9a1e2f0d76aa93fba717
Opcode Fuzzy Hash: 9991e566b8230328ccd2a1d100f805abfdc003f823a6530068cb6b0f4b1e875e
Instruction Fuzzy Hash: 00E08632580214F7D7311B64EC0AFCA7B18EB15761F108131FB14A90E087B1291597DC

Uniqueness

Uniqueness Score: -1.00%

Function 00478F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00478FA5

Part of subcall function 00432F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00439C64), ref: 00432FA9
Part of subcall function 00432F95: GetLastError.KERNEL32(00000000,?,00439C64), ref: 00432FBB

_free.LIBCMT ref: 00478FB6
_free.LIBCMT ref: 00478FC8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: ce575ecdc7ac521dcf2ec3df7747d6baa59ff4fc33c17091cf3935995ee71d2d
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 2AE012B16097114ACA24A679AE44AE367EE5F8C368B18181FF40DDB242DE6CE841912C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0045002B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f4c3c69ebeaa1afc93efabfac0783cb688c6b097573049507fe92587f66bd4a4
Instruction ID: 717cabd1d0f3ffce4c0f4279a45dbf433e6f923fa165ce57c6bc1bc6079a1eed
Opcode Fuzzy Hash: f4c3c69ebeaa1afc93efabfac0783cb688c6b097573049507fe92587f66bd4a4
Instruction Fuzzy Hash: C2223974609341DFD724DF14C494AAABBE1FF49304F14895EE8868B362D739EC85CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00414992

Part of subcall function 004335AC: __lock.LIBCMT ref: 004335B2
Part of subcall function 004335AC: DecodePointer.KERNEL32(00000001,?,004149A7,004681BC), ref: 004335BE
Part of subcall function 004335AC: EncodePointer.KERNEL32(?,?,004149A7,004681BC), ref: 004335C9

Part of subcall function 00414A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00414A73
Part of subcall function 00414A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00414A88

Part of subcall function 00413B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00413B7A
Part of subcall function 00413B4C: IsDebuggerPresent.KERNEL32 ref: 00413B8C
Part of subcall function 00413B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004D62F8,004D62E0,?,?), ref: 00413BFD
Part of subcall function 00413B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00413C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004149D2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 58d818db390c43c0cbe8bd15d0f259926770224ff1ef295207d383ec89b22a4c
Instruction ID: b2004db255d7e69b437b107468b82580efa112dc427652e72a5ce3776c635375
Opcode Fuzzy Hash: 58d818db390c43c0cbe8bd15d0f259926770224ff1ef295207d383ec89b22a4c
Instruction Fuzzy Hash: 8F118C719193119BC700EF29DC0594ABFE8EF98754F00456FF045872A1DB749989CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00415DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00415981,?,?,?,?), ref: 00415E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00415981,?,?,?,?), ref: 0044E19C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 58315377c0cdf05157a45c273b783fb2cb4bc28a56d503e04b2d4a7377619ce5
Instruction ID: cefb4efb9700f6f5dd2730d5e1c1dba6aca1c83df896d2c23ac6fc029bdcc754
Opcode Fuzzy Hash: 58315377c0cdf05157a45c273b783fb2cb4bc28a56d503e04b2d4a7377619ce5
Instruction Fuzzy Hash: 55015670684708FEF7640F14DD86FE7379CAB05768F10831ABAE55A1D0C6B85D858B58

Uniqueness

Uniqueness Score: -1.00%

Function 00430FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043594C: __FF_MSGBANNER.LIBCMT ref: 00435963
Part of subcall function 0043594C: __NMSG_WRITE.LIBCMT ref: 0043596A
Part of subcall function 0043594C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000000,?,?,?,00431013,?), ref: 0043598F

std::exception::exception.LIBCMT ref: 0043102C
__CxxThrowException@8.LIBCMT ref: 00431041

Part of subcall function 004387DB: RaiseException.KERNEL32(?,?,?,004CBAF8,00000000,?,?,?,?,00431046,?,004CBAF8,?,00000001), ref: 00438830

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: fef568584edd919f1e41dc02c2155038f4ea71547d131e75f154bc2bc8115637
Instruction ID: 0e8a8981476257ed52e23d1ac8c35f9e2d90e9b362602137341ff03084c20280
Opcode Fuzzy Hash: fef568584edd919f1e41dc02c2155038f4ea71547d131e75f154bc2bc8115637
Instruction Fuzzy Hash: A9F02D3450031DA6C724BA99DD06ADFB7BCDF09359F10502FF804A1A92DFB98A8092DC

Uniqueness

Uniqueness Score: -1.00%

Function 0043582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043585C
__lock_file.LIBCMT ref: 0043587D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 9eaab03168e699632f7499306eceb228978303d4d2d15d57e85888f4bd5a36f5
Instruction ID: fc659135292d4d2b7180059e65c3b561c610fca76e2f1ecb6909d871a7518996
Opcode Fuzzy Hash: 9eaab03168e699632f7499306eceb228978303d4d2d15d57e85888f4bd5a36f5
Instruction Fuzzy Hash: 66018871800709EBCF16BF678C0259FBB61AF48364F15521FB8145B161DB3D8621DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004355D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00438D68: __getptd_noexit.LIBCMT ref: 00438D68

__lock_file.LIBCMT ref: 0043561B

Part of subcall function 00436E4E: __lock.LIBCMT ref: 00436E71

__fclose_nolock.LIBCMT ref: 00435626

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 8fd69d23faddc2efa801bd9e20aec51f0d4725a085b390fa06b60a22b78fb94e
Instruction ID: 7d46b2f277b03010acabe2a9ac9abb12de2ece13b61db1501291cde871eedb84
Opcode Fuzzy Hash: 8fd69d23faddc2efa801bd9e20aec51f0d4725a085b390fa06b60a22b78fb94e
Instruction Fuzzy Hash: B7F0BB71904B059AD7217F76880375EB7915F48338F65A10FB818AB1C1CF7C59019B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00EB12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00EB1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00EB1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00EB1B73

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: b9e20c77e9d8c1826dae4ec5a818446ccc442e7b9a9965f21467451bdd7c502c
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 1B12DF24E14658C6EB24DF64D8507DEB232EF68300F10A1E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00422123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8272aaa050c8b3beefa914ba2b0c0b223c89f8b3bd16b1094a1945a602718f8
Instruction ID: 09f95ec0aa1e6151fb32da73f6bfb118dc6917093dd621570455ca2be3321347
Opcode Fuzzy Hash: a8272aaa050c8b3beefa914ba2b0c0b223c89f8b3bd16b1094a1945a602718f8
Instruction Fuzzy Hash: 9051BF30700210EFCF14EB65C991EAE77A5AF85314F5581AEF806AB382DB38ED04CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0041774A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 464124430e8de5960c13c3c2f65887e6ee4843d4792a7d1da34d152b5713a97e
Instruction ID: 7ac121ee733927c563bf36f55ac233b8921f778587c636ff4834c3a5feea046f
Opcode Fuzzy Hash: 464124430e8de5960c13c3c2f65887e6ee4843d4792a7d1da34d152b5713a97e
Instruction Fuzzy Hash: AC31A579208A02DFD7249F19C190962F7B0FF09320B14C56FE9998B7A5E734E8C1CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00415C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00415CF6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 110a14d7321b30683cee0853f98fe68c061b4f47a9c95672d96cd230158f47f2
Instruction ID: 68f382b8d35aa6d76259c7b62458395a3217355d989f44407a913f17e219e8c9
Opcode Fuzzy Hash: 110a14d7321b30683cee0853f98fe68c061b4f47a9c95672d96cd230158f47f2
Instruction Fuzzy Hash: D7314B71A00B09EFCB18DF29C4846DDB7B1FF88310F14862AD81993710E735A9A0DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004500D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004500E1

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d46b88f35f1814b2a7aadfc1a2a91ad0e7b8d4c23ac708f09d686caebd166ca1
Instruction ID: f619e6d4e8a2f8fcdf97a32d22c687f19fa5fa99ac450121eb5a7214dfaf1c13
Opcode Fuzzy Hash: d46b88f35f1814b2a7aadfc1a2a91ad0e7b8d4c23ac708f09d686caebd166ca1
Instruction Fuzzy Hash: 6A411A74504351CFDB24CF14C484B5ABBE1BF45318F19886DE8854B762C33AEC99CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004179AB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004179F9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction ID: 2014f2f574ee47d2fa01b9c4e07275a13f05879d62732eac848b3098ddab6a96
Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction Fuzzy Hash: F411B431208205AFD714DF18D481CAEB7A9EF453A4724851FE815DB3A0DB36AC918798

Uniqueness

Uniqueness Score: -1.00%

Function 00414F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00414D13: FreeLibrary.KERNEL32(00000000,?), ref: 00414D4D

Part of subcall function 0043548B: __wfsopen.LIBCMT ref: 00435496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00414F6F

Part of subcall function 00414CC8: FreeLibrary.KERNEL32(00000000), ref: 00414D02

Part of subcall function 00414DD0: _memmove.LIBCMT ref: 00414E1A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 2b7f1ea3b1d8eb2725ef2dbf88b506e61f941d4c2f05504907952a3f09f38c0b
Instruction ID: 539296a98afcb153f2299be238f840b9e2f8b05211135c40055084c50db6831a
Opcode Fuzzy Hash: 2b7f1ea3b1d8eb2725ef2dbf88b506e61f941d4c2f05504907952a3f09f38c0b
Instruction Fuzzy Hash: D711E731A00605AADF14AF71DC02BEE77A49F84718F20842FF545A72C1DA799A459798

Uniqueness

Uniqueness Score: -1.00%

Function 004501AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 004501BB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 6c7c30958a02b57588e96bc0edcee5431d75903f8b7a8ffaea20504e4848ff5e
Instruction ID: 34a113331255195db632494aa83cfa91b669644e4d96daca4bc0d2c4c3777f7e
Opcode Fuzzy Hash: 6c7c30958a02b57588e96bc0edcee5431d75903f8b7a8ffaea20504e4848ff5e
Instruction Fuzzy Hash: F7211374508341DFDB24DF54C444A5BBBE0BF89304F04896EE88A97722D739E899CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00415D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00415807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00415D76

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 94e2096b577800a1f50b2f33cac3cfedaf4707348c08b6c082493f0ad5bdf18e
Instruction ID: 3dc6f1b2af62cc2c28ffc10492d8bc96f7ca01fc4fb117cf3ab5edbff52ca154
Opcode Fuzzy Hash: 94e2096b577800a1f50b2f33cac3cfedaf4707348c08b6c082493f0ad5bdf18e
Instruction Fuzzy Hash: 1D113A71200B01DFD3308F15E588BA3B7F5EF85750F10C92EE4AA86A50D778E985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00434A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00434AD6

Part of subcall function 00438D68: __getptd_noexit.LIBCMT ref: 00438D68

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: da84690947b494e5363df1be9f63dfa73db39863df442b2fcbacf517aee5254b
Instruction ID: e45b9f3ebe8a8e95ddc2c2e33a7ec426b6703141484f3c70bd639860efaae685
Opcode Fuzzy Hash: da84690947b494e5363df1be9f63dfa73db39863df442b2fcbacf517aee5254b
Instruction Fuzzy Hash: F3F0D131800209ABDB51BF668C023DFB660AF88329F14910EB4149A1D1CB7C9D10CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00414FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00414FDE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bd728c929c6f3b4874143dddc8b2a1925f90884f230acaa74266602e9d636fba
Instruction ID: f4b2ea69613830a29e30e793afc211e191e0a29faf749262e043df5857e7b9dc
Opcode Fuzzy Hash: bd728c929c6f3b4874143dddc8b2a1925f90884f230acaa74266602e9d636fba
Instruction Fuzzy Hash: 57F03971105712CFCB349F64E494892BBE1BF543293208A3FE1D682B10C739A896DF49

Uniqueness

Uniqueness Score: -1.00%

Function 004309D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004309F4

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 0727fd8cf7056cc616b95620ac28c70874d3c100b4a52263378b1761345d015c
Instruction ID: 40c75ba6aa44f0c1ea65f2bd2881c48d866e2eaf46044eddb4c92e92541295ea
Opcode Fuzzy Hash: 0727fd8cf7056cc616b95620ac28c70874d3c100b4a52263378b1761345d015c
Instruction Fuzzy Hash: 81E0863690422857D720D6999C05FFA77ADDF88690F0401B6FD0CD7215D965AC818694

Uniqueness

Uniqueness Score: -1.00%

Function 00479129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0047914B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: bd543da102b6db0e5559fde7a9db668032db030c3dd4046488ec90c58e8b24d6
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 52E092B0104B005FEB389A24D8117E373E0EB06315F00081DF2EA93341EB667C51875D

Uniqueness

Uniqueness Score: -1.00%

Function 00415DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0044E16B,?,?,00000000), ref: 00415DBF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 405b04948c7a9cb8cbc2e4bf5ca4281dd86fa7c7216685a230a46602b61464e6
Instruction ID: 188732768f28c1c21934cb5ce6eae15c75bebaacdbc45fe0d0e02516b5a71a09
Opcode Fuzzy Hash: 405b04948c7a9cb8cbc2e4bf5ca4281dd86fa7c7216685a230a46602b61464e6
Instruction Fuzzy Hash: 5AD0C77464020CBFE710DB80DC47FA9777CD705710F1001A5FD0496290D6B27D548795

Uniqueness

Uniqueness Score: -1.00%

Function 0043548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00435496

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4a384fe015b5126a6c4dcc80a33d9025b30b83224bb5902ca955de3dd95d1b9c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 68B0927684020C77DE012E82EC02B593B199B54678F808021FB0C18162A677A6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 0047D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0047D46A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4478b6c165db10b2710fc002927e6b1b8319e9dc848f022698e7ffd7cfbf620e
Instruction ID: bafc9563f527407e51635a3dbec8dad52f4e8dd729e21468099f5f6654d1df95
Opcode Fuzzy Hash: 4478b6c165db10b2710fc002927e6b1b8319e9dc848f022698e7ffd7cfbf620e
Instruction Fuzzy Hash: D07183306143018FC714EF25C491AEAB7F1AF88358F04496EF89A97391DB38ED49CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00430E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00430EF7

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d545d8f1ac149da08a01abaa35c7af466c52d28f396ce01dc60116580296ce95
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0331E274A00105DBC728DF48C4A196AF7A6FF59300F24ABA6E409CB751D738EDC1CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00EB2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00EB2311

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 00b48cc9ed355b6bf1295edfa28ef254e6efb3e30b1bc811861aad54d1c4ae8c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 14E0E67494010EDFDB00EFB4D5496DE7FF4EF04301F100665FD01E2280D6309D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0049CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0049CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0049CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0049CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0049CF00
SendMessageW.USER32 ref: 0049CF29
_wcsncpy.LIBCMT ref: 0049CFA1
GetKeyState.USER32(00000011), ref: 0049CFC2
GetKeyState.USER32(00000009), ref: 0049CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0049CFE5
GetKeyState.USER32(00000010), ref: 0049CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0049D018
SendMessageW.USER32 ref: 0049D03F
SendMessageW.USER32(?,00001030,?,0049B602), ref: 0049D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0049D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0049D16E
SetCapture.USER32(?), ref: 0049D177
ClientToScreen.USER32(?,?), ref: 0049D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0049D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0049D203
ReleaseCapture.USER32 ref: 0049D20E
GetCursorPos.USER32(?), ref: 0049D248
ScreenToClient.USER32(?,?), ref: 0049D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0049D2B1
SendMessageW.USER32 ref: 0049D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0049D31C
SendMessageW.USER32 ref: 0049D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0049D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0049D37B
GetCursorPos.USER32(?), ref: 0049D39B
ScreenToClient.USER32(?,?), ref: 0049D3A8
GetParent.USER32(?), ref: 0049D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0049D431
SendMessageW.USER32 ref: 0049D462
ClientToScreen.USER32(?,?), ref: 0049D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0049D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0049D51A
SendMessageW.USER32 ref: 0049D53D
ClientToScreen.USER32(?,?), ref: 0049D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0049D5C3

Part of subcall function 004125DB: GetWindowLongW.USER32(?,000000EB), ref: 004125EC

GetWindowLongW.USER32(?,000000F0), ref: 0049D65F

Strings

@GUI_DRAGID, xrefs: 0049D1AA
F, xrefs: 0049D543
prM, xrefs: 0049D1BD

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prM
API String ID: 3977979337-1086641333
Opcode ID: aab2cd146f20e607e259d77d82abf6f1de936f23b3c2626c7c12239ac324f2bc
Instruction ID: 643ba8172636fb567a2185e959833872a3fb0c11ee7a929b7bec75b7d7ab2411
Opcode Fuzzy Hash: aab2cd146f20e607e259d77d82abf6f1de936f23b3c2626c7c12239ac324f2bc
Instruction Fuzzy Hash: AF428C30604341AFDF25CF28C894AAABFE6FF49314F14053EF656872A1C7399855CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0049804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0049873F

Strings

%d/%02d/%02d, xrefs: 00498478

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 9a521402ddb2201e95bd1840f5831c0865dc39c1ecae77f075f52acd8d9a8830
Instruction ID: 871e3e44a44ed3d54d5a391ed9fd741446094f858871beadf36b0fe1b96a9762
Opcode Fuzzy Hash: 9a521402ddb2201e95bd1840f5831c0865dc39c1ecae77f075f52acd8d9a8830
Instruction Fuzzy Hash: 0112BF71500204ABEF258F69CC49FAB7FB5EF4A710F20417EF915EA2A1DB788945CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0042710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004275C2
_memset.LIBCMT ref: 004276B1
_memmove.LIBCMT ref: 00427C4B
_memmove.LIBCMT ref: 00427E4F

Strings

0wL, xrefs: 00461F5B
[:<:]], xrefs: 004275F1
DEFINE, xrefs: 004625AF
Q\E, xrefs: 004281C1
\b(?=\w), xrefs: 00463C34
\b(?<=\w), xrefs: 00463C41
OaB, xrefs: 0046287E
[:>:]], xrefs: 0042760A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wL$DEFINE$OaB$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1465500799
Opcode ID: c9e1be78df623eab3ee48cebbca1afe1a1ac97222c78c0569c7e11be2666e5f3
Instruction ID: 2e47e12173541a5f4239c31043e8f8df0c556e188a6d9d7e6fe3ce2abb24e78d
Opcode Fuzzy Hash: c9e1be78df623eab3ee48cebbca1afe1a1ac97222c78c0569c7e11be2666e5f3
Instruction Fuzzy Hash: 7393B271A00215DBDF24CF58D9817AEB7B1FF48710F64816BE945AB380E7789E82CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00414A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00414A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044DA8E
IsIconic.USER32(?), ref: 0044DA97
ShowWindow.USER32(?,00000009), ref: 0044DAA4
SetForegroundWindow.USER32(?), ref: 0044DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044DAC4
GetCurrentThreadId.KERNEL32 ref: 0044DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0044DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0044DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0044DAF8
SetForegroundWindow.USER32(?), ref: 0044DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044DB10
keybd_event.USER32(00000012,00000000), ref: 0044DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044DB25
keybd_event.USER32(00000012,00000000), ref: 0044DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044DB33
keybd_event.USER32(00000012,00000000), ref: 0044DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0044DB42
keybd_event.USER32(00000012,00000000), ref: 0044DB47
SetForegroundWindow.USER32(?), ref: 0044DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0044DB71

Strings

Shell_TrayWnd, xrefs: 0044DA89

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ca826434d01c0453de287c4a13fce252f1c55757949a56572d28f6870f47c5c7
Instruction ID: 7320290fd093aae1dcf3bcdbcb2103a13a842d840bdc8de942bd275870366234
Opcode Fuzzy Hash: ca826434d01c0453de287c4a13fce252f1c55757949a56572d28f6870f47c5c7
Instruction Fuzzy Hash: 78316071E40318BBFB206FA19C49F7F3E6CEB54B60F114036FA04EA1D1C6B45D11AAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00468858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00468CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00468D0D
Part of subcall function 00468CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00468D3A
Part of subcall function 00468CC3: GetLastError.KERNEL32 ref: 00468D47

_memset.LIBCMT ref: 0046889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004688ED
CloseHandle.KERNEL32(?), ref: 004688FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00468915
GetProcessWindowStation.USER32 ref: 0046892E
SetProcessWindowStation.USER32(00000000), ref: 00468938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00468952

Part of subcall function 00468713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00468851), ref: 00468728
Part of subcall function 00468713: CloseHandle.KERNEL32(?,?,00468851), ref: 0046873A

Strings

, xrefs: 004688AA
winsta0, xrefs: 00468910
default, xrefs: 0046894D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 91e0395ed70cfcdc896885440986dde378db9f1dd521c8f4e5ebd0a8184c9e3c
Instruction ID: 8f60705ea469be16a3a15bd52c566f355cda42e333517b2f4dc0fa586ee25823
Opcode Fuzzy Hash: 91e0395ed70cfcdc896885440986dde378db9f1dd521c8f4e5ebd0a8184c9e3c
Instruction Fuzzy Hash: 2C815BB1900209AFDF11DFE0CC45AAE7B78AF14304F18426FFD10A2261EB398E159B69

Uniqueness

Uniqueness Score: -1.00%

Function 0048425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0049F910), ref: 00484284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00484292
GetClipboardData.USER32(0000000D), ref: 0048429A
CloseClipboard.USER32 ref: 004842A6
GlobalLock.KERNEL32(00000000), ref: 004842C2
CloseClipboard.USER32 ref: 004842CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 004842E1
IsClipboardFormatAvailable.USER32(00000001), ref: 004842EE
GetClipboardData.USER32(00000001), ref: 004842F6
GlobalLock.KERNEL32(00000000), ref: 00484303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00484337
CloseClipboard.USER32 ref: 00484447

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 00d6f914da186f9257324d6283797c1917842dc5c1bb91f3a102096691f384b2
Instruction ID: f31c66c6fd26e1159407460673f3ebe671fde8b32a2fc201e688f3d881135d6c
Opcode Fuzzy Hash: 00d6f914da186f9257324d6283797c1917842dc5c1bb91f3a102096691f384b2
Instruction Fuzzy Hash: 6E518E31204302ABD300BF61EC85FAF77A8AF94B44F10093FF555D22A1DB689D498B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0047C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0047C9F8
FindClose.KERNEL32(00000000), ref: 0047CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0047CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0047CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0047CAAF
__swprintf.LIBCMT ref: 0047CAFB
__swprintf.LIBCMT ref: 0047CB3E

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

__swprintf.LIBCMT ref: 0047CB92

Part of subcall function 004338D8: __woutput_l.LIBCMT ref: 00433931

__swprintf.LIBCMT ref: 0047CBE0

Part of subcall function 004338D8: __flsbuf.LIBCMT ref: 00433953
Part of subcall function 004338D8: __flsbuf.LIBCMT ref: 0043396B

__swprintf.LIBCMT ref: 0047CC2F
__swprintf.LIBCMT ref: 0047CC7E
__swprintf.LIBCMT ref: 0047CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0047CAF5
%4d, xrefs: 0047CB38
%02d, xrefs: 0047CB86, 0047CB90, 0047CBDE, 0047CC2D, 0047CC7C, 0047CCCB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: fbe2bd217940c4ce400b5dd82ae0f5c5fb592c1be6b8f991bb993740c86d881c
Instruction ID: 53d94618c6dc81f38c975214b095506451467d76f0cd47efc53db33a1684fadc
Opcode Fuzzy Hash: fbe2bd217940c4ce400b5dd82ae0f5c5fb592c1be6b8f991bb993740c86d881c
Instruction Fuzzy Hash: EBA14FB1508304ABC714EF51C895EEFB7ECAF98705F40492EF586C3191EA38EA49C766

Uniqueness

Uniqueness Score: -1.00%

Function 0047F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0047F221
_wcscmp.LIBCMT ref: 0047F236
_wcscmp.LIBCMT ref: 0047F24D
GetFileAttributesW.KERNEL32(?), ref: 0047F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0047F279
FindNextFileW.KERNEL32(00000000,?), ref: 0047F291
FindClose.KERNEL32(00000000), ref: 0047F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0047F2B8
_wcscmp.LIBCMT ref: 0047F2DF
_wcscmp.LIBCMT ref: 0047F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0047F308
SetCurrentDirectoryW.KERNEL32(004CA5A0), ref: 0047F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047F330
FindClose.KERNEL32(00000000), ref: 0047F33D
FindClose.KERNEL32(00000000), ref: 0047F34F

Strings

*.*, xrefs: 0047F2B3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 440d747e64951b5b39c66d1b67fff67803a5b7f5db7e08a4d9657976850a45e7
Instruction ID: 8eca51186b6abb143decaa485199c9792f5d415b1398ff2d0429341b2bcc63cb
Opcode Fuzzy Hash: 440d747e64951b5b39c66d1b67fff67803a5b7f5db7e08a4d9657976850a45e7
Instruction Fuzzy Hash: F431B3765012196ADB10DFB4DC49BEE77ACAF08361F1481BBE818D3190EB39DA49CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00490AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00490BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0049F910,00000000,?,00000000,?,?), ref: 00490C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00490C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00490D1D
RegCloseKey.ADVAPI32(?), ref: 0049103D
RegCloseKey.ADVAPI32(00000000), ref: 0049104A

Strings

REG_MULTI_SZ, xrefs: 00490E05
REG_DWORD, xrefs: 00490F0E
REG_BINARY, xrefs: 00490FD8
REG_EXPAND_SZ, xrefs: 00490CBA
REG_SZ, xrefs: 00490D5B
REG_QWORD, xrefs: 00490F8B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 86adb5476663c39404a5d658b4f32103cd44296490321f7cafedc7ab36604a56
Instruction ID: d3c9e35ba3dfc9a2a3395ef57ee2240551ce59009cb545049940b9627ff54c22
Opcode Fuzzy Hash: 86adb5476663c39404a5d658b4f32103cd44296490321f7cafedc7ab36604a56
Instruction Fuzzy Hash: 80028F752006119FCB14DF15C891E6ABBE5FF88714F04886EF8999B362CB38ED45CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0047F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0047F37E
_wcscmp.LIBCMT ref: 0047F393
_wcscmp.LIBCMT ref: 0047F3AA

Part of subcall function 004745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004745DC

FindNextFileW.KERNEL32(00000000,?), ref: 0047F3D9
FindClose.KERNEL32(00000000), ref: 0047F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0047F400
_wcscmp.LIBCMT ref: 0047F427
_wcscmp.LIBCMT ref: 0047F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0047F450
SetCurrentDirectoryW.KERNEL32(004CA5A0), ref: 0047F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0047F478
FindClose.KERNEL32(00000000), ref: 0047F485
FindClose.KERNEL32(00000000), ref: 0047F497

Strings

*.*, xrefs: 0047F3FB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 12b9cfd807472db7dd17e73277f15b5847c7019c64e8ceb0fb60ac73c8d208e2
Instruction ID: 626c92dee2f479569cbe0529dbf787448150cfb69258520c9e2d42cfff61a21d
Opcode Fuzzy Hash: 12b9cfd807472db7dd17e73277f15b5847c7019c64e8ceb0fb60ac73c8d208e2
Instruction Fuzzy Hash: F231C4715012196BCB109FB4EC89AEF77AC9F59324F14817BE818E31A0D738DE59CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 004681F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0046874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00468766
Part of subcall function 0046874A: GetLastError.KERNEL32(?,0046822A,?,?,?), ref: 00468770
Part of subcall function 0046874A: GetProcessHeap.KERNEL32(00000008,?,?,0046822A,?,?,?), ref: 0046877F
Part of subcall function 0046874A: HeapAlloc.KERNEL32(00000000,?,0046822A,?,?,?), ref: 00468786
Part of subcall function 0046874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046879D

Part of subcall function 004687E7: GetProcessHeap.KERNEL32(00000008,00468240,00000000,00000000,?,00468240,?), ref: 004687F3
Part of subcall function 004687E7: HeapAlloc.KERNEL32(00000000,?,00468240,?), ref: 004687FA
Part of subcall function 004687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00468240,?), ref: 0046880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0046825B
_memset.LIBCMT ref: 00468270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0046828F
GetLengthSid.ADVAPI32(?), ref: 004682A0
GetAce.ADVAPI32(?,00000000,?), ref: 004682DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004682F9
GetLengthSid.ADVAPI32(?), ref: 00468316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00468325
HeapAlloc.KERNEL32(00000000), ref: 0046832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0046834D
CopySid.ADVAPI32(00000000), ref: 00468354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00468385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004683AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004683BF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: defa0bc9955752ced8a8412b24729239ad9fcf69355588ea66d83da6226cb29c
Instruction ID: 3ef700423fdbb5d780e46576d24b15aaf2fd5623748e155991d603e1f6f40128
Opcode Fuzzy Hash: defa0bc9955752ced8a8412b24729239ad9fcf69355588ea66d83da6226cb29c
Instruction Fuzzy Hash: 9F616C71900209ABCF00DF91DC44AAEBBB9FF14704F14826EE815E6391EB359A55CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00426843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 00461567
UTF16), xrefs: 00461508
UTF), xrefs: 00461533
BSR_UNICODE), xrefs: 00461771
PJK, xrefs: 004268B3
LF), xrefs: 004616DD
ANY), xrefs: 00461717
UCP), xrefs: 00461546
ANYCRLF), xrefs: 00461734
LIMIT_RECURSION=, xrefs: 00461635
CR), xrefs: 004616C0
LIMIT_MATCH=, xrefs: 004615A9
NO_START_OPT), xrefs: 00461588
BSR_ANYCRLF), xrefs: 00461757
OaB, xrefs: 00461888, 0046192F, 004619DD
CRLF), xrefs: 004616FA

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$OaB$PJK$UCP)$UTF)$UTF16)
API String ID: 0-3805103286
Opcode ID: 3c42e5731bca9e07215c05479393084d9149922cd5724f91856a512a747587cd
Instruction ID: 4dd38b54c7e090ca76027bd3b300859d3ed744d4da7e9700ba3771736f525a42
Opcode Fuzzy Hash: 3c42e5731bca9e07215c05479393084d9149922cd5724f91856a512a747587cd
Instruction Fuzzy Hash: 5772B275E002299BDB14CF59D8807AEB7B5FF48310F55816BE805EB390EB389D81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00490665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00490038,?,?), ref: 004910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00490737

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004907D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0049086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00490AAD
RegCloseKey.ADVAPI32(00000000), ref: 00490ABA

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a7047f69adb857ea58a97a2f0b9e2d586f86fbe7d271d33babc13deaf717fa84
Instruction ID: c0608f8fb4a7367812332161e2d0a1ca25e752956384624549e30d0f81f3365d
Opcode Fuzzy Hash: a7047f69adb857ea58a97a2f0b9e2d586f86fbe7d271d33babc13deaf717fa84
Instruction Fuzzy Hash: BFE17D71204210AFCB14DF25C890E6BBBF9EF89714F04846EF45ADB262DA34ED45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00470219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00470241
GetAsyncKeyState.USER32(000000A0), ref: 004702C2
GetKeyState.USER32(000000A0), ref: 004702DD
GetAsyncKeyState.USER32(000000A1), ref: 004702F7
GetKeyState.USER32(000000A1), ref: 0047030C
GetAsyncKeyState.USER32(00000011), ref: 00470324
GetKeyState.USER32(00000011), ref: 00470336
GetAsyncKeyState.USER32(00000012), ref: 0047034E
GetKeyState.USER32(00000012), ref: 00470360
GetAsyncKeyState.USER32(0000005B), ref: 00470378
GetKeyState.USER32(0000005B), ref: 0047038A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0e30bf3fbed0739b8ca78daf715f3ec5f33e5fef61b87343cd40d7eb4acfe69a
Instruction ID: d0ebc4ec8b791acdb156fed755982c7c80c84fc3c23857bdf11630fc246b4a09
Opcode Fuzzy Hash: 0e30bf3fbed0739b8ca78daf715f3ec5f33e5fef61b87343cd40d7eb4acfe69a
Instruction Fuzzy Hash: 9B4187245457C9EAFF315A6484083E7BAA06B11344F08C0AFD9CD567C3E7985DC8879A

Uniqueness

Uniqueness Score: -1.00%

Function 00484458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0048447F
EmptyClipboard.USER32 ref: 00484485
GlobalAlloc.KERNEL32(00000002,?), ref: 0048449A
CloseClipboard.USER32 ref: 00484539

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5f2ec4918c25dd18cef783f4a13ba81b3ce03322da5871a070608b851fb5529c
Instruction ID: ee7226e0a523b3da26dfc00118df7f57fcfb8d7307aca949c2ae2f37932789c5
Opcode Fuzzy Hash: 5f2ec4918c25dd18cef783f4a13ba81b3ce03322da5871a070608b851fb5529c
Instruction Fuzzy Hash: 4821AB35200211AFDB10AF65EC09B6E7BA8EF54724F10847BF946DB2A1DB38AC01CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00473A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004148A1,?,?,004137C0,?), ref: 004148CE

Part of subcall function 00474CD3: GetFileAttributesW.KERNEL32(?,00473947), ref: 00474CD4

FindFirstFileW.KERNEL32(?,?), ref: 00473ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00473B87
MoveFileW.KERNEL32(?,?), ref: 00473B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00473BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00473BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00473BF5

Strings

\*.*, xrefs: 00473A8A, 00473A93, 00473AA8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 0a2e24b1d2b923bde063db7b25125a233c435af0fbbeb8c0dd56f864b46074a2
Instruction ID: 9754a6b3f2125d20ab86e0f0b44232269087db576be5fa83a415e3b0d5ed74a9
Opcode Fuzzy Hash: 0a2e24b1d2b923bde063db7b25125a233c435af0fbbeb8c0dd56f864b46074a2
Instruction Fuzzy Hash: 8551B1318001099ACF15EFA1CD929EEB779AF54305F2481ABE40677192DF286F4DDBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00457B0C
VUUU, xrefs: 00424520
VUUU, xrefs: 004244DB
VUUU, xrefs: 004244ED
ERCP, xrefs: 0042421F
OaB, xrefs: 00424984, 00458173

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: ERCP$OaB$VUUU$VUUU$VUUU$VUUU
API String ID: 0-735457013
Opcode ID: 213d752254bcd7351f6bc68c386e4c39213eb3a173fa4ca6a86017a4554ae563
Instruction ID: 4a6fa432619518fe85f890482c263421e8f2822d8e1b26aeb8f6d504559c57e7
Opcode Fuzzy Hash: 213d752254bcd7351f6bc68c386e4c39213eb3a173fa4ca6a86017a4554ae563
Instruction Fuzzy Hash: C2A2BE70E0422ACBDF24CF58E9407AEB7B1FB84305F5481ABD856A7381D7389E85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0047F6AB
Sleep.KERNEL32(0000000A), ref: 0047F6DB
_wcscmp.LIBCMT ref: 0047F6EF
_wcscmp.LIBCMT ref: 0047F70A
FindNextFileW.KERNEL32(?,?), ref: 0047F7A8
FindClose.KERNEL32(00000000), ref: 0047F7BE

Strings

*.*, xrefs: 0047F690

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 1dfe5f8f4c426a93d3f610cf8fa9de2f61949e4b4f975969a92780c875334195
Instruction ID: 03841993d001a7052cbc0261ea5069954a66cedaa76c169d1f805f79e43a8c74
Opcode Fuzzy Hash: 1dfe5f8f4c426a93d3f610cf8fa9de2f61949e4b4f975969a92780c875334195
Instruction Fuzzy Hash: 864184719042099FCF15DF64CC45AEEBBB4FF05314F14856BE819A3290E7349E89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004258C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00425A05
_memmove.LIBCMT ref: 00425A55
_memmove.LIBCMT ref: 00425ABB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7a37b68e8fe39702ab4ca05364dcdc4f58833dc0ca622ed989687c17ff50b330
Instruction ID: ee5eed4df66d09f002f4a4897583895fbfea59e5329c6eae9ec947fe22f9b710
Opcode Fuzzy Hash: 7a37b68e8fe39702ab4ca05364dcdc4f58833dc0ca622ed989687c17ff50b330
Instruction Fuzzy Hash: F412AA70A00619EFDF04DFA5D981AEEB7B5FF48304F10826AE406E7250EB39AD51CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00425680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00430FF6: std::exception::exception.LIBCMT ref: 0043102C
Part of subcall function 00430FF6: __CxxThrowException@8.LIBCMT ref: 00431041

_memmove.LIBCMT ref: 0046062F
_memmove.LIBCMT ref: 00460744
_memmove.LIBCMT ref: 004607EB

Strings

yZB, xrefs: 00460881, 004607FF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZB
API String ID: 1300846289-2095521711
Opcode ID: 086329e7e26cf6dfa6b1af756e8c2fa85a1b5691e532d3c7fad67b7dd24e5706
Instruction ID: f102fb6f5491810e8da070a4f9b82dbe3317c4c690c7c1ec1dcd9e1ef834435b
Opcode Fuzzy Hash: 086329e7e26cf6dfa6b1af756e8c2fa85a1b5691e532d3c7fad67b7dd24e5706
Instruction Fuzzy Hash: 610280B0A00209EBDF04DF65D981AAF7BB5FF48304F14806EE806DB255EB39D951CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0047545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00468CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00468D0D
Part of subcall function 00468CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00468D3A
Part of subcall function 00468CC3: GetLastError.KERNEL32 ref: 00468D47

ExitWindowsEx.USER32(?,00000000), ref: 0047549B

Strings

, xrefs: 00475489
SeShutdownPrivilege, xrefs: 0047546B
@, xrefs: 0047548E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1b04ba0fed9253e9bc94be364899295deec77bfcfa79dcfa62659fa7ad551c0e
Instruction ID: 0f0f0a9255f057c04da90fd37e0b114e27abfae23972f6a90f1bdaa1cec46cbc
Opcode Fuzzy Hash: 1b04ba0fed9253e9bc94be364899295deec77bfcfa79dcfa62659fa7ad551c0e
Instruction Fuzzy Hash: 9E012431A54B052AE72857749C4ABFB7368AB00353F24823BFD0EDA1D2DADC1C84819D

Uniqueness

Uniqueness Score: -1.00%

Function 00423190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

OaB, xrefs: 00423482

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __itow__swprintf
String ID: OaB
API String ID: 674341424-1622370741
Opcode ID: 072aa26fbda948fed38c77d44864c1d875936919a559fe249236a409b45cbf77
Instruction ID: 736ff12524585708a01c5122d7db730e0236081b78fd9a561c05b9ca805141b0
Opcode Fuzzy Hash: 072aa26fbda948fed38c77d44864c1d875936919a559fe249236a409b45cbf77
Instruction Fuzzy Hash: C9229D716083119FC724DF14D891B6BB7E4AF84304F40492EF89A97392DB78EE45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00486596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004865EF
WSAGetLastError.WSOCK32(00000000), ref: 004865FE
bind.WSOCK32(00000000,?,00000010), ref: 0048661A
listen.WSOCK32(00000000,00000005), ref: 00486629
WSAGetLastError.WSOCK32(00000000), ref: 00486643
closesocket.WSOCK32(00000000,00000000), ref: 00486657

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: b24940b59f238d89afbdbcfc03de9609670526cb0bec4df87008b9b101595646
Instruction ID: b60c97ca9e945ba5cbc4c1eae0ed39bfaa2ea92aded17828d31ff4c922ec4079
Opcode Fuzzy Hash: b24940b59f238d89afbdbcfc03de9609670526cb0bec4df87008b9b101595646
Instruction Fuzzy Hash: FD21CE306002009FCB00FF64C849B6EB7A9EF45324F15856FE956E73D1DB38AD458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00411287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004119FA
GetSysColor.USER32(0000000F), ref: 00411A4E
SetBkColor.GDI32(?,00000000), ref: 00411A61

Part of subcall function 00411290: DefDlgProcW.USER32(?,00000020,?), ref: 004112D8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 080ef342b3e095b1559a97d490a52d653368edacdfa655c72b17231ed98cea7a
Instruction ID: bd154e56c97e0142878f947162af50d987752f476feadeb12ea8582aee865f23
Opcode Fuzzy Hash: 080ef342b3e095b1559a97d490a52d653368edacdfa655c72b17231ed98cea7a
Instruction Fuzzy Hash: 1BA129B1106584BAEA28AB295C84DFF2E5DDF41385B14012FF602D52B2CA1CDD82D2FF

Uniqueness

Uniqueness Score: -1.00%

Function 00486A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004880CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00486AB1
WSAGetLastError.WSOCK32(00000000), ref: 00486ADA
bind.WSOCK32(00000000,?,00000010), ref: 00486B13
WSAGetLastError.WSOCK32(00000000), ref: 00486B20
closesocket.WSOCK32(00000000,00000000), ref: 00486B34

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 0b16f2ebbcc3490f32254eb406fdd60c60a4b2fd08d2e0ec81e8cb1d43502d95
Instruction ID: 4f0f20feaba64655920a97c006adc55643d71cd9a7987a62cb65328432769129
Opcode Fuzzy Hash: 0b16f2ebbcc3490f32254eb406fdd60c60a4b2fd08d2e0ec81e8cb1d43502d95
Instruction Fuzzy Hash: 4A41E475B00210AFEB10BF659C96FAE77A59F04718F04846EF90AEB3C2DB785D408799

Uniqueness

Uniqueness Score: -1.00%

Function 004955FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0049564C
IsWindowEnabled.USER32 ref: 0049565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00495667
IsIconic.USER32 ref: 00495675
IsZoomed.USER32 ref: 00495683

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 954d45d1d6db80908bde64cf4a21205a21cfa3862d442d9684a4f17c22344413
Instruction ID: 5a7605e0d402995cc612f457cfd957508fc94a08e47ad989d733a181e2689c42
Opcode Fuzzy Hash: 954d45d1d6db80908bde64cf4a21205a21cfa3862d442d9684a4f17c22344413
Instruction Fuzzy Hash: BD11B231300A106FEB221F26DC54A6F7B99EF54761B55403BE80AD7251CB789D42CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0047C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0047C69D
CoCreateInstance.OLE32(004A2D6C,00000000,00000001,004A2BDC,?), ref: 0047C6B5

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

CoUninitialize.OLE32 ref: 0047C922

Strings

.lnk, xrefs: 0047C631, 0047C659, 0047C663

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 92a040416b055da4c47346e9f32d5b06fd6552e79c064d26262d839a418581b0
Instruction ID: d1172d7422a0264bbc770de02f47fa82375513a7bfd3437d262a488cb647b008
Opcode Fuzzy Hash: 92a040416b055da4c47346e9f32d5b06fd6552e79c064d26262d839a418581b0
Instruction Fuzzy Hash: ACA13E71208205AFD700EF55C891EABB7ECEF98348F00492EF15697192DB74EE49CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0048C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00451D88,?), ref: 0048C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0048C324

Strings

GetSystemWow64DirectoryW, xrefs: 0048C31E
kernel32.dll, xrefs: 0048C30D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c586e23fdf0208c40aca8c81c1917bffe9850579ff3ce67d250caf45e6d952ab
Instruction ID: 538f2c77715f988053849f238542c6131e9b52952d4bd3d7da185b34e506b8e1
Opcode Fuzzy Hash: c586e23fdf0208c40aca8c81c1917bffe9850579ff3ce67d250caf45e6d952ab
Instruction Fuzzy Hash: A9E08C74200303CFDB205F29D845B4B76D4EB18305B90C83BE886C2320E7B8D881CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0048F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0048F151
Process32FirstW.KERNEL32(00000000,?), ref: 0048F15F

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Process32NextW.KERNEL32(00000000,?), ref: 0048F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0048F22E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 2a19bd8028ad9c464f1623a9dd116274f0b3fdfb736ff317714e7599eb803e5a
Instruction ID: a95e3daa68cf39447bb6ccb7677546e33b8eb1058f396893ca483b61c083edef
Opcode Fuzzy Hash: 2a19bd8028ad9c464f1623a9dd116274f0b3fdfb736ff317714e7599eb803e5a
Instruction Fuzzy Hash: 19517D715043009FD310EF21DC86EAFBBE8EF94754F10482EF49597291EB74A948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0046EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0046EB19

Strings

|, xrefs: 0046EB49
(, xrefs: 0046EB5F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 918201ee4c585f15553b0b31700dc3ed81a518e393b99aa62b31582bdfe94290
Instruction ID: b1fb73f4f5da468c4973a4ccc703d271ff5d570577d9fdca0013cc3ae76c8593
Opcode Fuzzy Hash: 918201ee4c585f15553b0b31700dc3ed81a518e393b99aa62b31582bdfe94290
Instruction Fuzzy Hash: BF323679A00605DFC728CF1AD481A6AB7F0FF48710B15C56EE89ACB3A1E774E941CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004825E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 004826D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0048270C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f5962da7a4ab2a48d5c6bc878d4349d8606905f20d7a054626f6f49049ea3370
Instruction ID: 9553dac4f42e24b8040a4a50870ba4dd2cd5ac0abd3f06a3c19a837a41af17cc
Opcode Fuzzy Hash: f5962da7a4ab2a48d5c6bc878d4349d8606905f20d7a054626f6f49049ea3370
Instruction Fuzzy Hash: 5141E775500209BFEB20FA95CE85EBF77BCEB40718F10446FF601A6240EAF99E419758

Uniqueness

Uniqueness Score: -1.00%

Function 0047B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0047B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0047B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0047B655

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0700a0526c80dcf4cbf23cbad14ed3b6024097f9e517041d8c917d70c403f6f1
Instruction ID: ad0da04c7b80a9f69787437498de402c639a44cdfbf354f1710606e0fd4050e8
Opcode Fuzzy Hash: 0700a0526c80dcf4cbf23cbad14ed3b6024097f9e517041d8c917d70c403f6f1
Instruction Fuzzy Hash: BC218E35A00108EFCB00EFA5D881AEDBBB8FF48314F1480AAE905EB351DB359D46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00468CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00430FF6: std::exception::exception.LIBCMT ref: 0043102C
Part of subcall function 00430FF6: __CxxThrowException@8.LIBCMT ref: 00431041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00468D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00468D3A
GetLastError.KERNEL32 ref: 00468D47

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 2792346556c3738e3e611d56dc75177cdfbeae946d53749169fe42c259ad08f0
Instruction ID: 3d22278aaeb515809940e29c6f6263e5c66455ee155603541c0bc5522fc18258
Opcode Fuzzy Hash: 2792346556c3738e3e611d56dc75177cdfbeae946d53749169fe42c259ad08f0
Instruction Fuzzy Hash: 2B1191B1414209AFE728DF54DC85D6BB7BCFB44714B20862FF45693251EB74AC418A68

Uniqueness

Uniqueness Score: -1.00%

Function 00474021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0047404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00474088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00474091

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c91166aef44876b3ec4579b6e29c32bd18e4864aec800c79ae2fe01b06f8070d
Instruction ID: da32a4644bdc2403161ca5a4488a57e2fc750549ba94073c8a4460fc1656cbcc
Opcode Fuzzy Hash: c91166aef44876b3ec4579b6e29c32bd18e4864aec800c79ae2fe01b06f8070d
Instruction Fuzzy Hash: 4A1173B1904224BEE7209BE8DC44FBFBBBCEB48710F104567BA08E7190D3785D0547A5

Uniqueness

Uniqueness Score: -1.00%

Function 00474C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00474C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00474C43
FreeSid.ADVAPI32(?), ref: 00474C53

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 761a3954402a7296381962641f474e2c9e82227d78aa850959cc94c49c5a9bbb
Instruction ID: fddb419b68bacb57f4f7b61a9409f0aa5af521943e05df54d6ab34eb4c7cf826
Opcode Fuzzy Hash: 761a3954402a7296381962641f474e2c9e82227d78aa850959cc94c49c5a9bbb
Instruction Fuzzy Hash: EEF03C75911208BFDB04DFE09C89AAEB7BCEB08201F104479A501E2181D7746A048B54

Uniqueness

Uniqueness Score: -1.00%

Function 00478B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00478B25

Part of subcall function 0043543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004791F8,00000000,?,?,?,?,004793A9,00000000,?), ref: 00435443
Part of subcall function 0043543A: __aulldiv.LIBCMT ref: 00435463

Strings

0uM, xrefs: 00478B1C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0uM
API String ID: 2893107130-2165279772
Opcode ID: 2e4b423379ba89278c2ef12cf132fd6fc7f30a8290b152d8804414d1ad0a5f93
Instruction ID: 8916c392af08cbfd64af6f1efceebfb398abb626ff14ff6be5bcec6335d66ea2
Opcode Fuzzy Hash: 2e4b423379ba89278c2ef12cf132fd6fc7f30a8290b152d8804414d1ad0a5f93
Instruction Fuzzy Hash: 9C2127726355108BC729CF25D441A52B3E1EBA4320B688E6EE0F9CB2D0CA34B904CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0600c67417236d08058b1a51bd17a4268140d755ab3b31b0ff80fa83a62f31
Instruction ID: 4305bbde60be2a49353fddf7f78c2fcedd1df95b8fa7e5fa9e05e03d2db2fd00
Opcode Fuzzy Hash: 0b0600c67417236d08058b1a51bd17a4268140d755ab3b31b0ff80fa83a62f31
Instruction Fuzzy Hash: C322AF78A00219DFDB24DF55C490AEEB7B1FF08300F14816AEC569B352E738AD85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0047C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0047C966
FindClose.KERNEL32(00000000), ref: 0047C996

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8e9bfee9111864f778b679cdc08faa9fe4c4489a4b59a5261dae37f41a328d19
Instruction ID: 3149ef117e5c4fabe453e2ea8203e0e1b7db173621ae3e22a74dc69bc0bd0fcb
Opcode Fuzzy Hash: 8e9bfee9111864f778b679cdc08faa9fe4c4489a4b59a5261dae37f41a328d19
Instruction Fuzzy Hash: E3118E726106009FD710EF29C845A6AF7E9EF84324F00852EF9A9D7291DB34AC04CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0047A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0048977D,?,0049FB84,?), ref: 0047A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0048977D,?,0049FB84,?), ref: 0047A314

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 41023d6bd1722450586cb2f35e7b19077aba3b20dc88ddd8ae9a840dc81009f6
Instruction ID: 32383c6cdb3216d1858a991445a560513f1b3450f7a6884121147e3f3117fb8c
Opcode Fuzzy Hash: 41023d6bd1722450586cb2f35e7b19077aba3b20dc88ddd8ae9a840dc81009f6
Instruction Fuzzy Hash: 67F0BE3114422DABEB209FA4CC48FEA736DAF08361F00826AB808D2181D6349944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00468713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00468851), ref: 00468728
CloseHandle.KERNEL32(?,?,00468851), ref: 0046873A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e1edc0f9eab6b03451d705600a20e9ed90984476c22ef498485d068670ebb154
Instruction ID: b179daa7df428e605e5d012ce704806d5bccda699468837c71139bf86685c184
Opcode Fuzzy Hash: e1edc0f9eab6b03451d705600a20e9ed90984476c22ef498485d068670ebb154
Instruction Fuzzy Hash: EFE0B676010610EFE7252B61EC09D777BB9EB04355B24893EB896C0870DB66AC90DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0043A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00438F97,?,?,?,00000001), ref: 0043A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0043A3A3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e89c153c64a0a7eae553ab33aef3bc2923fc84761e3de4e68834d15c9d202f3a
Instruction ID: 1dffa9f090f912da30bd58fb2ebc50def1d395c3a42681840bbe33786d621bf8
Opcode Fuzzy Hash: e89c153c64a0a7eae553ab33aef3bc2923fc84761e3de4e68834d15c9d202f3a
Instruction Fuzzy Hash: AEB09231054208EBCA102BA1EC09B883F68EB54BA2F404032FA0DC4C60CB6654A48A99

Uniqueness

Uniqueness Score: -1.00%

Function 0043F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be31eb6898093637abe1ee59d881b5df341faf5ec01595c9e1c016803bd47dbf
Instruction ID: 72b7ba1fac81288218eaa08a5bfa95e7f1ad85658383d94abc476d3f00e8e593
Opcode Fuzzy Hash: be31eb6898093637abe1ee59d881b5df341faf5ec01595c9e1c016803bd47dbf
Instruction Fuzzy Hash: 44321662D69F014DD7239634DC32336A648AFBB3D8F15E737E819B5AA6EB2CD4834104

Uniqueness

Uniqueness Score: -1.00%

Function 0044267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06899fe8fbb8387729570558cb5c9175436fe77ab598278bb87c0603f373f7b1
Instruction ID: 5b9b838bf108ba3527c63bc2ca35ae50bb99c7bad92d174a0732f2cd741526d7
Opcode Fuzzy Hash: 06899fe8fbb8387729570558cb5c9175436fe77ab598278bb87c0603f373f7b1
Instruction Fuzzy Hash: 66B11220D2AF414DD76396398831336BB4CAFBB2D5F91D72BFC2674D22EB2185938245

Uniqueness

Uniqueness Score: -1.00%

Function 004841FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00484218

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 91c343aa9a5e54a17f7bc90f4afe2a5de236df2c495f61b845525d1f84adf0fd
Instruction ID: be9766679522e2cf771e805978f0f254faeb9a9f7e0b4f035d88f7ba111a3ac3
Opcode Fuzzy Hash: 91c343aa9a5e54a17f7bc90f4afe2a5de236df2c495f61b845525d1f84adf0fd
Instruction Fuzzy Hash: E7E04F312442159FC710EF9AD844A9AF7E8AFA47A0F00846BFC49C7352DA74FC458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00474EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00474EEC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: b4976495b8e2dab76e64a13ed9a5ae0932ff94119e536437a696e9d5b64e45f5
Instruction ID: 4d37cd976cd9e9b23e3bd15179c449342ae1c2f00d5a1d0a064cd06da7a9da26
Opcode Fuzzy Hash: b4976495b8e2dab76e64a13ed9a5ae0932ff94119e536437a696e9d5b64e45f5
Instruction Fuzzy Hash: A2D05E981A061479FC184B309C5FFF71108F3807B5FD0C15BB10AC92C2DAD86D555539

Uniqueness

Uniqueness Score: -1.00%

Function 00468C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,004688D1), ref: 00468CB3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: f83294c04185d0f3b9d961a8019438f149f5ded403a181d7673703a19b5a6afb
Instruction ID: 6a3c798ba1005cc2b4538fa38c6a55190843b2ef1f10c70334da21e974543c1b
Opcode Fuzzy Hash: f83294c04185d0f3b9d961a8019438f149f5ded403a181d7673703a19b5a6afb
Instruction Fuzzy Hash: F8D05E3226450EABEF018EA4DC01EAE3B69EB04B01F408121FE15C50A1C775E835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00452230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00452242

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8cd13eb4cb03bbb0bafb084deff19159b6d742c4ba9c2a396352a7b7022330e8
Instruction ID: 098cdfc35e76ada58f7ad9a141e099794f2168270124a9a1631a51af8796be03
Opcode Fuzzy Hash: 8cd13eb4cb03bbb0bafb084deff19159b6d742c4ba9c2a396352a7b7022330e8
Instruction Fuzzy Hash: 1EC04CF1800109DBDB05DB90D988DEE77BCAB04305F104067A501F2111D7749B488A75

Uniqueness

Uniqueness Score: -1.00%

Function 0043A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0043A36A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c97b8f654d62f1e1a81810f5d93c54c01443b989dfeb9b3f4a59ecf89946173a
Instruction ID: bab062c64f22b93782312355bfeab221fca7a928853fb645aecdd2b5b68c8750
Opcode Fuzzy Hash: c97b8f654d62f1e1a81810f5d93c54c01443b989dfeb9b3f4a59ecf89946173a
Instruction Fuzzy Hash: 25A0123000010CE78A001B51EC044447F5CD6001907004031F80C80821873254504584

Uniqueness

Uniqueness Score: -1.00%

Function 00428A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5358bfbe715e1cff5154cf3146ef1d124d333d95539428c467f53a88eae44f9
Instruction ID: 5576ef12c63e602642ef948195b5f5d60584c6ca1ae4a75e5e50d1698f596ba7
Opcode Fuzzy Hash: f5358bfbe715e1cff5154cf3146ef1d124d333d95539428c467f53a88eae44f9
Instruction Fuzzy Hash: AB224B30706625CBDF288B19E49467E77A1EF01304FA4446FD9468B791EB3C9D82CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00432405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: d7c5e928b71a381e20c253822976aa86b213e327ab63e6708d206e58be5b4898
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B7C1E4322050930ADF2D8639D53003FBAE15EA67B1B1A275FE4B3CB6D4EF68D524D624

Uniqueness

Uniqueness Score: -1.00%

Function 0043283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1602e514a06fb6364e1d87efcb88065a932e231bd1caba1bc0c96b313233e007
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: C9C1C4322051930ADF2D463A853013FFBE15EA67B171A276FE4B2CB6D4EF28D524D624

Uniqueness

Uniqueness Score: -1.00%

Function 00EB3660 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6307854edb58335ee2b5421f9c1c9e9f5d05d99c09611204261952d94154ce0c
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8541B571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EB34F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: df8f2f9e26ba45f203a11a2f49f74ad32d552f2fed400aa074669a57deb25b9d
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 46019279A01109EFCB58DFA8C5919AEF7F5FF48310F208599E819A7701D731AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EB3550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: c61831e2f3608c0554ae2eaa1e0e2c8bfee953365a18a919a8f27cb4f9f22618
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 56019278A01109EFCB54DFA8C5919AEFBF5FB48310F208699E919A7701D730AE41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EB1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1979074499.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eb0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 004937F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0049F910), ref: 004938AF
IsWindowVisible.USER32(?), ref: 004938D3

Strings

ADDSTRING, xrefs: 0049399E
GETLINE, xrefs: 00493C23
TABLEFT, xrefs: 0049390F
GETCURRENTLINE, xrefs: 00493B75
ISVISIBLE, xrefs: 004938BF
SETCURRENTSELECTION, xrefs: 00493A3E
SELECTSTRING, xrefs: 00493A8E
GETCURRENTCOL, xrefs: 00493BB0
FINDSTRING, xrefs: 004939FE
GETLINECOUNT, xrefs: 00493B4E
EDITPASTE, xrefs: 00493BE7
CURRENTTAB, xrefs: 00493945
SENDCOMMANDID, xrefs: 00493C62
HIDEDROPDOWN, xrefs: 00493988
ISENABLED, xrefs: 004938F3
GETSELECTED, xrefs: 00493B2B
ISCHECKED, xrefs: 00493AC1
GETCURRENTSELECTION, xrefs: 00493A6B
UNCHECK, xrefs: 00493B0B
CHECK, xrefs: 00493AF5
DELSTRING, xrefs: 004939D1
TABRIGHT, xrefs: 00493925
SHOWDROPDOWN, xrefs: 00493968

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 46e24ff3c521566d322618efc63690c1ec7bb8896998c77e3544ad0cc51a7370
Instruction ID: de5931df293d75f0826ad3be2ba7655594970e0d703a688c7391e8f26c3bffaa
Opcode Fuzzy Hash: 46e24ff3c521566d322618efc63690c1ec7bb8896998c77e3544ad0cc51a7370
Instruction Fuzzy Hash: FBD172342042059BCF14EF11C451A6A7BE9EF55349F10446FF8865B3A2DB39EE4ACB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0049A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0049A89F
GetSysColorBrush.USER32(0000000F), ref: 0049A8D0
GetSysColor.USER32(0000000F), ref: 0049A8DC
SetBkColor.GDI32(?,000000FF), ref: 0049A8F6
SelectObject.GDI32(?,?), ref: 0049A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0049A930
GetSysColor.USER32(00000010), ref: 0049A938
CreateSolidBrush.GDI32(00000000), ref: 0049A93F
FrameRect.USER32(?,?,00000000), ref: 0049A94E
DeleteObject.GDI32(00000000), ref: 0049A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0049A9A0
FillRect.USER32(?,?,?), ref: 0049A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0049A9FD

Part of subcall function 0049AB60: GetSysColor.USER32(00000012), ref: 0049AB99
Part of subcall function 0049AB60: SetTextColor.GDI32(?,?), ref: 0049AB9D
Part of subcall function 0049AB60: GetSysColorBrush.USER32(0000000F), ref: 0049ABB3
Part of subcall function 0049AB60: GetSysColor.USER32(0000000F), ref: 0049ABBE
Part of subcall function 0049AB60: GetSysColor.USER32(00000011), ref: 0049ABDB
Part of subcall function 0049AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0049ABE9
Part of subcall function 0049AB60: SelectObject.GDI32(?,00000000), ref: 0049ABFA
Part of subcall function 0049AB60: SetBkColor.GDI32(?,00000000), ref: 0049AC03
Part of subcall function 0049AB60: SelectObject.GDI32(?,?), ref: 0049AC10
Part of subcall function 0049AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0049AC2F
Part of subcall function 0049AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0049AC46
Part of subcall function 0049AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0049AC5B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8f6a0b065f97e6bdf066eb8656185338c0c69a0202b1edf215787790a62107a1
Instruction ID: bea36b495051077383c672c39bb6423702bfcc48e9a0ba112c1fc3dd8b3d7015
Opcode Fuzzy Hash: 8f6a0b065f97e6bdf066eb8656185338c0c69a0202b1edf215787790a62107a1
Instruction Fuzzy Hash: 85A17C72008301BFDB109F64DC08A6B7BA9FB88331F104A3AF962D61A1D775D959CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00412C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00412CA2
DeleteObject.GDI32(00000000), ref: 00412CE8
DeleteObject.GDI32(00000000), ref: 00412CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00412CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00412D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0044C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0044C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044CAED

Part of subcall function 00411B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00412036,?,00000000,?,?,?,?,004116CB,00000000,?), ref: 00411B9A

SendMessageW.USER32(?,00001053), ref: 0044CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0044CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0044CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0044CB62

Strings

0, xrefs: 0044C981

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: cd13c1fbf64da754f5ae0befe639fc01ae28fd4398a51c56e710f78d7dfee412
Instruction ID: a281b1c8dcf0f14365afb723e8092e90148a90ad25fe9b51839ad35110b6419b
Opcode Fuzzy Hash: cd13c1fbf64da754f5ae0befe639fc01ae28fd4398a51c56e710f78d7dfee412
Instruction Fuzzy Hash: 3D129E30601201EFEB50CF24C984BAAB7E5FF44310F58457AE589DB262D779EC92CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004877BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004877F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004878B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004878EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00487900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00487946
GetClientRect.USER32(00000000,?), ref: 00487952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00487996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004879A5
GetStockObject.GDI32(00000011), ref: 004879B5
SelectObject.GDI32(00000000,00000000), ref: 004879B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004879C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004879D2
DeleteDC.GDI32(00000000), ref: 004879DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00487A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00487A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00487A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00487A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00487A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00487AAE
GetStockObject.GDI32(00000011), ref: 00487AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00487AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00487ACE

Strings

static, xrefs: 00487990, 00487AA8
AutoIt v3, xrefs: 0048793E
msctls_progress32, xrefs: 00487A4F
DISPLAY, xrefs: 0048799B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 09772084625a0168e3a75323e493bb0d7d8011d8c7b43d4e3f0209ecd0f98929
Instruction ID: e8bf3394c947b1ed52aa4109b154eef71eaf1bcae57b480e4fdbb1f45acee5da
Opcode Fuzzy Hash: 09772084625a0168e3a75323e493bb0d7d8011d8c7b43d4e3f0209ecd0f98929
Instruction Fuzzy Hash: 13A18171A40205BFEB149FA4DC4AFAE7BB9EB45714F10416AFA14E72E0D774AD00CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0047AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0047AF89
GetDriveTypeW.KERNEL32(?,0049FAC0,?,\\.\,0049F910), ref: 0047B066
SetErrorMode.KERNEL32(00000000,0049FAC0,?,\\.\,0049F910), ref: 0047B1C4

Strings

1394, xrefs: 0047B146
SATA, xrefs: 0047B177
Fixed, xrefs: 0047B0AE
SAS, xrefs: 0047B170
FileBackedVirtual, xrefs: 0047B193
Removable, xrefs: 0047B0B8
ATAPI, xrefs: 0047B138
CDROM, xrefs: 0047B09A
MMC, xrefs: 0047B185
SCSI, xrefs: 0047B131
Network, xrefs: 0047B0A4
USB, xrefs: 0047B15B
RAID, xrefs: 0047B162
Fibre, xrefs: 0047B154
RAMDisk, xrefs: 0047B090
SSD, xrefs: 0047B0F1
Virtual, xrefs: 0047B18C
PhysicalDrive, xrefs: 0047B012
\\.\, xrefs: 0047AFDB
Unknown, xrefs: 0047B086, 0047B12A
SSA, xrefs: 0047B14D
iSCSI, xrefs: 0047B169
ATA, xrefs: 0047B13F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bb286fca10f361c4cfd7cc1b3d054fa1a63d1ae3e13bcce3004982247e54a9d8
Instruction ID: 02c15761b85901745d1a3221d53611f843764012c84ff64b21f824760ee1fd4e
Opcode Fuzzy Hash: bb286fca10f361c4cfd7cc1b3d054fa1a63d1ae3e13bcce3004982247e54a9d8
Instruction Fuzzy Hash: AD51A074684289AA8B00DB10C956FFE73B0FB54389770C02BE40EA7690C72D9D528A8F

Uniqueness

Uniqueness Score: -1.00%

Function 00416A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00416A91
__wcsnicmp.LIBCMT ref: 00416AA9
__wcsnicmp.LIBCMT ref: 00416AC1
__wcsnicmp.LIBCMT ref: 00416AD9
__wcsnicmp.LIBCMT ref: 00416AF1
__wcsnicmp.LIBCMT ref: 00416B09
__wcsnicmp.LIBCMT ref: 00416B21
__wcsnicmp.LIBCMT ref: 00416B35
__wcsnicmp.LIBCMT ref: 00416B76
__wcsnicmp.LIBCMT ref: 00416B8A
__wcsnicmp.LIBCMT ref: 00416B9E
__wcsnicmp.LIBCMT ref: 00416BB2

Strings

#pragma compile, xrefs: 00416A8B
#ce, xrefs: 00416BAC
#include, xrefs: 00416B03
#comments-start, xrefs: 00416B1B, 00416B70
#cs, xrefs: 00416B2F, 00416B84
#OnAutoItStartRegister, xrefs: 00416AD3
#requireadmin, xrefs: 00416ABB
Cannot parse #include, xrefs: 0044E819
Unterminated group of comments, xrefs: 0044E82C
#comments-end, xrefs: 00416B98
#notrayicon, xrefs: 00416AA3
Bad directive syntax error, xrefs: 0044E743
#include-once, xrefs: 00416AEB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ce4d709e9c9e55a010c31acbb86239cbe627ecec04753b34064c33ec962f6ece
Instruction ID: ad9383cce02724c4166fcabc5417e2b2d5b772e276ddd25d6bdcaa6bd4604c27
Opcode Fuzzy Hash: ce4d709e9c9e55a010c31acbb86239cbe627ecec04753b34064c33ec962f6ece
Instruction Fuzzy Hash: 78812D70644215BADB20BF22CD82FEF7768BF15358F14402BFD45AA181EB6CEA85C25D

Uniqueness

Uniqueness Score: -1.00%

Function 0049AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0049AB99
SetTextColor.GDI32(?,?), ref: 0049AB9D
GetSysColorBrush.USER32(0000000F), ref: 0049ABB3
GetSysColor.USER32(0000000F), ref: 0049ABBE
CreateSolidBrush.GDI32(?), ref: 0049ABC3
GetSysColor.USER32(00000011), ref: 0049ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0049ABE9
SelectObject.GDI32(?,00000000), ref: 0049ABFA
SetBkColor.GDI32(?,00000000), ref: 0049AC03
SelectObject.GDI32(?,?), ref: 0049AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0049AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0049AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0049AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0049ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0049ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0049ACEC
DrawFocusRect.USER32(?,?), ref: 0049ACF7
GetSysColor.USER32(00000011), ref: 0049AD05
SetTextColor.GDI32(?,00000000), ref: 0049AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0049AD21
SelectObject.GDI32(?,0049A869), ref: 0049AD38
DeleteObject.GDI32(?), ref: 0049AD43
SelectObject.GDI32(?,?), ref: 0049AD49
DeleteObject.GDI32(?), ref: 0049AD4E
SetTextColor.GDI32(?,?), ref: 0049AD54
SetBkColor.GDI32(?,?), ref: 0049AD5E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 667fee7e84ec813b7cd14dcb1a1b1f7dff990fe0514350045cbad710610e465f
Instruction ID: aa4ebfc30ab5b085313b7dd824842d0137af45773f2a62a10a2a13a663bf60e4
Opcode Fuzzy Hash: 667fee7e84ec813b7cd14dcb1a1b1f7dff990fe0514350045cbad710610e465f
Instruction Fuzzy Hash: 2B617C71900218FFDF119FA8DC49EAE7B79EB08320F214136F915EB2A1D6759D50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00498C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00498D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00498D45
CharNextW.USER32(0000014E), ref: 00498D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00498DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00498DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00498DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00498DF9
SetWindowTextW.USER32(?,0000014E), ref: 00498E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00498E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00498E8C
_memset.LIBCMT ref: 00498EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00498EFA
_memset.LIBCMT ref: 00498F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00498F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00498FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00499088
InvalidateRect.USER32(?,00000000,00000001), ref: 004990AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004990F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00499121
DrawMenuBar.USER32(?), ref: 00499130
SetWindowTextW.USER32(?,0000014E), ref: 00499158

Strings

0, xrefs: 004990C2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: e94d1b344a2ef90427c6fdf1686e2ffeefbde635327b054625d8fda5b27b2fb5
Instruction ID: 3c5fbe8ab2d06ddfe4f9f0a5e3c2d05a3055a444bfa906971748c163db211a10
Opcode Fuzzy Hash: e94d1b344a2ef90427c6fdf1686e2ffeefbde635327b054625d8fda5b27b2fb5
Instruction Fuzzy Hash: 9BE19070901209AADF109F59CC85AEF7F78FF06314F00817BF91596290DB788A85CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00494B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00494C51
GetDesktopWindow.USER32 ref: 00494C66
GetWindowRect.USER32(00000000), ref: 00494C6D
GetWindowLongW.USER32(?,000000F0), ref: 00494CCF
DestroyWindow.USER32(?), ref: 00494CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00494D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00494D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00494D68
SendMessageW.USER32(?,00000421,?,?), ref: 00494D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00494D90
IsWindowVisible.USER32(?), ref: 00494DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00494DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00494DDF
GetWindowRect.USER32(?,?), ref: 00494DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00494E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00494E37
CopyRect.USER32(?,?), ref: 00494E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00494EB9

Strings

tooltips_class32, xrefs: 00494D1D
0, xrefs: 00494BFC
(, xrefs: 00494E2A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1ec409d626523aea7dc6d08ac6327286e975f453636bcb4161cf0ab0c6243638
Instruction ID: 3f64c0f7c84d08b3ca5b4fe23f5f82e5fbb5987a1e661510277a7732188d5189
Opcode Fuzzy Hash: 1ec409d626523aea7dc6d08ac6327286e975f453636bcb4161cf0ab0c6243638
Instruction Fuzzy Hash: 3EB16A71604340AFDB04DF65C944F6ABBE4BF84314F008A2EF5999B2A1D774EC46CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004746D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004746E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0047470E
_wcscpy.LIBCMT ref: 0047473C
_wcscmp.LIBCMT ref: 00474747
_wcscat.LIBCMT ref: 0047475D
_wcsstr.LIBCMT ref: 00474768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00474784
_wcscat.LIBCMT ref: 004747CD
_wcscat.LIBCMT ref: 004747D4
_wcsncpy.LIBCMT ref: 004747FF

Strings

StringFileInfo\, xrefs: 00474757
%u.%u.%u.%u, xrefs: 00474862
\VarFileInfo\Translation, xrefs: 0047477C
04090000, xrefs: 004747BA
DefaultLangCodepage, xrefs: 004747E7

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 9eddc060d1df4824cf139a4fcc0078d76361163088d6cfe6852eb91f2132fc09
Instruction ID: 7e6b62b94a5ace899a1cc29c28e5194fc841685e830c0e22f6d3380d1215134e
Opcode Fuzzy Hash: 9eddc060d1df4824cf139a4fcc0078d76361163088d6cfe6852eb91f2132fc09
Instruction Fuzzy Hash: 9E4117356002147AEB14BA618C43FBF77BCDF85714F10406FF909E6182EB7C9A0196AD

Uniqueness

Uniqueness Score: -1.00%

Function 004127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004128BC
GetSystemMetrics.USER32(00000007), ref: 004128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004128EF
GetSystemMetrics.USER32(00000008), ref: 004128F7
GetSystemMetrics.USER32(00000004), ref: 0041291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00412939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00412949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0041297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00412990
GetClientRect.USER32(00000000,000000FF), ref: 004129AE
GetStockObject.GDI32(00000011), ref: 004129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004129D5

Part of subcall function 00412344: GetCursorPos.USER32(?), ref: 00412357
Part of subcall function 00412344: ScreenToClient.USER32(004D67B0,?), ref: 00412374
Part of subcall function 00412344: GetAsyncKeyState.USER32(00000001), ref: 00412399
Part of subcall function 00412344: GetAsyncKeyState.USER32(00000002), ref: 004123A7

SetTimer.USER32(00000000,00000000,00000028,00411256), ref: 004129FC

Strings

AutoIt v3 GUI, xrefs: 00412974

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d4897b129ec61930b86e0d369dd64bd2fc5f2f3c1dc3ccca00faac25a86dfcc9
Instruction ID: 21908d2c27fca98e46955d2eadd4be028012f108bed6c97a4efc5ce7b5b08e41
Opcode Fuzzy Hash: d4897b129ec61930b86e0d369dd64bd2fc5f2f3c1dc3ccca00faac25a86dfcc9
Instruction Fuzzy Hash: 60B16F7160120AEFDB14DFA8DD45BEE7BA4FB08314F11823BFA15E6290DB789851CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00494069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004940F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004941B6

Strings

GETSELECTEDCOUNT, xrefs: 00494199
GETITEMCOUNT, xrefs: 00494128
GETTEXT, xrefs: 0049415F
SELECTALL, xrefs: 0049421D
ISSELECTED, xrefs: 004941C1
FINDITEM, xrefs: 00494329
SELECTCLEAR, xrefs: 00494235
GETSELECTED, xrefs: 004942E4
GETSUBITEMCOUNT, xrefs: 00494141
SELECTINVERT, xrefs: 00494286
VIEWCHANGE, xrefs: 00494375
DESELECT, xrefs: 004942A4
SELECT, xrefs: 00494250

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 70760ecaafd69d9abc062a9240caf6856ddcc5467b3a8d4aac6a5efc3533ffc7
Instruction ID: dfac5d262586dc47d4165f2ca1848d65040c1acd14f3fd490ac5a3a63abe2f38
Opcode Fuzzy Hash: 70760ecaafd69d9abc062a9240caf6856ddcc5467b3a8d4aac6a5efc3533ffc7
Instruction Fuzzy Hash: F2A162302143019BCB14EF21C951E6A77E5BF84318F14896EB8965B7D2DB38EC46CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004852F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00485309
LoadCursorW.USER32(00000000,00007F8A), ref: 00485314
LoadCursorW.USER32(00000000,00007F00), ref: 0048531F
LoadCursorW.USER32(00000000,00007F03), ref: 0048532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00485335
LoadCursorW.USER32(00000000,00007F01), ref: 00485340
LoadCursorW.USER32(00000000,00007F81), ref: 0048534B
LoadCursorW.USER32(00000000,00007F88), ref: 00485356
LoadCursorW.USER32(00000000,00007F80), ref: 00485361
LoadCursorW.USER32(00000000,00007F86), ref: 0048536C
LoadCursorW.USER32(00000000,00007F83), ref: 00485377
LoadCursorW.USER32(00000000,00007F85), ref: 00485382
LoadCursorW.USER32(00000000,00007F82), ref: 0048538D
LoadCursorW.USER32(00000000,00007F84), ref: 00485398
LoadCursorW.USER32(00000000,00007F04), ref: 004853A3
LoadCursorW.USER32(00000000,00007F02), ref: 004853AE
GetCursorInfo.USER32(?), ref: 004853BE
GetLastError.KERNEL32(00000001,00000000), ref: 004853E9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0505ce2b3d0113a49c4709ecbf3d66a2ff0ceca923f0aeee73b7ec6e78e82abb
Instruction ID: 679303809a954bc2c720b9215e042c95539e3ad3645a41b1649805f33309c183
Opcode Fuzzy Hash: 0505ce2b3d0113a49c4709ecbf3d66a2ff0ceca923f0aeee73b7ec6e78e82abb
Instruction Fuzzy Hash: D4417370E043196ADB10AFBA8C4996FFFB8EF51B50B10453FE509E7291DAB8A4018F55

Uniqueness

Uniqueness Score: -1.00%

Function 0046AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0046AAA5
__swprintf.LIBCMT ref: 0046AB46
_wcscmp.LIBCMT ref: 0046AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0046ABAE
_wcscmp.LIBCMT ref: 0046ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0046AC21
GetDlgCtrlID.USER32(?), ref: 0046AC73
GetWindowRect.USER32(?,?), ref: 0046ACA9
GetParent.USER32(?), ref: 0046ACC7
ScreenToClient.USER32(00000000), ref: 0046ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0046AD48
_wcscmp.LIBCMT ref: 0046AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0046AD82
_wcscmp.LIBCMT ref: 0046AD96

Part of subcall function 0043386C: _iswctype.LIBCMT ref: 00433874

Strings

%s%u, xrefs: 0046AB40

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: edbd0ffccc86fdb332504fe1916bae76d3247758c2cc2be3934808355e5794f1
Instruction ID: 879ab8a69f98824828c3a523539c1ebf9bde1bc109fae20cb9b51ce1c7682d7b
Opcode Fuzzy Hash: edbd0ffccc86fdb332504fe1916bae76d3247758c2cc2be3934808355e5794f1
Instruction Fuzzy Hash: 42A1E171200B02ABD714DF20C884BABB7E9FF44305F00452BF999E2250E738E965CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0046B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0046B3DB
_wcscmp.LIBCMT ref: 0046B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0046B414
CharUpperBuffW.USER32(?,00000000), ref: 0046B431
_wcscmp.LIBCMT ref: 0046B44F
_wcsstr.LIBCMT ref: 0046B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0046B498
_wcscmp.LIBCMT ref: 0046B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0046B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0046B518
_wcscmp.LIBCMT ref: 0046B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0046B550
GetWindowRect.USER32(00000004,?), ref: 0046B5B9

Strings

ThumbnailClass, xrefs: 0046B4A3, 0046B523
@, xrefs: 0046B3BC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 4fd7d228bda4485e94ccb70e4f9d79e98d9060ee2dadc967fc9f79319bd36f6c
Instruction ID: 6e5af648d9ebed857080d40eb0c8b8a385a702e0fbb87d0b7da0ed341137adec
Opcode Fuzzy Hash: 4fd7d228bda4485e94ccb70e4f9d79e98d9060ee2dadc967fc9f79319bd36f6c
Instruction Fuzzy Hash: 60818F711043059BDB04DF11C885FAB77E8EF44318F04856BED85CA292EB38DD89CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0049C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

DragQueryPoint.SHELL32(?,?), ref: 0049C917

Part of subcall function 0049ADF1: ClientToScreen.USER32(?,?), ref: 0049AE1A
Part of subcall function 0049ADF1: GetWindowRect.USER32(?,?), ref: 0049AE90
Part of subcall function 0049ADF1: PtInRect.USER32(?,?,0049C304), ref: 0049AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0049C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0049C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0049C9AE
_wcscat.LIBCMT ref: 0049C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0049C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0049CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0049CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0049CA47
DragFinish.SHELL32(?), ref: 0049CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0049CB41

Strings

@GUI_DROPID, xrefs: 0049CA6E
@GUI_DRAGFILE, xrefs: 0049CAF0
prM, xrefs: 0049CA8B
@GUI_DRAGID, xrefs: 0049CAB9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prM
API String ID: 169749273-3682893157
Opcode ID: 3ee397d3696b5d718915653923c4acd8f4be9a2ee284c6eb5e711504aed0af6d
Instruction ID: f8444ba6f6180e010f827e2e0213b5c44b89cc53e10baef6c4b414a20aee89cc
Opcode Fuzzy Hash: 3ee397d3696b5d718915653923c4acd8f4be9a2ee284c6eb5e711504aed0af6d
Instruction Fuzzy Hash: 87617C71108300AFC701EF65DC85E9FBBE9EF98754F00092FF591921A1DB749A49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0046B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0046B23F

Strings

HANDLE=, xrefs: 0046B238
LAST, xrefs: 0046B204
[LAST, xrefs: 0046B2EC
ALL, xrefs: 0046B2D3
[ALL, xrefs: 0046B2E5
REGEXP=, xrefs: 0046B254
[HANDLE:, xrefs: 0046B24B
[CLASS:, xrefs: 0046B28F
CLASSNAME=, xrefs: 0046B27C
ACTIVE, xrefs: 0046B21A
[REGEXPTITLE:, xrefs: 0046B267
[ACTIVE, xrefs: 0046B22C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 334b8ddd2e636c133e332ce21863aac414b61288c7e73581c35db21d63737c51
Instruction ID: cc7d81e5d47b27d7aa3c71427057f09549b4098d887ab81db020595e90160564
Opcode Fuzzy Hash: 334b8ddd2e636c133e332ce21863aac414b61288c7e73581c35db21d63737c51
Instruction Fuzzy Hash: A7319A35A44205A6DB10FA62CD5BFEE77A89F24754F20006FB441B10D2FF296E84C59E

Uniqueness

Uniqueness Score: -1.00%

Function 0046C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0046C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0046C4E6
SetWindowTextW.USER32(?,?), ref: 0046C4FD
GetDlgItem.USER32(?,000003EA), ref: 0046C512
SetWindowTextW.USER32(00000000,?), ref: 0046C518
GetDlgItem.USER32(?,000003E9), ref: 0046C528
SetWindowTextW.USER32(00000000,?), ref: 0046C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0046C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0046C569
GetWindowRect.USER32(?,?), ref: 0046C572
SetWindowTextW.USER32(?,?), ref: 0046C5DD
GetDesktopWindow.USER32 ref: 0046C5E3
GetWindowRect.USER32(00000000), ref: 0046C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0046C636
GetClientRect.USER32(?,?), ref: 0046C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0046C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0046C693

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 0e2a52834791b87d6c3a91fc77f06f606ab93383845b966e04adab9fba2b6da9
Instruction ID: 957fa222008b7d79c41ff44a95fa717bd2b7e38ac0f573415a0c4df475639839
Opcode Fuzzy Hash: 0e2a52834791b87d6c3a91fc77f06f606ab93383845b966e04adab9fba2b6da9
Instruction Fuzzy Hash: D6518F71900709AFDB20DFA8CD85B6FBBF5FF04704F00493AE682A26A0D774A945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0049A4C8
DestroyWindow.USER32(?,?), ref: 0049A542

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0049A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0049A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0049A5F1
DestroyWindow.USER32(00000000), ref: 0049A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00410000,00000000), ref: 0049A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0049A663
GetDesktopWindow.USER32 ref: 0049A67C
GetWindowRect.USER32(00000000), ref: 0049A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0049A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0049A6B3

Part of subcall function 004125DB: GetWindowLongW.USER32(?,000000EB), ref: 004125EC

Strings

tooltips_class32, xrefs: 0049A5B5, 0049A643
0, xrefs: 0049A4DE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 6c9b4239facd80b04ebac876d003a755a09efa4d5a92cc0b575cd7b238b29f41
Instruction ID: d636a8caf671e052a403371459ffa6d149991d257c0988af4b219b53e24d42fb
Opcode Fuzzy Hash: 6c9b4239facd80b04ebac876d003a755a09efa4d5a92cc0b575cd7b238b29f41
Instruction Fuzzy Hash: 54719B71144205AFDB20DF28CC49FAA7BE5EB98304F08453EF985872A0C778ED56CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00494619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004946AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004946F6

Strings

GETTOTALCOUNT, xrefs: 004946DD
COLLAPSE, xrefs: 0049473C
GETSELECTED, xrefs: 00494806
EXISTS, xrefs: 0049475F
GETITEMCOUNT, xrefs: 004947D8
ISCHECKED, xrefs: 00494879
GETTEXT, xrefs: 00494849
UNCHECK, xrefs: 004948D2
CHECK, xrefs: 00494716
EXPAND, xrefs: 004947A8
SELECT, xrefs: 004948A7

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 039561a81fab56d7fd0a89df6d5760808cb4925a4509b545b10f5709830515b2
Instruction ID: 2cc56c3af111bc84792df9988c62fa7c9c89f24f2bddad58018f62b92a6a27a6
Opcode Fuzzy Hash: 039561a81fab56d7fd0a89df6d5760808cb4925a4509b545b10f5709830515b2
Instruction Fuzzy Hash: EF9184742047019BCF14EF11C451E6EBBE5AF85318F04846EF8955B3A2DB38ED4ACB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0047A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0049FB78), ref: 0047A0FC

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0047A11E
__swprintf.LIBCMT ref: 0047A177
__swprintf.LIBCMT ref: 0047A190
_wprintf.LIBCMT ref: 0047A246
_wprintf.LIBCMT ref: 0047A264

Strings

Line %d (File "%s"):, xrefs: 0047A171, 0047A18A
^ ERROR, xrefs: 0047A1E8
%J, xrefs: 0047A0C9
Error: , xrefs: 0047A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 0047A241
"%s" (%d) : ==> %s:, xrefs: 0047A25F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%J
API String ID: 311963372-4090123827
Opcode ID: fb1f8e044a0aee97dd7c3ef6e5e341a79269e6881d3b35ccc1b3694beb75f02c
Instruction ID: 54fc337cfc6b9e588a11c4b6198c2f904027460cd9e702ea23ed5e6908e26f95
Opcode Fuzzy Hash: fb1f8e044a0aee97dd7c3ef6e5e341a79269e6881d3b35ccc1b3694beb75f02c
Instruction Fuzzy Hash: 89518131900209BACF15EBE1CD46EEEB779AF14304F1041ABF505721A2EB396F99CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

CharLowerBuffW.USER32(?,?), ref: 0047A636
GetDriveTypeW.KERNEL32 ref: 0047A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0047A730

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

Strings

wait, xrefs: 0047A6ED
type cdaudio alias cd wait, xrefs: 0047A6AE
close, xrefs: 0047A63C
set cd door , xrefs: 0047A6D1
open , xrefs: 0047A692
closed, xrefs: 0047A64A, 0047A653
open, xrefs: 0047A65D
close cd wait, xrefs: 0047A71B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: c3c0940986a88c1fbd8d80d01d8937a6dbbef032d7290d933f7025eeaf218e7e
Instruction ID: 822e813ca5d807618abf96f1ce17eb94d483e47ebe20cd1106df8f3f6bae6284
Opcode Fuzzy Hash: c3c0940986a88c1fbd8d80d01d8937a6dbbef032d7290d933f7025eeaf218e7e
Instruction Fuzzy Hash: 1A518E751043049FC704EF11C8919AAB3F4FF98308F14896EF88A97261DB39EE4ACB46

Uniqueness

Uniqueness Score: -1.00%

Function 0047A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0047A47A
__swprintf.LIBCMT ref: 0047A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0047A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0047A4FE
_memset.LIBCMT ref: 0047A51D
_wcsncpy.LIBCMT ref: 0047A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0047A58E
CloseHandle.KERNEL32(00000000), ref: 0047A599
RemoveDirectoryW.KERNEL32(?), ref: 0047A5A2
CloseHandle.KERNEL32(00000000), ref: 0047A5AC

Strings

\??\%s, xrefs: 0047A496
:, xrefs: 0047A4BD
\, xrefs: 0047A4B2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b0f8bd10d39a91011a8a9417991fe8c24d7f5169f84e97e303be1ada19ec15c8
Instruction ID: fd885a44799be205fba550dfe4c992bcbb4e2cc3cfb197322981576366e5da94
Opcode Fuzzy Hash: b0f8bd10d39a91011a8a9417991fe8c24d7f5169f84e97e303be1ada19ec15c8
Instruction Fuzzy Hash: 9D3180B5500119ABDB21DFA1DC49FEF77BCEF88705F1041BBFA08D2160E67896588B29

Uniqueness

Uniqueness Score: -1.00%

Function 0049C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0049C4EC
GetFocus.USER32 ref: 0049C4FC
GetDlgCtrlID.USER32(00000000), ref: 0049C507
_memset.LIBCMT ref: 0049C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0049C65D
GetMenuItemCount.USER32(?), ref: 0049C67D
GetMenuItemID.USER32(?,00000000), ref: 0049C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0049C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0049C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0049C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0049C779

Strings

0, xrefs: 0049C62A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d646e38633b7103039adfaa8608f2646873bc8da614835bdc5d79d7820da7e03
Instruction ID: 4b60b5b7b961666f07803896fef2779493975f814b818dbe7fbc9d8a080f819d
Opcode Fuzzy Hash: d646e38633b7103039adfaa8608f2646873bc8da614835bdc5d79d7820da7e03
Instruction Fuzzy Hash: 13818C70208301AFDB10CF15C984A6BBBE9EB88314F10497FF99597291D778ED05CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004683F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0046874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00468766
Part of subcall function 0046874A: GetLastError.KERNEL32(?,0046822A,?,?,?), ref: 00468770
Part of subcall function 0046874A: GetProcessHeap.KERNEL32(00000008,?,?,0046822A,?,?,?), ref: 0046877F
Part of subcall function 0046874A: HeapAlloc.KERNEL32(00000000,?,0046822A,?,?,?), ref: 00468786
Part of subcall function 0046874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046879D

Part of subcall function 004687E7: GetProcessHeap.KERNEL32(00000008,00468240,00000000,00000000,?,00468240,?), ref: 004687F3
Part of subcall function 004687E7: HeapAlloc.KERNEL32(00000000,?,00468240,?), ref: 004687FA
Part of subcall function 004687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00468240,?), ref: 0046880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00468458
_memset.LIBCMT ref: 0046846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0046848C
GetLengthSid.ADVAPI32(?), ref: 0046849D
GetAce.ADVAPI32(?,00000000,?), ref: 004684DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004684F6
GetLengthSid.ADVAPI32(?), ref: 00468513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00468522
HeapAlloc.KERNEL32(00000000), ref: 00468529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0046854A
CopySid.ADVAPI32(00000000), ref: 00468551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00468582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004685A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004685BC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5b5af9b3350a2d2950dc78849b5cf9ed5eec74d3e4d87b7c5243607157eb2f3f
Instruction ID: 72b764d1a20848b3086bd6d45086787825ccc37bb5d3b96d801fad9f97bc2463
Opcode Fuzzy Hash: 5b5af9b3350a2d2950dc78849b5cf9ed5eec74d3e4d87b7c5243607157eb2f3f
Instruction Fuzzy Hash: FE615A71900209BBDF00DFA1DC45AAEBBB9FF54304F14822EE815E6291EB359A15CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0048762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004876A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 004876AE
CreateCompatibleDC.GDI32(?), ref: 004876BA
SelectObject.GDI32(00000000,?), ref: 004876C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0048771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00487757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0048777B
SelectObject.GDI32(00000006,?), ref: 00487783
DeleteObject.GDI32(?), ref: 0048778C
DeleteDC.GDI32(00000006), ref: 00487793
ReleaseDC.USER32(00000000,?), ref: 0048779E

Strings

(, xrefs: 00487723

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d22e9e1ebd839e8483e04e53885b97d98ce01770373f9e2e9d8fe741de0a6295
Instruction ID: 67f1463430e29352c2f78fa94699604ef6fc65c7d618675226ebc10ce77b2218
Opcode Fuzzy Hash: d22e9e1ebd839e8483e04e53885b97d98ce01770373f9e2e9d8fe741de0a6295
Instruction Fuzzy Hash: 77515B75904209EFCB15DFA8CC85EAEBBB9EF48310F24842EF949E7210D735A845CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00416BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00430B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00416C6C,?,00008000), ref: 00430BB7

Part of subcall function 004148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004148A1,?,?,004137C0,?), ref: 004148CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00416D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00416E5A

Part of subcall function 004159CD: _wcscpy.LIBCMT ref: 00415A05

Part of subcall function 0043387D: _iswctype.LIBCMT ref: 00433885

Strings

AU3!, xrefs: 00416CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0044E84A
Error opening the file, xrefs: 0044E866, 0044E8E1
Unterminated string, xrefs: 0044EC0D
Bad directive syntax error, xrefs: 0044EBC6
EA06, xrefs: 0044E87B
>>>AUTOIT SCRIPT<<<, xrefs: 0044E8BF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 4f8614fcfaa9caaf6f2a6b6608fd7a1e3c85813851da3a66121d29b81d881660
Instruction ID: 9a1238e73d41e6d03db60798b8230442b8dbb3e755e754f40d0d7dcac5a34633
Opcode Fuzzy Hash: 4f8614fcfaa9caaf6f2a6b6608fd7a1e3c85813851da3a66121d29b81d881660
Instruction Fuzzy Hash: 53028E711083419FC714EF26C881AAFBBE5BF98358F14491EF485972A1DB38D989CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 004145DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004145F9
GetMenuItemCount.USER32(004D6890), ref: 0044D7CD
GetMenuItemCount.USER32(004D6890), ref: 0044D87D
GetCursorPos.USER32(?), ref: 0044D8C1
SetForegroundWindow.USER32(00000000), ref: 0044D8CA
TrackPopupMenuEx.USER32(004D6890,00000000,?,00000000,00000000,00000000), ref: 0044D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0044D8E9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 4293df113762541f19969074e5c6ec91063bb8d3278dad487f0357b4202f742d
Instruction ID: 996b16ef81af911fbf104a5300a6dd76b2d4951fcc8aeb94d0f03947fd588806
Opcode Fuzzy Hash: 4293df113762541f19969074e5c6ec91063bb8d3278dad487f0357b4202f742d
Instruction Fuzzy Hash: 45710570A00205BEFB209F15DC45FEABF64FF45368F204227F529A62E1C7B96850DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00488BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00488BEC
CoInitialize.OLE32(00000000), ref: 00488C19
CoUninitialize.OLE32 ref: 00488C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00488D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00488E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,004A2C0C), ref: 00488E84
CoGetObject.OLE32(?,00000000,004A2C0C,?), ref: 00488EA7
SetErrorMode.KERNEL32(00000000), ref: 00488EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00488F3A
VariantClear.OLEAUT32(?), ref: 00488F4A

Strings

,,J, xrefs: 00488BD6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,J
API String ID: 2395222682-1630447030
Opcode ID: 823aaf2c83daddf62ea3a679de526f76bbc2fa18ba7fa21f992a66c820daf348
Instruction ID: b70be7c908d2d13cac0ccfb51ce303d18dc667d87b71b706930191074fe76721
Opcode Fuzzy Hash: 823aaf2c83daddf62ea3a679de526f76bbc2fa18ba7fa21f992a66c820daf348
Instruction Fuzzy Hash: 1BC133B1208305AFD700EF69C88496BB7E9BF88348F00492EF589DB251DB75ED06CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004910A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00490038,?,?), ref: 004910BC

Strings

HKEY_LOCAL_MACHINE, xrefs: 00491125
HKCR, xrefs: 00491164
HKEY_CURRENT_USER, xrefs: 0049119B
HKLM, xrefs: 0049113A
HKEY_CLASSES_ROOT, xrefs: 0049114F
HKCC, xrefs: 0049118A
HKU, xrefs: 004911CE
HKEY_USERS, xrefs: 004911BD
HKEY_CURRENT_CONFIG, xrefs: 00491179
HKCU, xrefs: 004911AC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 266f4b6752f5225233388a2e869686ec588f4a395593150f6a911ff851e59aa5
Instruction ID: e80d8ba78d62ff30444d638c3d8af7d18138abd3b86978698afa3f63b708d908
Opcode Fuzzy Hash: 266f4b6752f5225233388a2e869686ec588f4a395593150f6a911ff851e59aa5
Instruction Fuzzy Hash: 9341703414024B9BDF10EF91D892AEB3B78EF19344F10456BEC915B2A1DB38A91AC799

Uniqueness

Uniqueness Score: -1.00%

Function 00475569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

Part of subcall function 00417A84: _memmove.LIBCMT ref: 00417B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004755D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004755E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004755F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0047560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0047561C

Strings

play PlayMe wait, xrefs: 00475606
open , xrefs: 00475581
status PlayMe mode, xrefs: 004755CD
alias PlayMe, xrefs: 004755AB
play PlayMe, xrefs: 00475617
close PlayMe, xrefs: 004755E3, 00475610

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: af96bc60504829061c2856c42be5b19793ef4713e2e49573c137a0afdf81d500
Instruction ID: bc37b291c15cfb471a26b5707aa88ca638f190c8724e2123f5bc48201f6226b7
Opcode Fuzzy Hash: af96bc60504829061c2856c42be5b19793ef4713e2e49573c137a0afdf81d500
Instruction Fuzzy Hash: CC11083469019D79D720B6A2CC59EFF7B7CEF91B08F50042FB804960D1DEAC0D45C5A9

Uniqueness

Uniqueness Score: -1.00%

Function 004748F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0047490E
gethostname.WSOCK32(?,00000100), ref: 00474928
gethostbyname.WSOCK32(?), ref: 00474935
_wcscpy.LIBCMT ref: 0047495D
_memmove.LIBCMT ref: 00474970
inet_ntoa.WSOCK32(?), ref: 0047497B
_strcat.LIBCMT ref: 00474989
_wcscpy.LIBCMT ref: 004749A0
WSACleanup.WSOCK32 ref: 004749AE
_wcscpy.LIBCMT ref: 004749BC

Strings

0.0.0.0, xrefs: 00474957

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: b4db2ad0a9f8e8145d00bf0ee650b482ae9e17031c3655b5e544218c39d36cd0
Instruction ID: 2f46acdb17cc547ec6c730dbe8849819dc3febb84db386764c367db6e861fb1c
Opcode Fuzzy Hash: b4db2ad0a9f8e8145d00bf0ee650b482ae9e17031c3655b5e544218c39d36cd0
Instruction Fuzzy Hash: 3B113AB1A04114ABCB24EB74DC0AEEB77BCDF44714F0041BBF508D61A1EFB89A85D659

Uniqueness

Uniqueness Score: -1.00%

Function 00475217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0047521C

Part of subcall function 00430719: timeGetTime.WINMM(?,75A8B400,00420FF9), ref: 0043071D

Sleep.KERNEL32(0000000A), ref: 00475248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0047526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0047528E
SetActiveWindow.USER32 ref: 004752AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004752BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 004752DA
Sleep.KERNEL32(000000FA), ref: 004752E5
IsWindow.USER32 ref: 004752F1
EndDialog.USER32(00000000), ref: 00475302

Strings

BUTTON, xrefs: 00475280

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 98a59ddb5ae8c7a6fdb33663f216bb210939982b934a6d97eda774ce1a5bf4b6
Instruction ID: 0e421ad05af354253d5c2fb7b3ef9b9cd9bf64ccbcac018dde675a1361791641
Opcode Fuzzy Hash: 98a59ddb5ae8c7a6fdb33663f216bb210939982b934a6d97eda774ce1a5bf4b6
Instruction Fuzzy Hash: F621D470205704BFE7005F60EC89B663BAAEB5438AF10447BF809C52B1DBB99C148A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0047D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

CoInitialize.OLE32(00000000), ref: 0047D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0047D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0047D8FC
CoCreateInstance.OLE32(004A2D7C,00000000,00000001,004CA89C,?), ref: 0047D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0047D9B7
CoTaskMemFree.OLE32(?,?), ref: 0047DA0F
_memset.LIBCMT ref: 0047DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0047DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0047DAAB
CoTaskMemFree.OLE32(00000000), ref: 0047DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0047DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0047DAEB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c2194d26a493b624c8d52ac9cc7c3a4af006910bf052bdbc8c2339851a4e6ffa
Instruction ID: fa87021eca1d10c7edb1f26a0b1f24e50f87bef2218c1058ad3e41905697d9ef
Opcode Fuzzy Hash: c2194d26a493b624c8d52ac9cc7c3a4af006910bf052bdbc8c2339851a4e6ffa
Instruction Fuzzy Hash: 24B11B75A00109AFDB04DFA5C888EAEBBB9FF48304B14846AF509EB261DB34ED45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0047052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004705A7
SetKeyboardState.USER32(?), ref: 00470612
GetAsyncKeyState.USER32(000000A0), ref: 00470632
GetKeyState.USER32(000000A0), ref: 00470649
GetAsyncKeyState.USER32(000000A1), ref: 00470678
GetKeyState.USER32(000000A1), ref: 00470689
GetAsyncKeyState.USER32(00000011), ref: 004706B5
GetKeyState.USER32(00000011), ref: 004706C3
GetAsyncKeyState.USER32(00000012), ref: 004706EC
GetKeyState.USER32(00000012), ref: 004706FA
GetAsyncKeyState.USER32(0000005B), ref: 00470723
GetKeyState.USER32(0000005B), ref: 00470731

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 743db87a9b7f4c9af8eae51757dbd0facd0d0c6ffdbc74482f225b78cf4f3f24
Instruction ID: ac3967007472507ab396743e3e79b969443276a98c1a81dae6fcb269e2933f8d
Opcode Fuzzy Hash: 743db87a9b7f4c9af8eae51757dbd0facd0d0c6ffdbc74482f225b78cf4f3f24
Instruction Fuzzy Hash: 2051EB20A0578469FB34DBB488547EBBFB49F11380F08C59FD5CA5A2C2DA6C9A4CCB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0046C746
GetWindowRect.USER32(00000000,?), ref: 0046C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0046C7B6
GetDlgItem.USER32(?,00000002), ref: 0046C7C1
GetWindowRect.USER32(00000000,?), ref: 0046C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0046C827
GetDlgItem.USER32(?,000003E9), ref: 0046C835
GetWindowRect.USER32(00000000,?), ref: 0046C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0046C889
GetDlgItem.USER32(?,000003EA), ref: 0046C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0046C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0046C8C1

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8711340212ee1fc7f23908c39a03555b9d0bf2b6905e3df519facfbf82616f88
Instruction ID: d4274c37541e587f594733963bf15d0dd8d1053c66e071b41eefb48db980e9ff
Opcode Fuzzy Hash: 8711340212ee1fc7f23908c39a03555b9d0bf2b6905e3df519facfbf82616f88
Instruction Fuzzy Hash: 0A515F71B00205AFDB18CFA8DD89AAEBBBAEB98311F14813EF515D7290E7709D04CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0041201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00411B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00412036,?,00000000,?,?,?,?,004116CB,00000000,?), ref: 00411B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004120D3
KillTimer.USER32(-00000001,?,?,?,?,004116CB,00000000,?,?,00411AE2,?,?), ref: 0041216E
DestroyAcceleratorTable.USER32(00000000), ref: 0044BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004116CB,00000000,?,?,00411AE2,?,?), ref: 0044BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004116CB,00000000,?,?,00411AE2,?,?), ref: 0044BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004116CB,00000000,?,?,00411AE2,?,?), ref: 0044BF5A
DeleteObject.GDI32(00000000), ref: 0044BF6C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 320dbae841e8f658fc7ecc0edb195662deddf975c6745e75fca1d128ad3193e7
Instruction ID: 2c776ef5aa666b2c095f1ded8ac468b5e6847d5c7f1f8bb480edcab4d2f44197
Opcode Fuzzy Hash: 320dbae841e8f658fc7ecc0edb195662deddf975c6745e75fca1d128ad3193e7
Instruction Fuzzy Hash: 4261BB30102610EFDB25AF14CE48B667BF1FB14316F11853BE246C6A60C7B9A8A5DF8D

Uniqueness

Uniqueness Score: -1.00%

Function 004121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004125DB: GetWindowLongW.USER32(?,000000EB), ref: 004125EC

GetSysColor.USER32(0000000F), ref: 004121D3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3566e4d1b70e42f6b53d7bfec7c398a31632aff4684889ce88e868c0a2c38042
Instruction ID: 201ca8cc321447df9191bba4995a27246aad50bc1a02c655441ef46781771cd5
Opcode Fuzzy Hash: 3566e4d1b70e42f6b53d7bfec7c398a31632aff4684889ce88e868c0a2c38042
Instruction Fuzzy Hash: B741A131100140ABDB215F68DD88BFA3765EB16331F1842B7FD65CA2E2C7758C92DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0049F910), ref: 0047AB76
GetDriveTypeW.KERNEL32(00000061,004CA620,00000061), ref: 0047AC40
_wcscpy.LIBCMT ref: 0047AC6A

Strings

fixed, xrefs: 0047ABBE
cdrom, xrefs: 0047AB92
ramdisk, xrefs: 0047ABEA
all, xrefs: 0047AB7C
unknown, xrefs: 0047AC01
removable, xrefs: 0047ABA8
network, xrefs: 0047ABD4

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 615cace000d8837c1ee5797bb119e5bf7d76663f48ca56a7c3461079bfacf7bf
Instruction ID: 0c0b188ceb5212117002af7ed57b38375c57fce86fcb8d2e885966713058ab1a
Opcode Fuzzy Hash: 615cace000d8837c1ee5797bb119e5bf7d76663f48ca56a7c3461079bfacf7bf
Instruction Fuzzy Hash: 4B5192301083059BC710EF15C891AEFB7A5EF84308F14882FF599572A2DB39ED5ACA5B

Uniqueness

Uniqueness Score: -1.00%

Function 0049C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

Part of subcall function 00412344: GetCursorPos.USER32(?), ref: 00412357
Part of subcall function 00412344: ScreenToClient.USER32(004D67B0,?), ref: 00412374
Part of subcall function 00412344: GetAsyncKeyState.USER32(00000001), ref: 00412399
Part of subcall function 00412344: GetAsyncKeyState.USER32(00000002), ref: 004123A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0049C2E4
ImageList_EndDrag.COMCTL32 ref: 0049C2EA
ReleaseCapture.USER32 ref: 0049C2F0
SetWindowTextW.USER32(?,00000000), ref: 0049C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0049C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0049C48F

Strings

@GUI_DROPID, xrefs: 0049C3E1
@GUI_DRAGFILE, xrefs: 0049C424
prM, xrefs: 0049C438
prM, xrefs: 0049C3FD

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prM$prM
API String ID: 1924731296-1716393258
Opcode ID: b9e76d28936a0fb013aa4d1659c13608627b3ded0275d4abd4bfffe7f7fc7765
Instruction ID: bc911daa166aedb4e88573d92b3f696a5a696822d827c4bac2ea3cc815acd160
Opcode Fuzzy Hash: b9e76d28936a0fb013aa4d1659c13608627b3ded0275d4abd4bfffe7f7fc7765
Instruction Fuzzy Hash: 8E519E70204304AFDB04EF24C895FAA7BE5EB88314F00493EF555872E1DB78A958DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00419997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004199C2
__swprintf.LIBCMT ref: 00419A0C
__i64tow.LIBCMT ref: 0044FA0F

Strings

True, xrefs: 0044F9D0
False, xrefs: 0044F9D7
0x%p, xrefs: 0044F9F1
%.15g, xrefs: 00419A06

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 38f6e0caf4f12f44e343452e40efb5b42331aa1a5cc4e76146defa309db998e9
Instruction ID: c0fb887c64386f608924ab99067e1236ba4018070f8b54705f26018df6567378
Opcode Fuzzy Hash: 38f6e0caf4f12f44e343452e40efb5b42331aa1a5cc4e76146defa309db998e9
Instruction Fuzzy Hash: 7F41E6B1614205AFEB24DF39D842FB773E8EB48304F20446FE549D7391EA799D428B1A

Uniqueness

Uniqueness Score: -1.00%

Function 004973C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004973D9
CreateMenu.USER32 ref: 004973F4
SetMenu.USER32(?,00000000), ref: 00497403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00497490
IsMenu.USER32(?), ref: 004974A6
CreatePopupMenu.USER32 ref: 004974B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004974DD
DrawMenuBar.USER32 ref: 004974E5

Strings

F, xrefs: 004974D1
0, xrefs: 004973CF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8b276861ebbc5b76aefa4cb103975e5eacb46b1b6d7c51c9e0c85b9e327305e0
Instruction ID: b7622564d021cf26afabd7c601e5cf50c09c0514841207447f139e274edd472d
Opcode Fuzzy Hash: 8b276861ebbc5b76aefa4cb103975e5eacb46b1b6d7c51c9e0c85b9e327305e0
Instruction Fuzzy Hash: 26416574A11209EFDF20DF64D884E9ABBB9FF49310F15403AF90597362D734A914CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 004977CD
CreateCompatibleDC.GDI32(00000000), ref: 004977D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004977E7
SelectObject.GDI32(00000000,00000000), ref: 004977EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 004977FA
DeleteDC.GDI32(00000000), ref: 00497803
GetWindowLongW.USER32(?,000000EC), ref: 0049780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00497821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0049782D

Strings

static, xrefs: 00497765

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 8c010495478175ea26d2f427da39bcb05881e4e46666510158d6bb3f805baf70
Instruction ID: 48557fc63c489b7909d4ca36a77e73f3b44d0c56ec47b9da7702ea78bd96b263
Opcode Fuzzy Hash: 8c010495478175ea26d2f427da39bcb05881e4e46666510158d6bb3f805baf70
Instruction Fuzzy Hash: 56318A32115215ABDF119FA4DC09FDB3F69EF19324F110236FA15E61A0C739E825DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00437040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043707B

Part of subcall function 00438D68: __getptd_noexit.LIBCMT ref: 00438D68

__gmtime64_s.LIBCMT ref: 00437114
__gmtime64_s.LIBCMT ref: 0043714A
__gmtime64_s.LIBCMT ref: 00437167
__allrem.LIBCMT ref: 004371BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004371D9
__allrem.LIBCMT ref: 004371F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043720E
__allrem.LIBCMT ref: 00437225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437243
__invoke_watson.LIBCMT ref: 004372B4

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: fc6e7c87c75787564935bdef476a3171b4f7bcbf04cb775ebef4892b3e85d803
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 7E710AB2A04706ABF7249E79CC81B5BB3B4AF19724F14522FF954E7381E778D9008798

Uniqueness

Uniqueness Score: -1.00%

Function 00472A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00472A31
GetMenuItemInfoW.USER32(004D6890,000000FF,00000000,00000030), ref: 00472A92
SetMenuItemInfoW.USER32(004D6890,00000004,00000000,00000030), ref: 00472AC8
Sleep.KERNEL32(000001F4), ref: 00472ADA
GetMenuItemCount.USER32(?), ref: 00472B1E
GetMenuItemID.USER32(?,00000000), ref: 00472B3A
GetMenuItemID.USER32(?,-00000001), ref: 00472B64
GetMenuItemID.USER32(?,?), ref: 00472BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00472BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00472C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00472C24

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 8c08a7cce8a0615bbbc3a961d85d068207f34841f3572a4e3924b764f976f4da
Instruction ID: 96113755ecbb7fc9f641a566c139abde51d64bf2d6f6bc04018786d969c6fae7
Opcode Fuzzy Hash: 8c08a7cce8a0615bbbc3a961d85d068207f34841f3572a4e3924b764f976f4da
Instruction Fuzzy Hash: B061C4B0900249AFDB21CF64CE88DFF7BB8EB51314F14846BE84593251D7B9AD05DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00497192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00497214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00497217
GetWindowLongW.USER32(?,000000F0), ref: 0049723B
_memset.LIBCMT ref: 0049724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0049725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004972D6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1fde27723f7b4aa295b9025f75d72e0353d696f5ccfdd0d2cf1c43ba32a3a5ff
Instruction ID: 33d7573e4b919e1e31eb55e087032895aa8955dd6e1cfcc811132f6712d5b025
Opcode Fuzzy Hash: 1fde27723f7b4aa295b9025f75d72e0353d696f5ccfdd0d2cf1c43ba32a3a5ff
Instruction Fuzzy Hash: 34614D75A00208AFDB20DFA4CC81EEE7BB8EB09714F14416AFA14A73A1D774AD45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0046710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00467135
SafeArrayAllocData.OLEAUT32(?), ref: 0046718E
VariantInit.OLEAUT32(?), ref: 004671A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 004671C0
VariantCopy.OLEAUT32(?,?), ref: 00467213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00467227
VariantClear.OLEAUT32(?), ref: 0046723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00467249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00467252
VariantClear.OLEAUT32(?), ref: 00467264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0046726F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 62b2299805e74112c771a3ad97092ff5c26cb8461af0b37ec88be70783abcaf9
Instruction ID: 8701ec0114e8bd58ace494b429f707853e9f7dc48e55ef034403cb958f81bff0
Opcode Fuzzy Hash: 62b2299805e74112c771a3ad97092ff5c26cb8461af0b37ec88be70783abcaf9
Instruction Fuzzy Hash: 52416F31A00219AFCF00DFA5D8549EEBBB9FF58358F00807AF915E7261DB34A949CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004886D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

CoInitialize.OLE32 ref: 00488718
CoUninitialize.OLE32 ref: 00488723
CoCreateInstance.OLE32(?,00000000,00000017,004A2BEC,?), ref: 00488783
IIDFromString.OLE32(?,?), ref: 004887F6
VariantInit.OLEAUT32(?), ref: 00488890
VariantClear.OLEAUT32(?), ref: 004888F1

Strings

Failed to create object, xrefs: 0048878E, 00488844
Invalid parameter, xrefs: 0048880F
NULL Pointer assignment, xrefs: 004887C8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: e9e03f5b7d0ea1cb9b29975616c12bb197fa8eccda8f80591b869122c32045b3
Instruction ID: c6c00d7889528c3629e76d82bf56d676d241a21a75f141ffa01793cc70da168b
Opcode Fuzzy Hash: e9e03f5b7d0ea1cb9b29975616c12bb197fa8eccda8f80591b869122c32045b3
Instruction Fuzzy Hash: 8E61AE706083019FD710EF25C848B5FBBE4AF84718F94481EF9859B291DB78ED48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00485A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00485AA6
inet_addr.WSOCK32(?,?,?), ref: 00485AEB
gethostbyname.WSOCK32(?), ref: 00485AF7
IcmpCreateFile.IPHLPAPI ref: 00485B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00485B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00485B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00485C00
WSACleanup.WSOCK32 ref: 00485C06

Strings

Ping, xrefs: 00485B29

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 37c7649e9aaca2caaf7a4eb6f88149612167a344ccdcee9269ad97bb26bf7c47
Instruction ID: 3fd6f0f96a51548dac25ef88a0427f4c546f668878772b21fcb142580cddedc3
Opcode Fuzzy Hash: 37c7649e9aaca2caaf7a4eb6f88149612167a344ccdcee9269ad97bb26bf7c47
Instruction Fuzzy Hash: C1518D316047009FDB10AF25CC85B6EBBE0EF58314F14896BF955DB2A1DB78EC448B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0047B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0047B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0047B7B1
GetLastError.KERNEL32 ref: 0047B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0047B828

Strings

NOTREADY, xrefs: 0047B7E7
READY, xrefs: 0047B801
INVALID, xrefs: 0047B7FA
UNKNOWN, xrefs: 0047B7E0
READONLY, xrefs: 0047B7F3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1e5002dd9e1c37d880a971166a31b822dac001ff3339dee18ea965e147b74666
Instruction ID: f856859da2e022c141b10a70a9b6809f76b3b9731ec1ba2ac5232ddc8bbc9867
Opcode Fuzzy Hash: 1e5002dd9e1c37d880a971166a31b822dac001ff3339dee18ea965e147b74666
Instruction Fuzzy Hash: A6318035A002099FDB14EF64C885BFEB7B8EF84704F10802BE509D7291DB799D46C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00469471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 0046B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0046B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004694F6
GetDlgCtrlID.USER32 ref: 00469501
GetParent.USER32 ref: 0046951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00469520
GetDlgCtrlID.USER32(?), ref: 00469529
GetParent.USER32(?), ref: 00469545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00469548

Strings

ListBox, xrefs: 004694B3
ComboBox, xrefs: 0046947E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: eff175c1c70c1180677cd0037f266d76a8eaba240734f88604faf26f0ec619c1
Instruction ID: c150fcc78120b9399cfed48d8e855c54adcb44853edd5761d2d9a6482e2d7156
Opcode Fuzzy Hash: eff175c1c70c1180677cd0037f266d76a8eaba240734f88604faf26f0ec619c1
Instruction Fuzzy Hash: 7621F475A00204BBCF01AB61CC85EFEBB78EF55300F10012BF522972A1EB795D5ADB29

Uniqueness

Uniqueness Score: -1.00%

Function 0046955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 0046B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0046B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004695DF
GetDlgCtrlID.USER32 ref: 004695EA
GetParent.USER32 ref: 00469606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00469609
GetDlgCtrlID.USER32(?), ref: 00469612
GetParent.USER32(?), ref: 0046962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00469631

Strings

ListBox, xrefs: 0046959E
ComboBox, xrefs: 00469569

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4084cb61258f059e3cc3d6d3cc0c72d103bcff700b2ced3e0cd3c927c8ad35b1
Instruction ID: ceac88f9f5661d2c32060682fece7a70e84c6221108c2d909970495730d14dde
Opcode Fuzzy Hash: 4084cb61258f059e3cc3d6d3cc0c72d103bcff700b2ced3e0cd3c927c8ad35b1
Instruction Fuzzy Hash: 7D21F875A00204BBDF01AB61CC85EFEBB78EF54300F10002BF512972A1EB795D5ADB29

Uniqueness

Uniqueness Score: -1.00%

Function 00469645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00469651
GetClassNameW.USER32(00000000,?,00000100), ref: 00469666
_wcscmp.LIBCMT ref: 00469678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004696F3

Strings

details, xrefs: 004696A1
largeicons, xrefs: 00469687
list, xrefs: 004696D5
smallicons, xrefs: 004696BB
SHELLDLL_DefView, xrefs: 00469672

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 90a579973529a5e0a070fa3ecaf064bd61c7389e4b065f1e337832d9a46891d1
Instruction ID: 3abe1552bf8ae59e16ce4338dddb05d3d961092c1820c61726378fe93c0e7105
Opcode Fuzzy Hash: 90a579973529a5e0a070fa3ecaf064bd61c7389e4b065f1e337832d9a46891d1
Instruction Fuzzy Hash: E711C67B248307BAFA012A21DC0BEAB779C9B19775F20002BF900E50D1FEF96D514A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00474189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0047419D
__swprintf.LIBCMT ref: 004741AA

Part of subcall function 004338D8: __woutput_l.LIBCMT ref: 00433931

FindResourceW.KERNEL32(?,?,0000000E), ref: 004741D4
LoadResource.KERNEL32(?,00000000), ref: 004741E0
LockResource.KERNEL32(00000000), ref: 004741ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0047420D
LoadResource.KERNEL32(?,00000000), ref: 0047421F
SizeofResource.KERNEL32(?,00000000), ref: 0047422E
LockResource.KERNEL32(?), ref: 0047423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0047429B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 2cecafcdc079f5b3a422556bed2f3285c1004e7fac2e69c9500d9c9a7f66e1b1
Instruction ID: ea90146071d01671917a2d5b16ca9d49c30a7deba43baa6dd1584f13c354eadf
Opcode Fuzzy Hash: 2cecafcdc079f5b3a422556bed2f3285c1004e7fac2e69c9500d9c9a7f66e1b1
Instruction Fuzzy Hash: BD31D07160120AABCB119F60EC48EFF7BACEF58341F008577F909D2151E778DA618BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004716DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00471700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00470778,?,00000001), ref: 00471714
GetWindowThreadProcessId.USER32(00000000), ref: 0047171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00470778,?,00000001), ref: 0047172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0047173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00470778,?,00000001), ref: 00471755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00470778,?,00000001), ref: 00471767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00470778,?,00000001), ref: 004717AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00470778,?,00000001), ref: 004717C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00470778,?,00000001), ref: 004717CC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 88cf16644cfc7da06e9e290bc6ed8e08c9069838448f79de801724b9b70d2531
Instruction ID: 3596cf5346e150c9aeab672522d581c7d1b510409cd24da2bf69e4ff24041c76
Opcode Fuzzy Hash: 88cf16644cfc7da06e9e290bc6ed8e08c9069838448f79de801724b9b70d2531
Instruction Fuzzy Hash: 99318F75605304BBEB259F18DC84BAA7BADEB55711F10803BF908D63B0E7789D488B68

Uniqueness

Uniqueness Score: -1.00%

Function 00489428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048947C
VariantInit.OLEAUT32(?), ref: 0048954D
VariantInit.OLEAUT32(?), ref: 0048964E
VariantClear.OLEAUT32(?), ref: 00489658
VariantClear.OLEAUT32(?), ref: 004896B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00489631
Null Object assignment in FOR..IN loop, xrefs: 004894DD, 0048960B, 004896C3
,,J, xrefs: 004894FA

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,J$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2710839379
Opcode ID: 2e02e7654f182fceb13582ece06b518cc3d832f766d97ed2d41bcad7fa4b6542
Instruction ID: d1fe256f6eba703a075b075185564724e2cfee7c229254f6551408696b387e3a
Opcode Fuzzy Hash: 2e02e7654f182fceb13582ece06b518cc3d832f766d97ed2d41bcad7fa4b6542
Instruction Fuzzy Hash: E091C171A00609ABCF24EFA5C844FAFB7B8EF45714F14891AF505AB240E7789D45CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0046A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0046AA64), ref: 0046A9A2

Strings

REGEXPCLASS, xrefs: 0046A767
NAME, xrefs: 0046A7D4
TEXT, xrefs: 0046A8D9
CLASSNN, xrefs: 0046A744
CLASS, xrefs: 0046A721
INSTANCE, xrefs: 0046A8B0

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: d3c74996ee5561ab21480fd1b5204039a43d34149714cca95816762fa8cd0570
Instruction ID: 2e3279ac34da52fd666f919ecd12a1ab51c7d111edd03939698eb51e1f8cad56
Opcode Fuzzy Hash: d3c74996ee5561ab21480fd1b5204039a43d34149714cca95816762fa8cd0570
Instruction Fuzzy Hash: 92918670600906EADB48DF61C441BEAFB75BF04308F50851FD499B7251EB386DAACF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00412E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00412EAE

Part of subcall function 00411DB3: GetClientRect.USER32(?,?), ref: 00411DDC
Part of subcall function 00411DB3: GetWindowRect.USER32(?,?), ref: 00411E1D
Part of subcall function 00411DB3: ScreenToClient.USER32(?,?), ref: 00411E45

GetDC.USER32 ref: 0044CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0044CF95
SelectObject.GDI32(00000000,00000000), ref: 0044CFA3
SelectObject.GDI32(00000000,00000000), ref: 0044CFB8
ReleaseDC.USER32(?,00000000), ref: 0044CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0044D04B

Strings

U, xrefs: 0044CF20

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b016539496628d1930e81559287042632acb11f7b0a0fa641c69708124753b1c
Instruction ID: 7eff1bffa9d37342bd72c00d04890fa5dcbeeb5bb6361b1a8dcf0ae2d16d59d9
Opcode Fuzzy Hash: b016539496628d1930e81559287042632acb11f7b0a0fa641c69708124753b1c
Instruction Fuzzy Hash: E171D230501204DFDF218F64C880AEB7BB6FF49314F18427BED559A2A5C7398C96DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00488F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0049F910), ref: 0048903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0049F910), ref: 00489071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004891EB
SysFreeString.OLEAUT32(?), ref: 00489215

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: b3b0c967d3ddc4c30e77a42425ef849a5bc97ae708d4cea53f3a8554104e844a
Instruction ID: 3fe43bb4d01d2e80cf5d2a60f992e61edd55406d905867d34478e3d0781bd666
Opcode Fuzzy Hash: b3b0c967d3ddc4c30e77a42425ef849a5bc97ae708d4cea53f3a8554104e844a
Instruction Fuzzy Hash: 72F13971A00109EFDB04EF94C888EBEB7B9FF49314F14845AF915AB250DB35AE46CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0048F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0048FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0048FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0048FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0048FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0048FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0048FD90
CloseHandle.KERNEL32(?), ref: 0048FDBF
CloseHandle.KERNEL32(?), ref: 0048FE36

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 8d008b28326577402e65ab4ced6581f2460e398ae66ae2af77c1cd8b8f393075
Instruction ID: 05e77f3895cd9ff413ea5dab7292154cceefc541d44f09a9e8d29b5a5b240484
Opcode Fuzzy Hash: 8d008b28326577402e65ab4ced6581f2460e398ae66ae2af77c1cd8b8f393075
Instruction Fuzzy Hash: A6E1A3312042019FC714EF25C491B6FBBE1AF84314F14896EF8999B3A2DB39DC49CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00474F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004738D3,?), ref: 004748C7

Part of subcall function 004748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004738D3,?), ref: 004748E0

Part of subcall function 00474CD3: GetFileAttributesW.KERNEL32(?,00473947), ref: 00474CD4

lstrcmpiW.KERNEL32(?,?), ref: 00474FE2
_wcscmp.LIBCMT ref: 00474FFC
MoveFileW.KERNEL32(?,?), ref: 00475017

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 115d4ba879da982d1ce5c3e9a9d091715eb20912055ed1ff2fdcb285f4b52003
Instruction ID: 13ea8127f119594130f1ff96728dc0579c40ddbd425e1ac69ccbafe5e9f5b866
Opcode Fuzzy Hash: 115d4ba879da982d1ce5c3e9a9d091715eb20912055ed1ff2fdcb285f4b52003
Instruction Fuzzy Hash: CC5174B25087859BC724EB60D8819DFB3ECAF85345F00492FF189D7151EF78A28C876A

Uniqueness

Uniqueness Score: -1.00%

Function 004988B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0049896E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6e4576b991852342b527a5e389eea0ff5af06d165920ef773d175d0ec60738e4
Instruction ID: 9f290c6b70ab4a13b4e71763c4bb67cb89f3bee20284f0d1c179484425f17f7c
Opcode Fuzzy Hash: 6e4576b991852342b527a5e389eea0ff5af06d165920ef773d175d0ec60738e4
Instruction Fuzzy Hash: 0951A370600208BEDF20DF2DCC85BAA3F65BB06354F50413BF515E62A1CF79A9908B59

Uniqueness

Uniqueness Score: -1.00%

Function 00412B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0044C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0044C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0044C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0044C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0044C5C0
DestroyIcon.USER32(00000000), ref: 0044C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0044C5EC
DestroyIcon.USER32(?), ref: 0044C5FB

Part of subcall function 0049A71E: DeleteObject.GDI32(00000000), ref: 0049A757

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: e2d34531a34233e1cd47111accb11f06316b27ad4b4e916d720ae6ef9c58281a
Instruction ID: 5342eba04f89f2a7eb58c046fdd78857ddd49d2db8b3b8b61fea3b4018868a4f
Opcode Fuzzy Hash: e2d34531a34233e1cd47111accb11f06316b27ad4b4e916d720ae6ef9c58281a
Instruction Fuzzy Hash: 62518B74601209AFEB20DF25CD85FAA37F5EB54311F10452AF902D72A0DBB8EDA1DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00468E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00468A84,00000B00,?,?), ref: 00468E0C
HeapAlloc.KERNEL32(00000000,?,00468A84,00000B00,?,?), ref: 00468E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00468A84,00000B00,?,?), ref: 00468E28
GetCurrentProcess.KERNEL32(?,00000000,?,00468A84,00000B00,?,?), ref: 00468E30
DuplicateHandle.KERNEL32(00000000,?,00468A84,00000B00,?,?), ref: 00468E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00468A84,00000B00,?,?), ref: 00468E43
GetCurrentProcess.KERNEL32(00468A84,00000000,?,00468A84,00000B00,?,?), ref: 00468E4B
DuplicateHandle.KERNEL32(00000000,?,00468A84,00000B00,?,?), ref: 00468E4E
CreateThread.KERNEL32(00000000,00000000,00468E74,00000000,00000000,00000000), ref: 00468E68

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b8b77cc81edd786100c9ad7836c21a2f3bbf749871a291d21a7c40ddb4ec0081
Instruction ID: d2edd81a95df6a45e01da41e80c3d1ba83824bfb1fb4ce5600b9c9b174f87e52
Opcode Fuzzy Hash: b8b77cc81edd786100c9ad7836c21a2f3bbf749871a291d21a7c40ddb4ec0081
Instruction Fuzzy Hash: CA01A8B5240308FFE610ABA5DC4AF6B3BACEB99711F104432FA05DB1A1CA759C04CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00489A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00467652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?,?,0046799D), ref: 0046766F
Part of subcall function 00467652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?), ref: 0046768A
Part of subcall function 00467652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?), ref: 00467698
Part of subcall function 00467652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?), ref: 004676A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00489B1B
_memset.LIBCMT ref: 00489B28
_memset.LIBCMT ref: 00489C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00489C97
CoTaskMemFree.OLE32(?), ref: 00489CA2

Strings

NULL Pointer assignment, xrefs: 00489CF0

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 716faf5048dfdd27abddc06c40fce7dc1e3454bbd92a0da5b5358be52a73cda9
Instruction ID: a5244f1382cbdec21377c5364a351cb57c3e8595f2a0eb7b1541c244ef83dabc
Opcode Fuzzy Hash: 716faf5048dfdd27abddc06c40fce7dc1e3454bbd92a0da5b5358be52a73cda9
Instruction Fuzzy Hash: 14915A71D00219EBDB10EFA5DC80AEEBBB9BF08314F20412AF519A7281DB755A44CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00496FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00497093
SendMessageW.USER32(?,00001036,00000000,?), ref: 004970A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004970C1
_wcscat.LIBCMT ref: 0049711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00497133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00497161

Strings

SysListView32, xrefs: 00497065

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 8378f03f5bd62b282f8895ebc13c1cf801619476d8b8c7c0caa624c3ffa2e794
Instruction ID: 2849e2fe50287bf9e6821b862a6c4474bcd316363b849824308ac7c7b9843f1d
Opcode Fuzzy Hash: 8378f03f5bd62b282f8895ebc13c1cf801619476d8b8c7c0caa624c3ffa2e794
Instruction Fuzzy Hash: 7C419371A14308ABDF219F64CC85BEF7BA8EF08354F10043BF544E7292D6799D858B68

Uniqueness

Uniqueness Score: -1.00%

Function 0048EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00473E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00473EB6
Part of subcall function 00473E91: Process32FirstW.KERNEL32(00000000,?), ref: 00473EC4
Part of subcall function 00473E91: CloseHandle.KERNEL32(00000000), ref: 00473F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0048ECB8
GetLastError.KERNEL32 ref: 0048ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0048ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0048ED77
GetLastError.KERNEL32(00000000), ref: 0048ED82
CloseHandle.KERNEL32(00000000), ref: 0048EDB7

Strings

SeDebugPrivilege, xrefs: 0048ECD6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cf7e3ca7257079a0de5d34a047b961bfb61b116ccc8010564638351ea56c5a4f
Instruction ID: 2944f71c3c111393587dd83a38be01d02568319c4d3b2521d0ed922814fd9f08
Opcode Fuzzy Hash: cf7e3ca7257079a0de5d34a047b961bfb61b116ccc8010564638351ea56c5a4f
Instruction Fuzzy Hash: EA4180713002019FD714EF15CC95F6EB7A5AF44718F18846EF8469B2C2DB79AC48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00473226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004732C5

Strings

info, xrefs: 00473266
question, xrefs: 0047327E
warning, xrefs: 004732AE
stop, xrefs: 00473296
blank, xrefs: 00473247

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: cdafd3a18770606b5ca4377e17e04f2ed6a3be232b453c257c0216baf2545866
Instruction ID: fe26f6564cf8adbfba64638c8da55dab1408ed175c5d441cb1eb76d8fc1bf8f6
Opcode Fuzzy Hash: cdafd3a18770606b5ca4377e17e04f2ed6a3be232b453c257c0216baf2545866
Instruction Fuzzy Hash: 9D118B35248356BA9B005E51DC42EEFB39CDF1973AF2040AFF508A6283D67D5B0016AE

Uniqueness

Uniqueness Score: -1.00%

Function 00474534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0047454E
LoadStringW.USER32(00000000), ref: 00474555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0047456B
LoadStringW.USER32(00000000), ref: 00474572
_wprintf.LIBCMT ref: 00474598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004745B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00474593

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: ca7299c03043b36b66d9412bbb7b90fa49e4ecde260ad7e4f390a2dd398b9fff
Instruction ID: 99dc4972c3af727da81f4016ab94b83ec3544a4e86491c56b03b543f6045e6bd
Opcode Fuzzy Hash: ca7299c03043b36b66d9412bbb7b90fa49e4ecde260ad7e4f390a2dd398b9fff
Instruction Fuzzy Hash: DC014FF6900208BFE750ABA19D89EF7776CD718301F0045B7BB49E2051EA749E898B79

Uniqueness

Uniqueness Score: -1.00%

Function 0049D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

GetSystemMetrics.USER32(0000000F), ref: 0049D78A
GetSystemMetrics.USER32(0000000F), ref: 0049D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0049D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0049DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0049DA24
ShowWindow.USER32(00000003,00000000), ref: 0049DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0049DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0049DA8B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 649372d9bad0919cad74b2b55b4a96e7c1bf4cb941659f29b1c8918f18631c86
Instruction ID: 1dc38c1cbaba762ae8215c061d347c8dc186fef413fe4dae832478eb6ffbcc5b
Opcode Fuzzy Hash: 649372d9bad0919cad74b2b55b4a96e7c1bf4cb941659f29b1c8918f18631c86
Instruction Fuzzy Hash: 70B19A71A00215EFDF14DF69C9C57AE7BB1BF48700F08807AEC499B295D738A960CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0044C417,00000004,00000000,00000000,00000000), ref: 00412ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0044C417,00000004,00000000,00000000,00000000,000000FF), ref: 00412B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0044C417,00000004,00000000,00000000,00000000), ref: 0044C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0044C417,00000004,00000000,00000000,00000000), ref: 0044C4D6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 15f6601073c2bfc483b7dba7a5a8b65a495a5b817f5602f0186ee576cb33b51a
Instruction ID: fe480b3fa0354d41c102eb916878ea9c740acb05874934198fc857d25882be63
Opcode Fuzzy Hash: 15f6601073c2bfc483b7dba7a5a8b65a495a5b817f5602f0186ee576cb33b51a
Instruction Fuzzy Hash: 04412D313096809ADB758B288FD87FB3B91AF55340F18842FE047C6660D6BDA8D6D71D

Uniqueness

Uniqueness Score: -1.00%

Function 00477368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0047737F

Part of subcall function 00430FF6: std::exception::exception.LIBCMT ref: 0043102C
Part of subcall function 00430FF6: __CxxThrowException@8.LIBCMT ref: 00431041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004773B6
EnterCriticalSection.KERNEL32(?), ref: 004773D2
_memmove.LIBCMT ref: 00477420
_memmove.LIBCMT ref: 0047743D
LeaveCriticalSection.KERNEL32(?), ref: 0047744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00477461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00477480

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 9ee8f50038cec98d896a87e546157dac1153323a215076c111565fbe865d8f76
Instruction ID: 9a8daa5353b8a860ffb77aa6cd870bde0594818486976bfadd15fe563a6457c1
Opcode Fuzzy Hash: 9ee8f50038cec98d896a87e546157dac1153323a215076c111565fbe865d8f76
Instruction Fuzzy Hash: 68319E31904205EBDF10DF65DD85AAF7BB8EF48310F1481BAF904EB256DB349A14CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00496442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0049645A
GetDC.USER32(00000000), ref: 00496462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0049646D
ReleaseDC.USER32(00000000,00000000), ref: 00496479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004964B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004964C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00499299,?,?,000000FF,00000000,?,000000FF,?), ref: 00496500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00496520

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 510ada94a4f233bcbcc96ab8493c6e7ac157dc3bca911e826ee5e71b887bd21d
Instruction ID: b50c84a7d5405390fede4a3750011ea9b7c0528f4fb9aae9bbbcb12e4f033450
Opcode Fuzzy Hash: 510ada94a4f233bcbcc96ab8493c6e7ac157dc3bca911e826ee5e71b887bd21d
Instruction Fuzzy Hash: BE316972201210BBEF108F509C8AFEB3FA9EB19765F050076FE08DA295D6759C51CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0046C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0046C087
_memcmp.LIBCMT ref: 0046C0A9
_memcmp.LIBCMT ref: 0046C0C1
_memcmp.LIBCMT ref: 0046C0D4
_memcmp.LIBCMT ref: 0046C0EE
_memcmp.LIBCMT ref: 0046C101
_memcmp.LIBCMT ref: 0046C119
_memcmp.LIBCMT ref: 0046C134

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 03b910f84648e88ce810891820f4c9e8a78debcdd4029e56530d2b9cd9ec9a33
Instruction ID: e2a88a1cda9384126c98190e7162cf6357c68ebb6c8dbaa44780eab2e1d6b24d
Opcode Fuzzy Hash: 03b910f84648e88ce810891820f4c9e8a78debcdd4029e56530d2b9cd9ec9a33
Instruction Fuzzy Hash: D021C561600205B7D210A5668D83FBB339CAF263A8F140027FE4696393F75DDD1195EF

Uniqueness

Uniqueness Score: -1.00%

Function 0047ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

Part of subcall function 0042FEC6: _wcscpy.LIBCMT ref: 0042FEE9

_wcstok.LIBCMT ref: 0047EEFF
_wcscpy.LIBCMT ref: 0047EF8E
_memset.LIBCMT ref: 0047EFC1

Strings

X, xrefs: 0047EFFE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ee9d6b69b0ed3572532f24307ceb7c0f80b5a36d4bb0613a99e0c577c6167211
Instruction ID: 1608b6df078441a7b699d807bc06afb893425fc65e5310f0a03cad34e4edbaad
Opcode Fuzzy Hash: ee9d6b69b0ed3572532f24307ceb7c0f80b5a36d4bb0613a99e0c577c6167211
Instruction Fuzzy Hash: 1AC160715083409FC714EF25C895A9AB7E4FF85314F00896EF899973A2DB38ED45CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00486E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00486F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00486F35
WSAGetLastError.WSOCK32(00000000), ref: 00486F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00486FFE
inet_ntoa.WSOCK32(?), ref: 00486FBB

Part of subcall function 0046AE14: _strlen.LIBCMT ref: 0046AE1E
Part of subcall function 0046AE14: _memmove.LIBCMT ref: 0046AE40

_strlen.LIBCMT ref: 00487058
_memmove.LIBCMT ref: 004870C1

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 9606f83491d16eadb0eb521f515659fc99e6559f39d1543727655e67a05009ed
Instruction ID: b4118651307d39954aa520b3315da0e5a466a82b5491f491b6bc53acca0abc50
Opcode Fuzzy Hash: 9606f83491d16eadb0eb521f515659fc99e6559f39d1543727655e67a05009ed
Instruction Fuzzy Hash: 0B812171508300ABC710EF25CC91FAFB7A9AF84718F10492EF5459B2A2DB78ED44C79A

Uniqueness

Uniqueness Score: -1.00%

Function 00411424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa413728de6566d1f44b67b22acb45f4f1a1fc3c6bd5802a7455cad0268677c
Instruction ID: 5999d5288811c4a8dbddc0864ca9217c34e4df62d003abcae0c4ad904a14bca8
Opcode Fuzzy Hash: cfa413728de6566d1f44b67b22acb45f4f1a1fc3c6bd5802a7455cad0268677c
Instruction Fuzzy Hash: 81716E70900109EFDB04CF59CC45AFFBB79FF85314F14815AFA15AA261C738AA51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0049B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F363B0), ref: 0049B6A5
IsWindowEnabled.USER32(00F363B0), ref: 0049B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0049B795
SendMessageW.USER32(00F363B0,000000B0,?,?), ref: 0049B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0049B809
GetWindowLongW.USER32(00F363B0,000000EC), ref: 0049B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0049B843

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 8f75ed33aa7967ecfe237d8ea009bd37bb496b78165296bd174d392b428b7f5d
Instruction ID: ec799f6aedd24d886a7e637fcc8c6f24e094b12d819fd533e8548e5d940a72c6
Opcode Fuzzy Hash: 8f75ed33aa7967ecfe237d8ea009bd37bb496b78165296bd174d392b428b7f5d
Instruction Fuzzy Hash: EB71AE34600204AFDF209FA4DAD4FAA7FB9EB89300F0541BBE94597361C739AD51CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0048F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048F75C
_memset.LIBCMT ref: 0048F825
ShellExecuteExW.SHELL32(?), ref: 0048F86A

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

Part of subcall function 0042FEC6: _wcscpy.LIBCMT ref: 0042FEE9

GetProcessId.KERNEL32(00000000), ref: 0048F8E1
CloseHandle.KERNEL32(00000000), ref: 0048F910

Strings

@, xrefs: 0048F839

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: b2830a15a615976ce4c7e12e81a5f7658356bce67944f98b3b60dc9705e8699a
Instruction ID: b7656f2ff3237bd96d7530bf1fa7cb13e6b91e3e809a6af26c91efe24e18cdbc
Opcode Fuzzy Hash: b2830a15a615976ce4c7e12e81a5f7658356bce67944f98b3b60dc9705e8699a
Instruction Fuzzy Hash: 0E61C0B4A00619DFCB04EF55C580AAEBBF1FF48314F10846EE845AB351DB38AD84CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0047145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047149C
GetKeyboardState.USER32(?), ref: 004714B1
SetKeyboardState.USER32(?), ref: 00471512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00471540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0047155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 004715A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004715C8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0a5e53be5c704dd91dce77eefbcaa353ac27de053500be04abb9f637e6223549
Instruction ID: aa6d4c00589b62bff08b470aaf2de6eaa9922ef5712ed75936bf3ec6ffda6829
Opcode Fuzzy Hash: 0a5e53be5c704dd91dce77eefbcaa353ac27de053500be04abb9f637e6223549
Instruction Fuzzy Hash: BF51D2A06047D53EFB3A46388C45BFB7EA95B46304F08C48BE5D9599E2C29CEC88D758

Uniqueness

Uniqueness Score: -1.00%

Function 00471276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004712B5
GetKeyboardState.USER32(?), ref: 004712CA
SetKeyboardState.USER32(?), ref: 0047132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00471357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00471374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004713B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004713D9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4907d6895e661b30eb5405eaf9a07ca74a1b0de9fcc4fb059414122f0b088c1d
Instruction ID: c645c442d588698de3dc43a37accfe5418c0946b31e28ed0eec0d15606f1562f
Opcode Fuzzy Hash: 4907d6895e661b30eb5405eaf9a07ca74a1b0de9fcc4fb059414122f0b088c1d
Instruction Fuzzy Hash: A551E3A05046D53DFB3682298C45BFB7FA95B06304F08C48BE5DC9A9E2D398EC98D758

Uniqueness

Uniqueness Score: -1.00%

Function 0047589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004758AC
_wcsncpy.LIBCMT ref: 004758E1
_wcsncpy.LIBCMT ref: 00475913
_wcsncpy.LIBCMT ref: 00475946
_wcsncpy.LIBCMT ref: 00475988
_wcsncpy.LIBCMT ref: 004759C2
_wcsncpy.LIBCMT ref: 004759F1

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 6fc6f01f2258a1d0943ff03906f75a3461da65f187dc80374be66fa17b98bb84
Instruction ID: 93f5a9a64262e97d5f2009bc9f2782ad7edbf0be3e124d15608a8abbb4826265
Opcode Fuzzy Hash: 6fc6f01f2258a1d0943ff03906f75a3461da65f187dc80374be66fa17b98bb84
Instruction Fuzzy Hash: A941A2A5C20128B6CB10FBB588879CF73A89F09710F50946BF618E3121E778E754C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0046DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0046DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0046DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0046DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0046DB8E

Strings

DllGetClassObject, xrefs: 0046DB01
,,J, xrefs: 0046DA69

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,J$DllGetClassObject
API String ID: 753597075-3339271131
Opcode ID: 89107543b24a0b167211d85f9eea60e0652d86cd1326b459d5ff7ce3bbbc9cd5
Instruction ID: 2317e424656818fc6051b7b0a57ba9be67009307635d2e0a63872485c0e6ba12
Opcode Fuzzy Hash: 89107543b24a0b167211d85f9eea60e0652d86cd1326b459d5ff7ce3bbbc9cd5
Instruction Fuzzy Hash: 4D419271E00208DFDB14CF55C884A9A7BA9EF44710F1180AFE9059F20AE7B5ED44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004738AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004738D3,?), ref: 004748C7

Part of subcall function 004748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004738D3,?), ref: 004748E0

lstrcmpiW.KERNEL32(?,?), ref: 004738F3
_wcscmp.LIBCMT ref: 0047390F
MoveFileW.KERNEL32(?,?), ref: 00473927
_wcscat.LIBCMT ref: 0047396F
SHFileOperationW.SHELL32(?), ref: 004739DB

Strings

\*.*, xrefs: 00473969

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 7209381908430b446b104f07a07fbe56f8c22ed82c27dd8f18b363386e82da29
Instruction ID: be723e9d791bf348ebd02e97a688539368373c20ffff630fe61488f31e6cf6e2
Opcode Fuzzy Hash: 7209381908430b446b104f07a07fbe56f8c22ed82c27dd8f18b363386e82da29
Instruction Fuzzy Hash: 2B4193B25083449EC751EF65C841AEFB7E8AF88345F00492FB58DC3261EB78D689C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00497500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00497519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004975C0
IsMenu.USER32(?), ref: 004975D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00497620
DrawMenuBar.USER32 ref: 00497633

Strings

0, xrefs: 0049750D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 470cd462c311e531765ae8f1592f072e43b80a2ffc96550b9f4024ea9339686d
Instruction ID: 541f077ea0420a409fc71512d5b0378ca1e0e3f2510b555c6ced6416f3e552a6
Opcode Fuzzy Hash: 470cd462c311e531765ae8f1592f072e43b80a2ffc96550b9f4024ea9339686d
Instruction Fuzzy Hash: D1412375A15608EFDF20EF58D884A9ABBB8FB08324F05803AE91597390D734AD55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0049122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0049125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00491286
FreeLibrary.KERNEL32(00000000), ref: 0049133D

Part of subcall function 0049122D: RegCloseKey.ADVAPI32(?), ref: 004912A3
Part of subcall function 0049122D: FreeLibrary.KERNEL32(?), ref: 004912F5
Part of subcall function 0049122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00491318

RegDeleteKeyW.ADVAPI32(?,?), ref: 004912E0

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 7059e5fad9d1789f5c7672db81067bb17f485f33102c0429b02e1e68a7bcf8cd
Instruction ID: a7c7c16cc75466ee2feda16d102996dd15e3f27eb6c498e88335d64017f85959
Opcode Fuzzy Hash: 7059e5fad9d1789f5c7672db81067bb17f485f33102c0429b02e1e68a7bcf8cd
Instruction Fuzzy Hash: F7310E71A0111ABFEF159F90DC89EFFBBBCEB08304F00057BE911E2651D6745E499AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0049653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0049655B
GetWindowLongW.USER32(00F363B0,000000F0), ref: 0049658E
GetWindowLongW.USER32(00F363B0,000000F0), ref: 004965C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004965F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0049661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00496630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0049664A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fe6b0c0f56dabaecdb24daccda831c5a0f1d7df8a764c3e72a59d8b554666853
Instruction ID: 5dc001b9b6a352fee7c01f7da695dd8587a0b6144d9c4eedc16aebb1033c2000
Opcode Fuzzy Hash: fe6b0c0f56dabaecdb24daccda831c5a0f1d7df8a764c3e72a59d8b554666853
Instruction Fuzzy Hash: 7A310330605210AFDF209F18EC84F563BE1FB5A364F1A017AF501CB2B9CB65AC44DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00486486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004880CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004864D9
WSAGetLastError.WSOCK32(00000000), ref: 004864E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00486521
connect.WSOCK32(00000000,?,00000010), ref: 0048652A
WSAGetLastError.WSOCK32 ref: 00486534
closesocket.WSOCK32(00000000), ref: 0048655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00486576

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 61b4c1e8e98157a7369092b864b706277c42f70b56b03566db62d93e291b075d
Instruction ID: 59f01e0b3411cbf2dc4136d2921aad67f9115e7afd511cf3df4f40d07a088150
Opcode Fuzzy Hash: 61b4c1e8e98157a7369092b864b706277c42f70b56b03566db62d93e291b075d
Instruction Fuzzy Hash: 0C31E131600118ABDB10AF64DC85BBE7BA9EB44754F05443EFD05D7380DB78AC48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0046E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0046E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0046E120
SysAllocString.OLEAUT32(00000000), ref: 0046E123
SysAllocString.OLEAUT32 ref: 0046E144
SysFreeString.OLEAUT32 ref: 0046E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0046E167
SysAllocString.OLEAUT32(?), ref: 0046E175

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9bd4a97aa67f6f826918e3b22a8a625f4eb29f80d86bb417e9b9218e53190f4c
Instruction ID: 31461e15323ad26066192f8db19c30f67ef548e638463dc07b9a3d48ec3d9c74
Opcode Fuzzy Hash: 9bd4a97aa67f6f826918e3b22a8a625f4eb29f80d86bb417e9b9218e53190f4c
Instruction Fuzzy Hash: 95219835604118AFDF109FA9DC88CAB77ECEB19760B108137F915CB260EA74DC45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0049783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00411D73
Part of subcall function 00411D35: GetStockObject.GDI32(00000011), ref: 00411D87
Part of subcall function 00411D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00411D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004978A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004978AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004978B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004978C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004978D4

Strings

Msctls_Progress32, xrefs: 00497872

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 88bb01c8b699228b569be2826282cd86eba20949eda9255c3f693ef700a59b32
Instruction ID: c28e006edba9deea120e49c745b80e2d9ecbcd942afd2d38a16d86033172dbb8
Opcode Fuzzy Hash: 88bb01c8b699228b569be2826282cd86eba20949eda9255c3f693ef700a59b32
Instruction Fuzzy Hash: 1F11B6B1110219BFEF159F60CC85EE77F5DEF08758F014125FA04A2090C7759C21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004341C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00434292,?), ref: 004341E3
GetProcAddress.KERNEL32(00000000), ref: 004341EA
EncodePointer.KERNEL32(00000000), ref: 004341F6
DecodePointer.KERNEL32(00000001,00434292,?), ref: 00434213

Strings

combase.dll, xrefs: 004341DE
RoInitialize, xrefs: 004341D2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 26f1702482be7595815b2392827d1e91c8f499ef9be405b34d394ffb0485c427
Instruction ID: 74790bdfd481f1a1c6f3f034e1768b7caf5c25702cae13946a5579382181a3f2
Opcode Fuzzy Hash: 26f1702482be7595815b2392827d1e91c8f499ef9be405b34d394ffb0485c427
Instruction Fuzzy Hash: 23E01AB0691300AFEB205BB4EC0DB493BA4B7B5706F604437B811E51A0DBF954999F0C

Uniqueness

Uniqueness Score: -1.00%

Function 0043429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004341B8), ref: 004342B8
GetProcAddress.KERNEL32(00000000), ref: 004342BF
EncodePointer.KERNEL32(00000000), ref: 004342CA
DecodePointer.KERNEL32(004341B8), ref: 004342E5

Strings

RoUninitialize, xrefs: 004342A7
combase.dll, xrefs: 004342B3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 38057efa62d245b2ae13955af0c2d300135bfb4a60db2454e07a4ae053b96712
Instruction ID: 8f2ad9e780d1160a32c723bb7dc26ed56113a7fd5ea30c32549c7eed3fe68dfd
Opcode Fuzzy Hash: 38057efa62d245b2ae13955af0c2d300135bfb4a60db2454e07a4ae053b96712
Instruction Fuzzy Hash: 9DE0B678582311ABEB109B64ED0DB4A3BA4B7B5782F204077F411F11E0CFB99688DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 0047675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004768AD
_memmove.LIBCMT ref: 004767E8

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

_memmove.LIBCMT ref: 0047685B
_memmove.LIBCMT ref: 00476942
_memmove.LIBCMT ref: 0047695B
_memmove.LIBCMT ref: 00476977

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
Instruction ID: 565432db713fb915ab068029b22bd64f4afc7e746ca0839d87ea66c52bb62668
Opcode Fuzzy Hash: 93b3fe1bf09b770244ec23dce923942e0d514e4956ba1ddd2cbb217d59e0d148
Instruction Fuzzy Hash: A361DE7050065A9BCF15EF22CC91EFE37A5AF0830CF05851EF9596B292DB38AC41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0049046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 004910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00490038,?,?), ref: 004910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00490548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00490588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 004905AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004905D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00490617
RegCloseKey.ADVAPI32(00000000), ref: 00490624

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 852821f9e263cd01c26d13238c04a58e56a206c97a434a5bd5b22bcfaadc413d
Instruction ID: eb0cdecb5364e88bdc657329391743d379fe267b9264bdcb8201567bf590f0fa
Opcode Fuzzy Hash: 852821f9e263cd01c26d13238c04a58e56a206c97a434a5bd5b22bcfaadc413d
Instruction Fuzzy Hash: E3516B31208200AFCB14EF55C885EAFBBE9FF88718F04492EF455872A1DB35E945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00495A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00495A82
GetMenuItemCount.USER32(00000000), ref: 00495AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00495AE1
GetMenuItemID.USER32(?,?), ref: 00495B50
GetSubMenu.USER32(?,?), ref: 00495B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00495BAF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: b7a19b8b7d47fc40f3923a74c88488a40c9244af5f1ee579e06914f7b44272ba
Instruction ID: 26f94c3318049a32012b5e97cf05fbbee9611e73c3e38181d66ec879b0ba8ba3
Opcode Fuzzy Hash: b7a19b8b7d47fc40f3923a74c88488a40c9244af5f1ee579e06914f7b44272ba
Instruction Fuzzy Hash: 8451A231A00615EFCF15EFA5C845AAEBBB4EF48314F20406BE915B7351CB78BE418B99

Uniqueness

Uniqueness Score: -1.00%

Function 0046F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0046F3F7
VariantClear.OLEAUT32(00000013), ref: 0046F469
VariantClear.OLEAUT32(00000000), ref: 0046F4C4
_memmove.LIBCMT ref: 0046F4EE
VariantClear.OLEAUT32(?), ref: 0046F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0046F569

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 28d98e0e8f6c3c70b8b1b442e218d81ef6483ce9489c4afa0ce3946068bd425f
Instruction ID: 9c9a49d7a24b004877caa8e475b68d6fa04ed62087f36ef2f790163f0d2eba27
Opcode Fuzzy Hash: 28d98e0e8f6c3c70b8b1b442e218d81ef6483ce9489c4afa0ce3946068bd425f
Instruction Fuzzy Hash: EF517AB5A00209EFCB10CF58D880AAAB7B8FF5C314B15816AE959DB301E734E915CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004726F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00472747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00472792
IsMenu.USER32(00000000), ref: 004727B2
CreatePopupMenu.USER32 ref: 004727E6
GetMenuItemCount.USER32(000000FF), ref: 00472844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00472875

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 2922c3dad28425be33e9227011d13051a3ae9f53bd1644456607cd56aca11154
Instruction ID: 43f5bf9e4f5908bd554e6d742d6f783f700473ac0dd3bab6c7b94b19c623a7e2
Opcode Fuzzy Hash: 2922c3dad28425be33e9227011d13051a3ae9f53bd1644456607cd56aca11154
Instruction Fuzzy Hash: 6051C470900205EFDF24DF65CA84BEEBBF4EF04314F11866BE41997291D7B98A05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00411765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0041179A
GetWindowRect.USER32(?,?), ref: 004117FE
ScreenToClient.USER32(?,?), ref: 0041181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0041182C
EndPaint.USER32(?,?), ref: 00411876

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7707e09d00d7325d45c7bc6166d12a57bd407159d33aea16ca6a84759db89916
Instruction ID: c732ff550e8dcf30465f3d0c44e696fe4c2e987b8320bb1ceb042ef2f163dbbc
Opcode Fuzzy Hash: 7707e09d00d7325d45c7bc6166d12a57bd407159d33aea16ca6a84759db89916
Instruction Fuzzy Hash: 814190701053019FD710EF25C884BB67BE8EB59724F14463AF694862B1C7349C85DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0049B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004D67B0,00000000,00F363B0,?,?,004D67B0,?,0049B862,?,?), ref: 0049B9CC
EnableWindow.USER32(00000000,00000000), ref: 0049B9F0
ShowWindow.USER32(004D67B0,00000000,00F363B0,?,?,004D67B0,?,0049B862,?,?), ref: 0049BA50
ShowWindow.USER32(00000000,00000004,?,0049B862,?,?), ref: 0049BA62
EnableWindow.USER32(00000000,00000001), ref: 0049BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0049BAA9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8c2dc20f0e05a0a925eb554832272bb93224912a6dadcaecb2dd373924e2053f
Instruction ID: c2fbaeb484ab26ea3e261bc1b323c1fc79106eefaa9b4258b609c22094700868
Opcode Fuzzy Hash: 8c2dc20f0e05a0a925eb554832272bb93224912a6dadcaecb2dd373924e2053f
Instruction Fuzzy Hash: 0A415170600241AFDF21CF54E589B967FE0FB05314F1841BAEA488F3A2C739AC45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004873B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00485134,?,?,00000000,00000001), ref: 004873BF

Part of subcall function 00483C94: GetWindowRect.USER32(?,?), ref: 00483CA7

GetDesktopWindow.USER32 ref: 004873E9
GetWindowRect.USER32(00000000), ref: 004873F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00487422

Part of subcall function 004754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0047555E

GetCursorPos.USER32(?), ref: 0048744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004874AC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: cb8b568fa7520d56e49d46313c3da0bfc5718d67cc31af2cb9278fc2ac49255f
Instruction ID: 90fe4211358e4e82d9a5c1cdb14c088b50ca00052c77735e5953d3c79346863e
Opcode Fuzzy Hash: cb8b568fa7520d56e49d46313c3da0bfc5718d67cc31af2cb9278fc2ac49255f
Instruction Fuzzy Hash: A731F232508305ABC720EF14D849F9FBBA9FF98714F10092AF488D7191C774E909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00468D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00468608
Part of subcall function 004685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00468612
Part of subcall function 004685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00468621
Part of subcall function 004685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00468628
Part of subcall function 004685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0046863E

GetLengthSid.ADVAPI32(?,00000000,00468977), ref: 00468DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00468DB8
HeapAlloc.KERNEL32(00000000), ref: 00468DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00468DD8
GetProcessHeap.KERNEL32(00000000,00000000,00468977), ref: 00468DEC
HeapFree.KERNEL32(00000000), ref: 00468DF3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b083e72da948844ca2c48cc545f8e5d3c4c5c1a58cb1a2d2c18f08e70d3ccf8f
Instruction ID: 097e32ceef8bef643700ee5ecd2a7fb1ae3d38683988f05d8c5349164efb7cf9
Opcode Fuzzy Hash: b083e72da948844ca2c48cc545f8e5d3c4c5c1a58cb1a2d2c18f08e70d3ccf8f
Instruction Fuzzy Hash: 43119D71500605FBDB109F64CC09BAF7769EB55315F10423EE845D7251EB399904CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00468AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00468B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00468B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00468B40
CloseHandle.KERNEL32(00000004), ref: 00468B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00468B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00468B8E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 155da4f7230fbadd0db4f45eadf3398ee0b45bd601db2efef3300588d37bc09e
Instruction ID: a58712517f7ac45ac3cf76fb598c5fd25325409ba98c629a39eac2b61a10f461
Opcode Fuzzy Hash: 155da4f7230fbadd0db4f45eadf3398ee0b45bd601db2efef3300588d37bc09e
Instruction Fuzzy Hash: 231159B250020DABDF118FA4ED49FDA7BA9EF08704F04417AFE04A2160D776AD64AB65

Uniqueness

Uniqueness Score: -1.00%

Function 0049C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0041134D
Part of subcall function 004112F3: SelectObject.GDI32(?,00000000), ref: 0041135C
Part of subcall function 004112F3: BeginPath.GDI32(?), ref: 00411373
Part of subcall function 004112F3: SelectObject.GDI32(?,00000000), ref: 0041139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0049C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0049C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0049C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0049C1F6
EndPath.GDI32(00000000), ref: 0049C206
StrokePath.GDI32(00000000), ref: 0049C216

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 20161f37a271abc5da61122a67cabd63ffffc8dfc1692d606054e196ebd177e5
Instruction ID: 2356f0b1503965a3c0330df7b855391a876e3733934599646810e42de13d30b4
Opcode Fuzzy Hash: 20161f37a271abc5da61122a67cabd63ffffc8dfc1692d606054e196ebd177e5
Instruction Fuzzy Hash: BA115B7640010CBFDF01AF90DC88EEA3FACEB08354F048072BA088A171C7719D58DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004303A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 004303D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 004303DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004303E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004303F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004303F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00430401

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 727043a5049d22dc29090e4358cfeb45c6219871a65800f10304818ba54e4d06
Instruction ID: e37766de72d257028e3a22f0fc75118e1aa450ffe0dc479f3c53d8af01350063
Opcode Fuzzy Hash: 727043a5049d22dc29090e4358cfeb45c6219871a65800f10304818ba54e4d06
Instruction Fuzzy Hash: D50148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15887941C7B5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0047568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0047569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004756B1
GetWindowThreadProcessId.USER32(?,?), ref: 004756C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004756CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004756D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004756E0

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 09a6661674dc1540fbb52b0a13637ba2d6b9dad0e9568c541e79c57ae210fb2a
Instruction ID: a79f05b52ada4fbb4da1e4a41e446de5c31666b3ef09c67503273e40d8007f7a
Opcode Fuzzy Hash: 09a6661674dc1540fbb52b0a13637ba2d6b9dad0e9568c541e79c57ae210fb2a
Instruction Fuzzy Hash: B9F03032241658BBE7215BA2DC0EEEF7B7CEFD6B11F00017AFA04D1050DBA51E0686B9

Uniqueness

Uniqueness Score: -1.00%

Function 004774D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 004774E5
EnterCriticalSection.KERNEL32(?,?,00421044,?,?), ref: 004774F6
TerminateThread.KERNEL32(00000000,000001F6,?,00421044,?,?), ref: 00477503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00421044,?,?), ref: 00477510

Part of subcall function 00476ED7: CloseHandle.KERNEL32(00000000,?,0047751D,?,00421044,?,?), ref: 00476EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00477523
LeaveCriticalSection.KERNEL32(?,?,00421044,?,?), ref: 0047752A

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7f2d5fb4b0c299493a674c35645885fccf46f904dfce5fb09907fb897d3f594a
Instruction ID: 84bf9d82ae7516e81cf30d883baf8a0684eea1096f15bd383ec56a835c2a89bc
Opcode Fuzzy Hash: 7f2d5fb4b0c299493a674c35645885fccf46f904dfce5fb09907fb897d3f594a
Instruction Fuzzy Hash: 74F05E3A140A12EBDB111B64FC8CAEF772AEF55306B500573F202D14B0CB766815CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00468E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00468E7F
UnloadUserProfile.USERENV(?,?), ref: 00468E8B
CloseHandle.KERNEL32(?), ref: 00468E94
CloseHandle.KERNEL32(?), ref: 00468E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00468EA5
HeapFree.KERNEL32(00000000), ref: 00468EAC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 528975e28a50d4b8348fbb3b2ce24b86fce944dda9c39ab30de7031a78d16446
Instruction ID: 27f5d9ba2699ccac43f629b1c9fc045263f416b99e0fd3603d048338593366aa
Opcode Fuzzy Hash: 528975e28a50d4b8348fbb3b2ce24b86fce944dda9c39ab30de7031a78d16446
Instruction Fuzzy Hash: 70E0C236004401FBDA011FF1EC0D90ABB69FBA9322B208232F219C1070CB32A828DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00467A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004A2C7C,?), ref: 00467C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004A2C7C,?), ref: 00467C4A
CLSIDFromProgID.OLE32(?,?,00000000,0049FB80,000000FF,?,00000000,00000800,00000000,?,004A2C7C,?), ref: 00467C6F
_memcmp.LIBCMT ref: 00467C90

Strings

,,J, xrefs: 00467A85

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,J
API String ID: 314563124-1630447030
Opcode ID: d045b64e87e080109cc8502e5fe08ea6e12b1f835c4aaca564744819787e1421
Instruction ID: c82c984d41ae5aba6b2d8959db2c45e4302346e03cc39b1a84eb6fd47bf090d5
Opcode Fuzzy Hash: d045b64e87e080109cc8502e5fe08ea6e12b1f835c4aaca564744819787e1421
Instruction Fuzzy Hash: 4D813A71A00109EFCB00DF94C984EEEB7B9FF89319F204199E506EB250DB75AE06CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00488902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00488928
CharUpperBuffW.USER32(?,?), ref: 00488A37
VariantClear.OLEAUT32(?), ref: 00488BAF

Part of subcall function 00477804: VariantInit.OLEAUT32(00000000), ref: 00477844
Part of subcall function 00477804: VariantCopy.OLEAUT32(00000000,?), ref: 0047784D
Part of subcall function 00477804: VariantClear.OLEAUT32(00000000), ref: 00477859

Strings

AUTOIT.ERROR, xrefs: 00488A3D
Incorrect Parameter format, xrefs: 00488960, 00488B22

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: cf2756c046df20372c6f0bd688c07973b164f89ab0a5d5a12d56d0c5a8246f49
Instruction ID: b5f81d887d5788201722477f5cd9319be2e337a46d8829fe7190e06d63c1e6ef
Opcode Fuzzy Hash: cf2756c046df20372c6f0bd688c07973b164f89ab0a5d5a12d56d0c5a8246f49
Instruction Fuzzy Hash: D9916C706083019FC710EF25C48495BBBE4AF89358F144D6FF89A8B361DB35E946CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00472F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042FEC6: _wcscpy.LIBCMT ref: 0042FEE9

_memset.LIBCMT ref: 00473077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004730A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00473159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00473187

Strings

0, xrefs: 00473063

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b4f7f2aa1b871effdc1d00a12f18d84acc00afbf7b5fe5b01c07956fe2932a86
Instruction ID: d5dc61c8e0900dc35dacccd6e37d8205b51954a63fb93a098057fd30b32fa863
Opcode Fuzzy Hash: b4f7f2aa1b871effdc1d00a12f18d84acc00afbf7b5fe5b01c07956fe2932a86
Instruction Fuzzy Hash: 9351F3316083409ED715DF28C845AEBB7E4EF45325F448A2FF889D3291DB78CE44A79A

Uniqueness

Uniqueness Score: -1.00%

Function 00472C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00472CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00472CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00472D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004D6890,00000000), ref: 00472D5A

Strings

0, xrefs: 00472CA4

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b58f2f6bb655dd245fc43b5bfa662d19fbb7c3b7629097cbb61e922a316dd0ce
Instruction ID: a81cc5b367d371399455ab9c5b461f9403928c936d70b6ca973414b1334e9f36
Opcode Fuzzy Hash: b58f2f6bb655dd245fc43b5bfa662d19fbb7c3b7629097cbb61e922a316dd0ce
Instruction Fuzzy Hash: 52419230104302AFD720DF25C944B9BB7E4EF85324F14862FF96997291D7B8E904CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00469372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 0046B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0046B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004693F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00469439

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

Strings

ListBox, xrefs: 004693B5
ComboBox, xrefs: 00469380

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 8c413f2a740cc46c8ea3d9af8d25637947b5a9702de20de012efb06d784ff710
Instruction ID: ba0aa3c2d4ecabee06e7f2a6b000e4b0e1601c839284f5065dc74e70c1870d68
Opcode Fuzzy Hash: 8c413f2a740cc46c8ea3d9af8d25637947b5a9702de20de012efb06d784ff710
Instruction Fuzzy Hash: A121F271A44104BADB14ABA1DC85DFFB77CDF05354B10412FF921972E0EB7C0D4A9A19

Uniqueness

Uniqueness Score: -1.00%

Function 00496656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00411D73
Part of subcall function 00411D35: GetStockObject.GDI32(00000011), ref: 00411D87
Part of subcall function 00411D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00411D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004966D0
LoadLibraryW.KERNEL32(?), ref: 004966D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004966EC
DestroyWindow.USER32(?), ref: 004966F4

Strings

SysAnimate32, xrefs: 004966AB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d0f09583d66baa17a88fa7af660ecfcddb1422101b6d208bf8cc7ec85d9dbaae
Instruction ID: ad6633f211a6a668d820d56c19a8b564931c718bffd17c55652bbc32ef5b1ffd
Opcode Fuzzy Hash: d0f09583d66baa17a88fa7af660ecfcddb1422101b6d208bf8cc7ec85d9dbaae
Instruction Fuzzy Hash: 71219F71100205ABEF104FA4EC80EBB3BADEB59368F12463BF910D2290D779DC519768

Uniqueness

Uniqueness Score: -1.00%

Function 0047703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0047705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00477091
GetStdHandle.KERNEL32(0000000C), ref: 004770A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 004770DD

Strings

nul, xrefs: 004770D8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2d85be07b8138dd415b321b49e4b2ed64b426c68e434cce505db6ec7bdbbf102
Instruction ID: 59eb531766ae397c487e0a017ee387d072749ab8019b90808c86866aa76afabc
Opcode Fuzzy Hash: 2d85be07b8138dd415b321b49e4b2ed64b426c68e434cce505db6ec7bdbbf102
Instruction Fuzzy Hash: 8921D174604249ABDF209F38DC04BDA77A8BF54320F608A2BFCA4D72D0D7759800CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0047710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0047712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0047715D
GetStdHandle.KERNEL32(000000F6), ref: 0047716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004771A8

Strings

nul, xrefs: 004771A3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 12a48efeddf476e3780fe1c6edb2d63f8c745aa39bedc0e14660a4ec75de41f4
Instruction ID: bbb4cd3adfc7b96d0fbb555346243ed8313dfeb48a681496e157600934f77481
Opcode Fuzzy Hash: 12a48efeddf476e3780fe1c6edb2d63f8c745aa39bedc0e14660a4ec75de41f4
Instruction Fuzzy Hash: 1621C1755042059BDF209F289C04AEAB7A8EF55324FA08A2BFDE4D33D0D7749841CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0047AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0047AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0047AF13
__swprintf.LIBCMT ref: 0047AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0049F910), ref: 0047AF6A

Strings

%lu, xrefs: 0047AF26

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: f82ee3dd131ebe5a18531bfa209e42511bb80447f7272be4b4968cb93ab3500e
Instruction ID: 5dfb93cb795686797f82195049d41dfaa709b5c42f152d38ca2f833de836367b
Opcode Fuzzy Hash: f82ee3dd131ebe5a18531bfa209e42511bb80447f7272be4b4968cb93ab3500e
Instruction Fuzzy Hash: E1215134600109AFCB10EF55C885EEE7BB8EF89708B10407AF909DB251DA35EE45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0046A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

Part of subcall function 0046A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0046A399
Part of subcall function 0046A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0046A3AC
Part of subcall function 0046A37C: GetCurrentThreadId.KERNEL32 ref: 0046A3B3
Part of subcall function 0046A37C: AttachThreadInput.USER32(00000000), ref: 0046A3BA

GetFocus.USER32 ref: 0046A554

Part of subcall function 0046A3C5: GetParent.USER32(?), ref: 0046A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0046A59D
EnumChildWindows.USER32(?,0046A615), ref: 0046A5C5
__swprintf.LIBCMT ref: 0046A5DF

Strings

%s%d, xrefs: 0046A5D9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 062cbcee7cfdde21311c906babe9ce7104fb780b53815128b28fbf0f8023618a
Instruction ID: 0f40c278fa62c2a0e80457179bec3d5831cba2e32b33d504d39336fdbb623f81
Opcode Fuzzy Hash: 062cbcee7cfdde21311c906babe9ce7104fb780b53815128b28fbf0f8023618a
Instruction Fuzzy Hash: F411B4712002087BDF107FA5DC85FEA7778AF48704F04407BBE08AA192DA7859A58F7E

Uniqueness

Uniqueness Score: -1.00%

Function 00472017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00472048

Strings

KEYS, xrefs: 0047205F
EXISTS, xrefs: 00472070
REMOVE, xrefs: 0047204E
APPEND, xrefs: 00472081

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 1fa917548b6be0b76f997813263e3b2719cd83f008d5b483289c054bf5350c18
Instruction ID: 3748c244b797061c7236ba2ad0d888b29994295bf1b078e536e9f4e02a62d54e
Opcode Fuzzy Hash: 1fa917548b6be0b76f997813263e3b2719cd83f008d5b483289c054bf5350c18
Instruction Fuzzy Hash: BB118E34900119CFCF00EFA4D9509EEB3B4FF15308F10856ED955A7351DB36590ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 0048EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0048EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0048EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0048F07E
CloseHandle.KERNEL32(?), ref: 0048F0FF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 2d4d69ca02a864e9ba27ad8d023e49d2594b430200e997f669c0beeb42834316
Instruction ID: 36ba33137c816ae3a3d584bf8a86f3ba556f707c6922b3100c8966d2e01d132a
Opcode Fuzzy Hash: 2d4d69ca02a864e9ba27ad8d023e49d2594b430200e997f669c0beeb42834316
Instruction Fuzzy Hash: E381A371604300AFD720EF25C856F6EB7E5AF48714F14882EF999DB392DB74AC448B89

Uniqueness

Uniqueness Score: -1.00%

Function 004902C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 004910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00490038,?,?), ref: 004910BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00490388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004903C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0049040E
RegCloseKey.ADVAPI32(?,?), ref: 0049043A
RegCloseKey.ADVAPI32(00000000), ref: 00490447

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 9c1b05b54f81cb7cb86fd0efdc1c604a8282e2fa3c8ca51f8283bd3aafabcece
Instruction ID: 5bf0dfac03b1ebcb6a3c454c237f4398705fdc71712958bc9cd289799667f165
Opcode Fuzzy Hash: 9c1b05b54f81cb7cb86fd0efdc1c604a8282e2fa3c8ca51f8283bd3aafabcece
Instruction Fuzzy Hash: 24514C31208205AFDB14EF55C881EAEBBE8FF84708F04892EF59587291DB38ED45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0047E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0047E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0047E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0047E8F2

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0047E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0047E91F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ec3e1ab64f3fc51f7ba23d3a26d54caad1a5d29fa04a14986956d400546f2904
Instruction ID: 9c6077324915fffe50cf56e7e99bef07a55bb1da209457d4258ef04533695b03
Opcode Fuzzy Hash: ec3e1ab64f3fc51f7ba23d3a26d54caad1a5d29fa04a14986956d400546f2904
Instruction Fuzzy Hash: 60514B75A00205DFCF00EF65C991AAEBBF5EF08314B1480AAE849AB361CB35ED51CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0049A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976a5511cf3f58bd60f58ccc7d0358aff4ef298e034855506bcccf04fa0c0bf6
Instruction ID: acada8c1f637c3ec6ec93af3e69faeb32cb9f090a2e226db70bb610cfb4b58d3
Opcode Fuzzy Hash: 976a5511cf3f58bd60f58ccc7d0358aff4ef298e034855506bcccf04fa0c0bf6
Instruction Fuzzy Hash: B241C135900214ABDB20DB28CC48FAABFA4EB09310F154177FC55A72E1D778AD619A9A

Uniqueness

Uniqueness Score: -1.00%

Function 00412344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00412357
ScreenToClient.USER32(004D67B0,?), ref: 00412374
GetAsyncKeyState.USER32(00000001), ref: 00412399
GetAsyncKeyState.USER32(00000002), ref: 004123A7

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1089170d65666417bf8191055bbff1b94cf6928472bd0fdc786806df49a6568f
Instruction ID: b6ac7c92bd78f32c96b8de4202845a9e97b3c86428e67018b0915dd509ab6525
Opcode Fuzzy Hash: 1089170d65666417bf8191055bbff1b94cf6928472bd0fdc786806df49a6568f
Instruction Fuzzy Hash: 9141A131A04119FFDF158F65C884AEABB74FB05364F10436BF834D2290C7B859A4DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00466920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0046695D
TranslateAcceleratorW.USER32(?,?,?), ref: 004669A9
TranslateMessage.USER32(?), ref: 004669D2
DispatchMessageW.USER32(?), ref: 004669DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004669EB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 3e5e22a7ed7514dc53793539bcdc0d7aabde16709232c296f3d7b4384bd2c6ca
Instruction ID: 2e884d1f61d5a28c4b6aa6059dd4c78daf86e5e3f9c89891980c4d1025daeab3
Opcode Fuzzy Hash: 3e5e22a7ed7514dc53793539bcdc0d7aabde16709232c296f3d7b4384bd2c6ca
Instruction Fuzzy Hash: 1931A771501246ABDB20DFB4DC44BB77BBCAB12304F16417BE825D2261F738988ADB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00468F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00468F12
PostMessageW.USER32(?,00000201,00000001), ref: 00468FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00468FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00468FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00468FDA

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7333d6288737838e453c2f72ba7448636bb1cca73cc334f8f91b7530bf841143
Instruction ID: 39d9c8cd45df322672647464cf7318d10c8355aa1f2964f894acdbbc06839a23
Opcode Fuzzy Hash: 7333d6288737838e453c2f72ba7448636bb1cca73cc334f8f91b7530bf841143
Instruction Fuzzy Hash: A1310E71500219EFDF08CFA8D94CA9E3BB6EB54315F10422AF924EB2D0DBB49D14CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0046B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0046B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0046B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0046B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0046B742
_wcsstr.LIBCMT ref: 0046B74C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 467937484432f1950ea497fbf1dcf83ee694b5b3c49c137602656a8837108601
Instruction ID: 7f778ee20dda0e5cb2506a3e84dd6590f9ffa74873111e2823ada04696b1d1fb
Opcode Fuzzy Hash: 467937484432f1950ea497fbf1dcf83ee694b5b3c49c137602656a8837108601
Instruction Fuzzy Hash: 9121DA31204204BAEB155B35DC49E7B7BA8DF49711F00407FFD05DA261FB69DC81969A

Uniqueness

Uniqueness Score: -1.00%

Function 0049B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

GetWindowLongW.USER32(?,000000F0), ref: 0049B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0049B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0049B489
GetSystemMetrics.USER32(00000004), ref: 0049B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00481184,00000000), ref: 0049B4D0

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d25b9451a89220030596b5fbaf1a84109bf7df38d8e3b0d8d4c0fc3a7c0aea88
Instruction ID: a1eef0c0f21cab886303390ead61da99174c38999f7bbe403e443fc3ee35aa23
Opcode Fuzzy Hash: d25b9451a89220030596b5fbaf1a84109bf7df38d8e3b0d8d4c0fc3a7c0aea88
Instruction Fuzzy Hash: 1D219171610255AFCF109F38AD04A6A3BA4EB15724F11473AF926D62E2E7349811EBC8

Uniqueness

Uniqueness Score: -1.00%

Function 004697E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00469802

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00469834
__itow.LIBCMT ref: 0046984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00469874
__itow.LIBCMT ref: 00469885

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: a409433453f017601eb8f70aedfc71487ece233adf94d6e8c67799fe4097bcdd
Instruction ID: dbcd5fb8ae041b2324e73ff113996bf278a60274db28f65404068ead02288c9f
Opcode Fuzzy Hash: a409433453f017601eb8f70aedfc71487ece233adf94d6e8c67799fe4097bcdd
Instruction Fuzzy Hash: AF21B631700308ABDB10ABA58C86EEE7BACEF49714F04403BF904DB251E6B88D45979A

Uniqueness

Uniqueness Score: -1.00%

Function 004112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0041134D
SelectObject.GDI32(?,00000000), ref: 0041135C
BeginPath.GDI32(?), ref: 00411373
SelectObject.GDI32(?,00000000), ref: 0041139C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 58f9ff91d22f5c5d07988cd2012abd5afdb55ed6a79bd720d700085351a13743
Instruction ID: 965d58ac2135f8a8cf75eeb5af2d62e70c62157521e1ea4f98e728bbaf33a9e5
Opcode Fuzzy Hash: 58f9ff91d22f5c5d07988cd2012abd5afdb55ed6a79bd720d700085351a13743
Instruction Fuzzy Hash: 7E217170802308EFEB10AF65EC047AA7BB8FB10321F154237F924962B4D3759895EB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0046C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0046C176
_memcmp.LIBCMT ref: 0046C194
_memcmp.LIBCMT ref: 0046C1A7
_memcmp.LIBCMT ref: 0046C1BF
_memcmp.LIBCMT ref: 0046C1D7

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1217e3eae8400ef10543ca543439cfb1a7e01650aec6a3f227b9c1c199c8b3a5
Instruction ID: a7826df77500cbf1de3605bb88085fe11bfc5093eb597516cf0c237e7675df02
Opcode Fuzzy Hash: 1217e3eae8400ef10543ca543439cfb1a7e01650aec6a3f227b9c1c199c8b3a5
Instruction Fuzzy Hash: 8001F9716051057BE204A6255D82FFB735C9B273A8F144017FD0596353FA5CEE1186EE

Uniqueness

Uniqueness Score: -1.00%

Function 00474D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00474D5C
__beginthreadex.LIBCMT ref: 00474D7A
MessageBoxW.USER32(?,?,?,?), ref: 00474D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00474DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00474DAC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 2cb18314967c89cb29a0e94e9ac62837a9342590563dc880c39ffcef17451d7c
Instruction ID: c04a613edcbf8d989a1e4843ba64ffd1782052b0f589f33046e248daac32c397
Opcode Fuzzy Hash: 2cb18314967c89cb29a0e94e9ac62837a9342590563dc880c39ffcef17451d7c
Instruction Fuzzy Hash: 6C11E572905244AFC711ABA89C04AEB7BACEB85320F1482B7F918D3351D6798D4487A4

Uniqueness

Uniqueness Score: -1.00%

Function 0046874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00468766
GetLastError.KERNEL32(?,0046822A,?,?,?), ref: 00468770
GetProcessHeap.KERNEL32(00000008,?,?,0046822A,?,?,?), ref: 0046877F
HeapAlloc.KERNEL32(00000000,?,0046822A,?,?,?), ref: 00468786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0046879D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 701f96c41387317766b03064c787f85c5bccf060919572d505d1394e72ba019b
Instruction ID: b9f45747af9a7916e492f35485924a4882a2a58e7a4c79c76e3fc25c4d8293ce
Opcode Fuzzy Hash: 701f96c41387317766b03064c787f85c5bccf060919572d505d1394e72ba019b
Instruction Fuzzy Hash: 26016D75200204FFDB204FA6DC88D6B7BACFF99356720053AF849D2260EA318C04CA64

Uniqueness

Uniqueness Score: -1.00%

Function 004754E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00475502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00475510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00475518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00475522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0047555E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fc4d90a56fc74226bcce7b1a212d89760b34f022146c305bc23829a575fe0b05
Instruction ID: f2edd426f93fab930faa855b00f829a0df3d8c6a3b0aff0ea1f2f66bf3a740f0
Opcode Fuzzy Hash: fc4d90a56fc74226bcce7b1a212d89760b34f022146c305bc23829a575fe0b05
Instruction Fuzzy Hash: 64015B31C00A19EBCF00EFE8E8496EDBB79FB09701F044567E905F6244DB749A54C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00467652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?,?,0046799D), ref: 0046766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?), ref: 0046768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?), ref: 00467698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?), ref: 004676A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0046758C,80070057,?,?), ref: 004676B4

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 04d07f951b59a4cdb650a86ca486955153d9d817169d311a0598707c42446734
Instruction ID: ddd0cc3b2487ab611c4423f2bdf95a450298e6a815104bd71d47fe15f12a64c4
Opcode Fuzzy Hash: 04d07f951b59a4cdb650a86ca486955153d9d817169d311a0598707c42446734
Instruction Fuzzy Hash: B701D472600604BBDB109F58DC48BAA7BACEB44B65F10013AFD05D2211F775DD5187A5

Uniqueness

Uniqueness Score: -1.00%

Function 004685F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00468608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00468612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00468621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00468628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0046863E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5d5411cf980d7217cecc150d73d99299335d034af9e90fc423e52f33b72c3966
Instruction ID: 42f0a1cf6154f3b76d015faeb79468bac8be148d2ccd37d550bc53f7ba6ae544
Opcode Fuzzy Hash: 5d5411cf980d7217cecc150d73d99299335d034af9e90fc423e52f33b72c3966
Instruction Fuzzy Hash: DEF0AF30200304AFEB100FA4DC8AE6F3BACEF89754B00423AF905C2260DB649C45DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00468652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00468669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00468673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00468682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00468689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0046869F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0898aa33bd85d267c28e0eb61d9d6f842d5bbcaf73fe4658353a1043185a37cb
Instruction ID: f3844adead92488cf7d41819c5af698bf39a07effd2c746d39c45786b399e7cc
Opcode Fuzzy Hash: 0898aa33bd85d267c28e0eb61d9d6f842d5bbcaf73fe4658353a1043185a37cb
Instruction Fuzzy Hash: 28F0C270200304BFEB211FA4EC89E6B3BACEF89758B10013BF905C2250DB75DC14DA69

Uniqueness

Uniqueness Score: -1.00%

Function 0046C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0046C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0046C6D1
MessageBeep.USER32(00000000), ref: 0046C6E9
KillTimer.USER32(?,0000040A), ref: 0046C705
EndDialog.USER32(?,00000001), ref: 0046C71F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4e19b0608ee1df1a0e9eaf0855ef79e34a24b155919a7b1dd01f4c116518d5d1
Instruction ID: d23658f70ebdf18b55bf2e4bcba4283a96e9dce8bd30c6b23abd04ec3d6750af
Opcode Fuzzy Hash: 4e19b0608ee1df1a0e9eaf0855ef79e34a24b155919a7b1dd01f4c116518d5d1
Instruction Fuzzy Hash: CD01847050030497EB205B60EC8EFA67778BB10705F04057BB582E10E0EBE8A9598A49

Uniqueness

Uniqueness Score: -1.00%

Function 004113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004113BF
StrokeAndFillPath.GDI32(?,?,0044BAD8,00000000,?), ref: 004113DB
SelectObject.GDI32(?,00000000), ref: 004113EE
DeleteObject.GDI32 ref: 00411401
StrokePath.GDI32(?), ref: 0041141C

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 294d60b59ad5646142658ec47ba03b0684ef72ec037eb08cc52ab9d5ea4ca07e
Instruction ID: 3f468896b302dccdc45076615cca1fc9c1c144c97da2cc597735bbe56658e129
Opcode Fuzzy Hash: 294d60b59ad5646142658ec47ba03b0684ef72ec037eb08cc52ab9d5ea4ca07e
Instruction Fuzzy Hash: 22F01430002308EBDB116FA6EC4C7993BA8AB10326F058237F929841F1D73589A9EF58

Uniqueness

Uniqueness Score: -1.00%

Function 00422E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00430FF6: std::exception::exception.LIBCMT ref: 0043102C
Part of subcall function 00430FF6: __CxxThrowException@8.LIBCMT ref: 00431041

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 00417BB1: _memmove.LIBCMT ref: 00417C0B

__swprintf.LIBCMT ref: 0042302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00422EC6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 01d6b8d0bccbbb5a4cc90744d7b38846709ec035195ab8b7c0803cfaf8d6d159
Instruction ID: 59b12b9bef8de0b15e9da8982de5b5434bc4c56b8c5626dc1ff402f73ead6c9e
Opcode Fuzzy Hash: 01d6b8d0bccbbb5a4cc90744d7b38846709ec035195ab8b7c0803cfaf8d6d159
Instruction Fuzzy Hash: 52918D716082119FC718EF25D885CAFB7B4EF85744F40091FF845972A2DB28EE48CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0046B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0046B981

Strings

Container, xrefs: 0046B8FE
AutoIt3GUI, xrefs: 0046B8F9
%J, xrefs: 0046BA24

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%J
API String ID: 3565006973-1684562136
Opcode ID: 175e99a9b8f4bfe4ea9cf49e0b522d909f278cf93a6f738b57de33ee3536fa06
Instruction ID: 8d3504a74bb9b654e4f610dcf76b892ad197b11c4c5f4ede2b4b380a33148208
Opcode Fuzzy Hash: 175e99a9b8f4bfe4ea9cf49e0b522d909f278cf93a6f738b57de33ee3536fa06
Instruction Fuzzy Hash: 00915C74600201AFDB64DF68C884B6AB7E8FF48710F24856EF945CB391EB74E881CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0043524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004352DD

Part of subcall function 00440340: __87except.LIBCMT ref: 0044037B

Strings

pow, xrefs: 004352B5, 004352D2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 72f7d91213709491012f9c43056c25ac65b775b28447347312f91dcd1189e4b5
Instruction ID: 64a1d0cb7af07afcc83d983a4063652ea73d3e94f50caf593ca6474c54fed64f
Opcode Fuzzy Hash: 72f7d91213709491012f9c43056c25ac65b775b28447347312f91dcd1189e4b5
Instruction Fuzzy Hash: E6519D71A0DA0197E7107B25CD0137F2B909B04750F209DABEAD5823E6EF7C8CE49A4E

Uniqueness

Uniqueness Score: -1.00%

Function 0043023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00430277
#, xrefs: 00430280

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 768b6a87b16ee8885e9395e3bb18ccfb11550d83e35f0e2954e00a23334f1121
Instruction ID: 0a3d0b72a240bc0f4e2e01aa198dce384d27bdb41b13fd062952846d217e97f2
Opcode Fuzzy Hash: 768b6a87b16ee8885e9395e3bb18ccfb11550d83e35f0e2954e00a23334f1121
Instruction Fuzzy Hash: 0C510F751042468FCF259F28C4986FE7BA4EF59310F188057EC919B3E0E7389C86CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00423297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004233D7
_memmove.LIBCMT ref: 00423470
_free.LIBCMT ref: 00423496
_memmove.LIBCMT ref: 00423549

Strings

OaB, xrefs: 00423482

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$_free
String ID: OaB
API String ID: 2620147621-1622370741
Opcode ID: d09a3bcfdf6b78544200fad44b19d5b14590aa03ae863c2fd7f985b49d860832
Instruction ID: f2295e6d22042ec09e076f0eb004a032fd5476c219ed9228cdd2b6a64c14218b
Opcode Fuzzy Hash: d09a3bcfdf6b78544200fad44b19d5b14590aa03ae863c2fd7f985b49d860832
Instruction Fuzzy Hash: 095167B16083519FDB24CF28D450B2BBBF5BF89304F44492EE88987351DB39E941CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004262F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004263A8
_memmove.LIBCMT ref: 00426446
_memset.LIBCMT ref: 0042646A

Strings

ERCP, xrefs: 00426313

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 46656fcebece90f5b2c61ecd565f9efc836079cf1279068553c6789d40f86a70
Instruction ID: 1c9bf351a4227531156c93ba15473f3132d8cef1d391438ea6b8e638ce314486
Opcode Fuzzy Hash: 46656fcebece90f5b2c61ecd565f9efc836079cf1279068553c6789d40f86a70
Instruction Fuzzy Hash: 3751E671A00319DBCB24DF55D8817ABBBF4EF08314F20856FE98AC7240E7399980CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00497648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 004976D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004976E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00497708

Strings

SysMonthCal32, xrefs: 0049769B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9a9d4356b0d5ca12a4d86150ad0080ffe4def94bee67f232a33e84c2eb775195
Instruction ID: f57ca304248be4e962495a624e6ef4c1c274f9ba8801769b1855a293ac7e922f
Opcode Fuzzy Hash: 9a9d4356b0d5ca12a4d86150ad0080ffe4def94bee67f232a33e84c2eb775195
Instruction Fuzzy Hash: 8B21AD32510218ABDF118FA4CC46FEB3F69EF48724F110265FE15AB1D0D6B9AC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00496F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00496FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00496FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00496FDF

Strings

Listbox, xrefs: 00496F77

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0278aa031ba494c4b24ddb72cd16a4dc8014d5f9f96e9cdc0d2b9858a4f13a8a
Instruction ID: 60aa201e65fad14a5dbefecb7df01e245abdf38230a980038ee93383a5a1bc34
Opcode Fuzzy Hash: 0278aa031ba494c4b24ddb72cd16a4dc8014d5f9f96e9cdc0d2b9858a4f13a8a
Instruction Fuzzy Hash: 3B21C232610118BFDF118F54EC85FAB3BAAEF89754F02813AF9049B290C675AC518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0049797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004979E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004979F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00497A03

Strings

msctls_trackbar32, xrefs: 004979B8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5d004afaa75079c7ed70f7205c69ea9193b6938e349b8586bc076f9d69e745f2
Instruction ID: 95129acca41474f183e0226a051c7edbcab18aed419eb59acd83772236adf118
Opcode Fuzzy Hash: 5d004afaa75079c7ed70f7205c69ea9193b6938e349b8586bc076f9d69e745f2
Instruction Fuzzy Hash: 72112372250208BFEF109F60CC05FEB3BADEF89764F02052EFA00A2190D275A811CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00414C2E), ref: 00414CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00414CB5

Strings

GetNativeSystemInfo, xrefs: 00414CAF
kernel32.dll, xrefs: 00414C9E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 13816db200a813d65bbf9308619944e8910f879b7ab698206d2df4039ac4de97
Instruction ID: 4dbe27d6590b1204338799e99a464c471376fc4cc3f4ac9c899203b3a785a8ee
Opcode Fuzzy Hash: 13816db200a813d65bbf9308619944e8910f879b7ab698206d2df4039ac4de97
Instruction Fuzzy Hash: 1AD0C230500323CFCB208F30D90964276D4AF01790B21883B9885C2250E678D8C4CA98

Uniqueness

Uniqueness Score: -1.00%

Function 00414D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00414D2E,?,00414F4F,?,004D62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00414D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00414D81

Strings

kernel32.dll, xrefs: 00414D6A
Wow64DisableWow64FsRedirection, xrefs: 00414D7B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 8ff4802007dfdc14990ca80a89de7ef060e2de175b1df9447bf1331c18251279
Instruction ID: 6a4cc40c2ae4d989e57410f2b0edec5c17c810ec98d42dfec4b03c933beb07f0
Opcode Fuzzy Hash: 8ff4802007dfdc14990ca80a89de7ef060e2de175b1df9447bf1331c18251279
Instruction Fuzzy Hash: BBD01730650713CFDB209F31E809B5676E8AF25362B21893FD486D6660E678D8C4CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00414D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00414CE1,?), ref: 00414DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00414DB4

Strings

kernel32.dll, xrefs: 00414D9D
Wow64RevertWow64FsRedirection, xrefs: 00414DAE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 90178754abd4ede40e8f34462d742d250c276ac69b82522fe3dad63a2f8f81e4
Instruction ID: a6cc26547e7a70d7344547eebfb700dda6cda9979306a4977b2cd4b6896a09c8
Opcode Fuzzy Hash: 90178754abd4ede40e8f34462d742d250c276ac69b82522fe3dad63a2f8f81e4
Instruction Fuzzy Hash: 2ED01731650713CFDB209F31E809B8676E4AF16355B21883FD8C6D6660E778D8C4CA99

Uniqueness

Uniqueness Score: -1.00%

Function 00491072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004912C1), ref: 00491080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00491092

Strings

RegDeleteKeyExW, xrefs: 0049108C
advapi32.dll, xrefs: 0049107B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: d9eb70901936bca4b6c8e15fbc3bbb26c5377d912f8e1937c9e7437f5289daa3
Instruction ID: a8182a84169c9d934531f1ac72574e92a4a9a478f1ff014502d06b4284c12092
Opcode Fuzzy Hash: d9eb70901936bca4b6c8e15fbc3bbb26c5377d912f8e1937c9e7437f5289daa3
Instruction Fuzzy Hash: 56D0EC34510713CFD7205B35D81AA1776E4EF15362B118D7FA489D6660D778C8C08695

Uniqueness

Uniqueness Score: -1.00%

Function 004893F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00489009,?,0049F910), ref: 00489403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00489415

Strings

kernel32.dll, xrefs: 004893FE
GetModuleHandleExW, xrefs: 0048940F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 054ba1547739ad6fdfced72553547820ce1c1969154704523d9a4fee3465696e
Instruction ID: 289554ef4eb823d6e934733cc0991b2011181bc5be9e30acc5ba724591f40237
Opcode Fuzzy Hash: 054ba1547739ad6fdfced72553547820ce1c1969154704523d9a4fee3465696e
Instruction Fuzzy Hash: A5D0C734604B23CFCB20AF30D909A0B76E4AF11741B24CC3FA486C2A60E678CC84CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004676C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858092c91619a792d881e297abe028087a156a8f06a58b1ffbaf72462e1a08f5
Instruction ID: b9e0f546f2f592aa04834bea373ef1257af90facd505633308eef252f49592d7
Opcode Fuzzy Hash: 858092c91619a792d881e297abe028087a156a8f06a58b1ffbaf72462e1a08f5
Instruction Fuzzy Hash: DCC17B74A04216EFDB14CFA4C884AAEB7F5FF48318B10859AE805EB350E734ED81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0048E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0048E3D2
CharLowerBuffW.USER32(?,?), ref: 0048E415

Part of subcall function 0048DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0048DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0048E615
_memmove.LIBCMT ref: 0048E628

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c37360cf0fde1c9d096b57a2de3a71bde0f4af6e5c6ea195c32254099b2d153e
Instruction ID: accbc2e37c55d3d3f12df7bd0b0873855f6b4828e19db51d2c0fe6f1e603becf
Opcode Fuzzy Hash: c37360cf0fde1c9d096b57a2de3a71bde0f4af6e5c6ea195c32254099b2d153e
Instruction Fuzzy Hash: E3C179716083019FC714EF29C49096ABBE4FF88718F14896EF8999B351D738ED46CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004883A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004883D8
CoUninitialize.OLE32 ref: 004883E3

Part of subcall function 0046DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0046DAC5

VariantInit.OLEAUT32(?), ref: 004883EE
VariantClear.OLEAUT32(?), ref: 004886BF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 1e6d731778f6402754c1cfd48d46a8dfd6327daed2e74ab03cc94a14ae73e8bf
Instruction ID: 8b2ed37796bdbc2fa274d41e76faf6cfe908a580e5d7e0f32d63dc723f896e80
Opcode Fuzzy Hash: 1e6d731778f6402754c1cfd48d46a8dfd6327daed2e74ab03cc94a14ae73e8bf
Instruction Fuzzy Hash: 8EA115756047019FCB10EF15C891A5EB7E4BF88318F44485EF99AAB3A1DB38ED44CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00466DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00466E04
SysAllocString.OLEAUT32(00000000), ref: 00466EAD
VariantCopy.OLEAUT32 ref: 00466EDC
VariantClear.OLEAUT32(?), ref: 00466F03

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 32f135415cbbec52c869a80c4dcfee7a4324c7d2c53ebef4c197961881a23cd4
Instruction ID: 2ad81b7ef7fd33d562dae0ba189fc8c3016a99cd3c2dd9c3c39e4f0fdd2399de
Opcode Fuzzy Hash: 32f135415cbbec52c869a80c4dcfee7a4324c7d2c53ebef4c197961881a23cd4
Instruction Fuzzy Hash: A251CA306043019ADB249F66D491A6EB3E5AF58318F30881FE556CB291FB789C80DB1F

Uniqueness

Uniqueness Score: -1.00%

Function 00499A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F3E660,?), ref: 00499AD2
ScreenToClient.USER32(00000002,00000002), ref: 00499B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00499B72

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: cc57048b0cf6ba00b76dfa4a94bdf3455ecc87b2b97314e73eb6b7a743e24b6b
Instruction ID: 84b343399dbe194deaf8b271980c2b8aecf6a6d34b825181dc8d4a49ef86ac59
Opcode Fuzzy Hash: cc57048b0cf6ba00b76dfa4a94bdf3455ecc87b2b97314e73eb6b7a743e24b6b
Instruction Fuzzy Hash: 14513C34A01249AFCF10DF68D8809AE7BB5FB55320F14817EF8159B390D738AD81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00486CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00486CE4
WSAGetLastError.WSOCK32(00000000), ref: 00486CF4

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00486D58
WSAGetLastError.WSOCK32(00000000), ref: 00486D64

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: aa9b91f958dd491d0fe25a723be2258e9258cf301b1f37eb3b99172ca1adfe9f
Instruction ID: 4ea37b900b8d0032beba34d3c8a5280d5cfbcebdf332ef16ab352762a532017b
Opcode Fuzzy Hash: aa9b91f958dd491d0fe25a723be2258e9258cf301b1f37eb3b99172ca1adfe9f
Instruction Fuzzy Hash: E1419074740200AFEB10AF25DC86F7A77E5AB04B14F44842EFA599B2C2DB789C418799

Uniqueness

Uniqueness Score: -1.00%

Function 0048672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0049F910), ref: 004867BA
_strlen.LIBCMT ref: 004867EC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e254b618f652614ca323e34a57eb22e811e98a1b7c73268245f8c51953b75084
Instruction ID: 2b486c480b9332fb8be107ea0f38ae6a913a1e257922d775093b54af6d31edad
Opcode Fuzzy Hash: e254b618f652614ca323e34a57eb22e811e98a1b7c73268245f8c51953b75084
Instruction Fuzzy Hash: CC41D430A00104ABCB14FB65DCD5FEEB3A9AF48318F15856FF81997291DB38AD40C799

Uniqueness

Uniqueness Score: -1.00%

Function 0047BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0047BB09
GetLastError.KERNEL32(?,00000000), ref: 0047BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0047BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0047BB80

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 43220cf8dc3325bcac32734ae9930e5da2c1adffede4ed14b37fc76a4f08f237
Instruction ID: 1df8fe0d428c0afeed387ec121d0a5823a05a03707be2258c9e7439a0050382e
Opcode Fuzzy Hash: 43220cf8dc3325bcac32734ae9930e5da2c1adffede4ed14b37fc76a4f08f237
Instruction Fuzzy Hash: 89412839200610DFCB11EF15C594A9DBBE1EF49314B09849EEC4A9B762CB38FD41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00498AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00498B4D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1623891c94a23deeb7f980f15178e86920708b98d2932dac8a28c7d4328915c5
Instruction ID: 49e49d558fcab7955311e6badca2f2527d2d981b1e2abc4f56314357bf81ca24
Opcode Fuzzy Hash: 1623891c94a23deeb7f980f15178e86920708b98d2932dac8a28c7d4328915c5
Instruction Fuzzy Hash: D831B3B4600204BEEF209A1CCC59FAA3FA4EB07314F58453BFA55D73A1CE38B9409A4D

Uniqueness

Uniqueness Score: -1.00%

Function 0049ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0049AE1A
GetWindowRect.USER32(?,?), ref: 0049AE90
PtInRect.USER32(?,?,0049C304), ref: 0049AEA0
MessageBeep.USER32(00000000), ref: 0049AF11

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 25fbd56daa9b41da640796bd6a5068ffe9f25fa7a3c874c97d05f0d96007d5cf
Instruction ID: 93424c259675b40fdcf8af2bef36d950baf6d7a626ba6587792e92df2fd89671
Opcode Fuzzy Hash: 25fbd56daa9b41da640796bd6a5068ffe9f25fa7a3c874c97d05f0d96007d5cf
Instruction Fuzzy Hash: DE419A70601219DFCF11DF58C884AAABBF5FB49340F2980BAE814CB355C734A812DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00470FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00471037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00471053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 004710B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0047110B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8c097f10a5e50a0eb84b84ea267aa1a504d28d419ceabbf7c05b1e14cf7fb8a8
Instruction ID: 1f8f711dbab69960a472ee52d2fe72edd8099894c570046661d43bd794d18e72
Opcode Fuzzy Hash: 8c097f10a5e50a0eb84b84ea267aa1a504d28d419ceabbf7c05b1e14cf7fb8a8
Instruction Fuzzy Hash: 1F313D30E406C8AEFB308A6D8C05BFABBA5AB45310F04C22BE58952AF1C37D49C5975D

Uniqueness

Uniqueness Score: -1.00%

Function 00471121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00471176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00471192
PostMessageW.USER32(00000000,00000101,00000000), ref: 004711F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00471243

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6c8ce0c8bf6858061862756a46490c42db0f0c1c91c62cfd188e3ca32d5a7ad5
Instruction ID: de028a5dbf13a6c8a84207912db98b854198485420fd57b026dd791c7674ea30
Opcode Fuzzy Hash: 6c8ce0c8bf6858061862756a46490c42db0f0c1c91c62cfd188e3ca32d5a7ad5
Instruction Fuzzy Hash: B1310930940648AAEF208A6D8805BFB7B69EB49310F54C36BE588962E1C33C4D599759

Uniqueness

Uniqueness Score: -1.00%

Function 00446415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044644B
__isleadbyte_l.LIBCMT ref: 00446479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004464A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 004464DD

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 64bcd122ef918534f6dedc73d54c79b13f3e171fa16dfa1a336cb97d0df2a919
Instruction ID: b3351f97ec7bcb681d411ec04e65e27504b7db457c09c14e899b94b70cfcfb4b
Opcode Fuzzy Hash: 64bcd122ef918534f6dedc73d54c79b13f3e171fa16dfa1a336cb97d0df2a919
Instruction Fuzzy Hash: C431C431600246AFEF258F65CC45BAB7BA9FF42310F16402AF85487291DB39DC91DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00495175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00495189

Part of subcall function 0047387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00473897
Part of subcall function 0047387D: GetCurrentThreadId.KERNEL32 ref: 0047389E
Part of subcall function 0047387D: AttachThreadInput.USER32(00000000,?,004752A7), ref: 004738A5

GetCaretPos.USER32(?), ref: 0049519A
ClientToScreen.USER32(00000000,?), ref: 004951D5
GetForegroundWindow.USER32 ref: 004951DB

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3b4383df3c5308a0fbee9f16b4537b4b664bd8b08d84b38b1fe853716e458578
Instruction ID: 734c6a951c29015285ea707d70db22a646e9dd4073ebddc0f93da4fef025cf48
Opcode Fuzzy Hash: 3b4383df3c5308a0fbee9f16b4537b4b664bd8b08d84b38b1fe853716e458578
Instruction Fuzzy Hash: 0D312F72900108AFDB04EFA6C8459EFB7FDEF98304F11406BE415E7241EA799E45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0049C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

GetCursorPos.USER32(?), ref: 0049C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0044BBFB,?,?,?,?,?), ref: 0049C7D7
GetCursorPos.USER32(?), ref: 0049C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0044BBFB,?,?,?), ref: 0049C85E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9af2939cf8221bdc53dda0856c9a63d05344164beee5bb5764a77875cbaa4eeb
Instruction ID: cce2d4cfa05d252aa373dc4a182ba2dc77cb2dd91ee13e854c2a0b7ad92ad2c8
Opcode Fuzzy Hash: 9af2939cf8221bdc53dda0856c9a63d05344164beee5bb5764a77875cbaa4eeb
Instruction Fuzzy Hash: 55315C75600018AFCF15DF59C898EEA7FAAEB49321F0440BAF9058B261C7399951DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00430BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00430BF2

Part of subcall function 00415B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00477B20,?,?,00000000), ref: 00415B8C
Part of subcall function 00415B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00477B20,?,?,00000000,?,?), ref: 00415BB0

_fprintf.LIBCMT ref: 00430C29
OutputDebugStringW.KERNEL32(?), ref: 00466331

Part of subcall function 00434CDA: _flsall.LIBCMT ref: 00434CF3

__setmode.LIBCMT ref: 00430C5E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: ae3304612f6dc896a7732147e734a218cac79ae8ebb7162f1cb317c22d184bf5
Instruction ID: e1e3b8ac071f10a06e456e8bcd8c8a9579579d5f333c9a77d34d477639d70e00
Opcode Fuzzy Hash: ae3304612f6dc896a7732147e734a218cac79ae8ebb7162f1cb317c22d184bf5
Instruction Fuzzy Hash: E7116A72904208BACB0473B69C47AFE7B689F89324F14115FF204572D1EF2C2D82439D

Uniqueness

Uniqueness Score: -1.00%

Function 00468B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00468652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00468669
Part of subcall function 00468652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00468673
Part of subcall function 00468652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00468682
Part of subcall function 00468652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00468689
Part of subcall function 00468652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0046869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00468BEB
_memcmp.LIBCMT ref: 00468C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00468C44
HeapFree.KERNEL32(00000000), ref: 00468C4B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3ba5abf587c6ed91251a89a959040d3c246bcfd74f14848afc2f7aea6d0100a2
Instruction ID: e092d78a4bdd8b6ea7b98c76c012e334166b4ec06a6cc2c0007794618e2f4a78
Opcode Fuzzy Hash: 3ba5abf587c6ed91251a89a959040d3c246bcfd74f14848afc2f7aea6d0100a2
Instruction Fuzzy Hash: 2621BD71E01208EFCB10CFA4C945BEEB7B8EF44344F14416EE454A7240EB35AE06CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00481A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00481A97

Part of subcall function 00481B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00481B40
Part of subcall function 00481B21: InternetCloseHandle.WININET(00000000), ref: 00481BDD

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 0fc3d0b3b4440b0dc1fb9d715f2ab8d9e5892be9c17cf3cdebceaffaadf9187c
Instruction ID: a89958864d0da61e010dfa59729a102ad5eaeba887b054722d15173a56362646
Opcode Fuzzy Hash: 0fc3d0b3b4440b0dc1fb9d715f2ab8d9e5892be9c17cf3cdebceaffaadf9187c
Instruction Fuzzy Hash: 9B21B035201600BFDB15AF61CC00FBFB7ADFB54701F10082BF90196660E775E8169B98

Uniqueness

Uniqueness Score: -1.00%

Function 0046E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0046E1C4,?,?,?,0046EFB7,00000000,000000EF,00000119,?,?), ref: 0046F5BC
Part of subcall function 0046F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0046F5E2
Part of subcall function 0046F5AD: lstrcmpiW.KERNEL32(00000000,?,0046E1C4,?,?,?,0046EFB7,00000000,000000EF,00000119,?,?), ref: 0046F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0046EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0046E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0046E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0046EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0046E237

Strings

cdecl, xrefs: 0046E22E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: bb195a181662d9318ae1757b04c6ea518437f048d82903fefca494e9bd378a73
Instruction ID: c3fd2619f8bc42c619576f2786f901f1b810e1aa569d3e3f9c26f5674a35602e
Opcode Fuzzy Hash: bb195a181662d9318ae1757b04c6ea518437f048d82903fefca494e9bd378a73
Instruction Fuzzy Hash: D411B13A200341EFCB25AF65D845E7A77A9FF44310B40407BE806CB264FB759C558799

Uniqueness

Uniqueness Score: -1.00%

Function 00445332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00445351

Part of subcall function 0043594C: __FF_MSGBANNER.LIBCMT ref: 00435963
Part of subcall function 0043594C: __NMSG_WRITE.LIBCMT ref: 0043596A
Part of subcall function 0043594C: RtlAllocateHeap.NTDLL(00F20000,00000000,00000001,00000000,?,?,?,00431013,?), ref: 0043598F

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6e3f525a281af30dd4ed68db9811ae260a91ece866d893d62665dc8b12ef0eb1
Instruction ID: 91d131f734200359deb4c11b13ad1973218096ccd42fca26bb7751c62930a9cc
Opcode Fuzzy Hash: 6e3f525a281af30dd4ed68db9811ae260a91ece866d893d62665dc8b12ef0eb1
Instruction Fuzzy Hash: 7C11CE32504B15AFEF312F71A80566A7798AF183A4F20143FFD44DA292DABD8D41869C

Uniqueness

Uniqueness Score: -1.00%

Function 00414531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414560

Part of subcall function 0041410D: _memset.LIBCMT ref: 0041418D
Part of subcall function 0041410D: _wcscpy.LIBCMT ref: 004141E1
Part of subcall function 0041410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004141F1

KillTimer.USER32(?,00000001,?,?), ref: 004145B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004145C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0044D6CE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 6ae2a4437d922a8f8d5c75370c2a8213a485e9b8335907501f3cc3e08c7ae69d
Instruction ID: 8f8bbc7b01a965ed9cfe5fb1213a5c756d53e31ed57cc56df1c4dade84d3ce50
Opcode Fuzzy Hash: 6ae2a4437d922a8f8d5c75370c2a8213a485e9b8335907501f3cc3e08c7ae69d
Instruction Fuzzy Hash: E821D770904794AFFB328B24DC45BE7BBED9F51308F0400AFE69E96242C7785A858B59

Uniqueness

Uniqueness Score: -1.00%

Function 004740B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004740D1
_memset.LIBCMT ref: 004740F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00474144
CloseHandle.KERNEL32(00000000), ref: 0047414D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 21418f7ed4d41ed5d0158161141197cac2afeb5544ab750cda2ea5c85f6e0612
Instruction ID: 7ce5d07f194124303a3027fbe6e1eab96ab4664b217f858adcbe064f9b7eba81
Opcode Fuzzy Hash: 21418f7ed4d41ed5d0158161141197cac2afeb5544ab750cda2ea5c85f6e0612
Instruction Fuzzy Hash: 0011AB759012287AD7309BA59C4DFEBBB7CEF84760F1041ABF908D7180D6744E848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0048667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00415B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00477B20,?,?,00000000), ref: 00415B8C
Part of subcall function 00415B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00477B20,?,?,00000000,?,?), ref: 00415BB0

gethostbyname.WSOCK32(?,?,?), ref: 004866AC
WSAGetLastError.WSOCK32(00000000), ref: 004866B7
_memmove.LIBCMT ref: 004866E4
inet_ntoa.WSOCK32(?), ref: 004866EF

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 750431b679f49c1afc3b2927c3e629b0e0a473e6b2a0afba5f9a38bc8d8de14e
Instruction ID: 679274d6bbcc64476a0cd9d1ee6a148e0812acf03a1de8c53933e8e18ebb13c2
Opcode Fuzzy Hash: 750431b679f49c1afc3b2927c3e629b0e0a473e6b2a0afba5f9a38bc8d8de14e
Instruction Fuzzy Hash: F4117C75500108AFCB00FBA5D996DEEB7B8AF54314B14406AF502A7261EB34AE44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00469023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00469043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00469055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0046906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00469086

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01543a727ceb1c33c0a56d114485e446dd9742f2368d51cc7aaf18e7412eb85d
Instruction ID: a556ffbe5a59c253439e728cb1a4b2f9b2e97eccd9340b46f4a702e51beea65b
Opcode Fuzzy Hash: 01543a727ceb1c33c0a56d114485e446dd9742f2368d51cc7aaf18e7412eb85d
Instruction Fuzzy Hash: D3115E79900218FFDB10DFA5CD84E9EBBB8FB48310F2040A6EA04B7250D6716E11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00411290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00412612: GetWindowLongW.USER32(?,000000EB), ref: 00412623

DefDlgProcW.USER32(?,00000020,?), ref: 004112D8
GetClientRect.USER32(?,?), ref: 0044B84B
GetCursorPos.USER32(?), ref: 0044B855
ScreenToClient.USER32(?,?), ref: 0044B860

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 39f8a0e5d95dbce109662ad7f034cccfd59189dcfea8e19acb1afcf271452d73
Instruction ID: 5aa2edf1b74bf8203b94994324f42552ede045c1a3171b73e5a94cd524556df0
Opcode Fuzzy Hash: 39f8a0e5d95dbce109662ad7f034cccfd59189dcfea8e19acb1afcf271452d73
Instruction Fuzzy Hash: 25112B35601159AFCF10EF94D8859EE77B8FB05301F1004A7FA01E7251C738AA968BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00471652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004701FD,?,00471250,?,00008000), ref: 0047166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,004701FD,?,00471250,?,00008000), ref: 00471694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004701FD,?,00471250,?,00008000), ref: 0047169E
Sleep.KERNEL32(?,?,?,?,?,?,?,004701FD,?,00471250,?,00008000), ref: 004716D1

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 883d13f389b146527e742ed80ed90e97ff3089e6aa5aa602a03294722a471b8e
Instruction ID: 21a2d736932525d34442b0096e2d0eccfc7d5c5e3c339285520a0101b8fc8a2b
Opcode Fuzzy Hash: 883d13f389b146527e742ed80ed90e97ff3089e6aa5aa602a03294722a471b8e
Instruction Fuzzy Hash: 9A115E31C0051DDBCF009FA9D949AEEBB78FF59751F09806BE988B6250CB3459608BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00447207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0044722B

Part of subcall function 00447912: __fltout2.LIBCMT ref: 0044793B

__cftog_l.LIBCMT ref: 00447251
__cftoe_l.LIBCMT ref: 00447283

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 1c76fc11a1ac6a978e3f6b324164d2b57c47ebf4b0eb2d4a97ee08b7ad392ace
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0801927204414EBBDF125F84CC01CEE3F22BF19345B498656FA1858131C37BC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0049B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0049B59E
ScreenToClient.USER32(?,?), ref: 0049B5B6
ScreenToClient.USER32(?,?), ref: 0049B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0049B5F5

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d9e059b1ee2cd17685a30f8cd85100eb1d5897779933c6b02932e0f0217182b6
Instruction ID: fd6b0725e69229980d4ee93be96a98e622ee81556439453260a5633e48ec98bd
Opcode Fuzzy Hash: d9e059b1ee2cd17685a30f8cd85100eb1d5897779933c6b02932e0f0217182b6
Instruction Fuzzy Hash: D41146B5D00209EFDB41CF99D544AEEFBB5FB18310F104166E914E3620D735AA558F94

Uniqueness

Uniqueness Score: -1.00%

Function 0049B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0049B8FE
_memset.LIBCMT ref: 0049B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004D7F20,004D7F64), ref: 0049B93C
CloseHandle.KERNEL32 ref: 0049B94E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 636ec04844f8a09ccc7c148b7a48cd566a7cf83de35f2340f9c1a53168fc13da
Instruction ID: f3f1a94eab94cbcd6fc8e09b70a1bf62d692d7a7fa30ce0043c71d490db84622
Opcode Fuzzy Hash: 636ec04844f8a09ccc7c148b7a48cd566a7cf83de35f2340f9c1a53168fc13da
Instruction Fuzzy Hash: A6F05EB26453007BE2206B71AC45FBB3B5CEB08358F40403BFB08D5296E779590087AC

Uniqueness

Uniqueness Score: -1.00%

Function 00476E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00476E88

Part of subcall function 0047794E: _memset.LIBCMT ref: 00477983

_memmove.LIBCMT ref: 00476EAB
_memset.LIBCMT ref: 00476EB8
LeaveCriticalSection.KERNEL32(?), ref: 00476EC8

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c57408d618ce4e53794926341b1251bc59ed5841fd9ff633b18d999a026ffc97
Instruction ID: 9d000cdcff605dcbc40989e287bf9bb8bd0b12cc132eb45c1e164621f5aa4dc3
Opcode Fuzzy Hash: c57408d618ce4e53794926341b1251bc59ed5841fd9ff633b18d999a026ffc97
Instruction Fuzzy Hash: 7EF0547A100200ABCF016F55DC85B8ABB29EF49324F04C066FE089E22AC735A911CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0049C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0041134D
Part of subcall function 004112F3: SelectObject.GDI32(?,00000000), ref: 0041135C
Part of subcall function 004112F3: BeginPath.GDI32(?), ref: 00411373
Part of subcall function 004112F3: SelectObject.GDI32(?,00000000), ref: 0041139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0049C030
LineTo.GDI32(00000000,?,?), ref: 0049C03D
EndPath.GDI32(00000000), ref: 0049C04D
StrokePath.GDI32(00000000), ref: 0049C05B

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3c576b33fbfd304328e8af43d8152bb419a8eaf96bf3d16ec672b28ede6f1b70
Instruction ID: b0f3d724dfa572fdce441d75524374518632b43bae4ad40a70a49ed044a8de85
Opcode Fuzzy Hash: 3c576b33fbfd304328e8af43d8152bb419a8eaf96bf3d16ec672b28ede6f1b70
Instruction Fuzzy Hash: 21F0BE31002259BBDB122F91AC0AFCE3F58AF16310F044032FA11A10E2C7790664DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0046A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0046A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0046A3AC
GetCurrentThreadId.KERNEL32 ref: 0046A3B3
AttachThreadInput.USER32(00000000), ref: 0046A3BA

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 058ffb5e2814522e98e06d3b243c7b38d2507c51906ba56bdbb469380ca5786d
Instruction ID: 96e8d9d6830157f477f7b18f15083e8ef997c394e6960fd57d9afa80f5043219
Opcode Fuzzy Hash: 058ffb5e2814522e98e06d3b243c7b38d2507c51906ba56bdbb469380ca5786d
Instruction Fuzzy Hash: 20E03972141328BADB201BA2DC0DEDB3F1CEF267A1F008036FA09D4160D6758995CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00412218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00412231
SetTextColor.GDI32(?,000000FF), ref: 0041223B
SetBkMode.GDI32(?,00000001), ref: 00412250
GetStockObject.GDI32(00000005), ref: 00412258
GetWindowDC.USER32(?,00000000), ref: 0044C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0044C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0044C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0044C112
GetPixel.GDI32(00000000,?,?), ref: 0044C132
ReleaseDC.USER32(?,00000000), ref: 0044C13D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d82ba1f6084f48a5840c1b33e836376d020322e805f91896810f82a32314bae2
Instruction ID: 5e459e99174d4f50202fc5fbfd46ae67b6591a9623a7a4fdb9f6c0c72b8c843a
Opcode Fuzzy Hash: d82ba1f6084f48a5840c1b33e836376d020322e805f91896810f82a32314bae2
Instruction Fuzzy Hash: D4E06D32200244EBEB215FA4FC4EBD93B10EB25332F148377FAA9880E287B14994DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00468C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00468C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0046882E), ref: 00468C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0046882E), ref: 00468C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0046882E), ref: 00468C7E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3049774021ddebe9ce2d698268176294fd397fdf51d4acd1bb028b4039025a9e
Instruction ID: 3d20bfc4748c41d0712818ff70fe7e6aea88517d0101b90fad59cbd184daccea
Opcode Fuzzy Hash: 3049774021ddebe9ce2d698268176294fd397fdf51d4acd1bb028b4039025a9e
Instruction Fuzzy Hash: 7BE08676642211DBE7205FB06D0DB573BACEF60792F14493AB645D9080EA788449CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00452187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00452187
GetDC.USER32(00000000), ref: 00452191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004521B1
ReleaseDC.USER32(?), ref: 004521D2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7a1178a023310c290c68c7d012a11eb2d7d3827936b3584e7423b577def15766
Instruction ID: 0fd2369918e36d75f7221c428f64f7b617123aac892350950d7a288e720ba719
Opcode Fuzzy Hash: 7a1178a023310c290c68c7d012a11eb2d7d3827936b3584e7423b577def15766
Instruction Fuzzy Hash: 7EE0E575840704EFDB019FA0C808A9D7BB5EB6C351F20843BF95AD7260CB7889869F49

Uniqueness

Uniqueness Score: -1.00%

Function 0045219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0045219B
GetDC.USER32(00000000), ref: 004521A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004521B1
ReleaseDC.USER32(?), ref: 004521D2

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 736a5b36feb1fc64c45151d1410552b400893211000ea7472e53b1c1928ca5ef
Instruction ID: fe1ee9156eb1727e6863c8aafa70f716f9844f1b8c2c8fc90e1d3c1e279faed0
Opcode Fuzzy Hash: 736a5b36feb1fc64c45151d1410552b400893211000ea7472e53b1c1928ca5ef
Instruction Fuzzy Hash: CEE0E575840304AFCB019FA0C80869D7BA5AB6C350F20843AF95AD7260CB7899469F48

Uniqueness

Uniqueness Score: -1.00%

Function 004163A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%J, xrefs: 004163AE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: %J
API String ID: 0-2597055733
Opcode ID: 77a9aad80af20e9ba64f9649f4b2dee54195986101fbb7b4798f463da4b153de
Instruction ID: 63fcc3af52de2a2111dd3b147ddb4b10921a1aff500d9699c303b2460fa19092
Opcode Fuzzy Hash: 77a9aad80af20e9ba64f9649f4b2dee54195986101fbb7b4798f463da4b153de
Instruction Fuzzy Hash: 2DB19E71900209AACF14EF99C4819EEB7B9FF44314F51402BE906A7295EB38DEC6CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0048B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0048B2C3

Strings

xrM, xrefs: 0048B2F9
xrM, xrefs: 0048B325

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __itow_s
String ID: xrM$xrM
API String ID: 3653519197-3300153048
Opcode ID: dc7522ddbb0af6e4211340f3c6268c8b2a3964b47f14cf57735193f0a1e902cc
Instruction ID: 32352b945208a9663cf0c2488db3ef96cc626910bf98e472c89e55ee70172d94
Opcode Fuzzy Hash: dc7522ddbb0af6e4211340f3c6268c8b2a3964b47f14cf57735193f0a1e902cc
Instruction Fuzzy Hash: 90B18170A00205AFCB14EF55C891EEEB7B9FF58304F14885AF9459B352E778E981CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0047B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0042FEC6: _wcscpy.LIBCMT ref: 0042FEE9

Part of subcall function 00419997: __itow.LIBCMT ref: 004199C2
Part of subcall function 00419997: __swprintf.LIBCMT ref: 00419A0C

__wcsnicmp.LIBCMT ref: 0047B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0047B361

Strings

LPT, xrefs: 0047B292

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 25e3d3e437ab73c0071ef39c048d625bbbb9c7f653607046e8fe23316c8eb4db
Instruction ID: fe0f4f68773ddd77c6de87dc5f6e55717a640340df1f0c81d137758620c876d4
Opcode Fuzzy Hash: 25e3d3e437ab73c0071ef39c048d625bbbb9c7f653607046e8fe23316c8eb4db
Instruction Fuzzy Hash: 4A617F75A00215AFCB14DB54C895FEEB7B4EB08310F11806FF84AAB351D778AE84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00458A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00458B1E
_memmove.LIBCMT ref: 00458B78

Strings

OaB, xrefs: 00458BF2, 0045E39A, 0045E3B6

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID: OaB
API String ID: 4104443479-1622370741
Opcode ID: d62031f434f87b40a7678ca39b081cd17c78b6499f6ab3fc33e88c17b71fb5f3
Instruction ID: a3ebb1e992e7fb2ec95904cc24b0c8140e1f2dd238bfafa6d474ad17f8ba41b7
Opcode Fuzzy Hash: d62031f434f87b40a7678ca39b081cd17c78b6499f6ab3fc33e88c17b71fb5f3
Instruction Fuzzy Hash: D8519EB0A006199FCB24CF69C880AAEBBF5FF44305F10452EE85AE7341EB34A959CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00422AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00422AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00422AE1

Strings

@, xrefs: 00422AD5

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f4e2e0225eb45dab7e8798987dc6ea3c42f5160d3f0f07ad8bbdbc8132180ddc
Instruction ID: 1aed08fcc8fc8337cb910a895e6e893bdf2363da5b45005225c4eb6c427dadc5
Opcode Fuzzy Hash: f4e2e0225eb45dab7e8798987dc6ea3c42f5160d3f0f07ad8bbdbc8132180ddc
Instruction Fuzzy Hash: 33518C715187449BD320AF11DC96BAFBBF8FF84314F42485EF2D9410A2DB349868CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 004799BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0041506B: __fread_nolock.LIBCMT ref: 00415089

_wcscmp.LIBCMT ref: 00479AAE
_wcscmp.LIBCMT ref: 00479AC1

Strings

FILE, xrefs: 004799FA

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 1e59681b9aff24fcd00b446f0772cb63180f0c03ccc3f4af5ffa788963d86e47
Instruction ID: 4c494f6623939dc4253e3f32718acacf27bdd9c5588ad7eea8093eb3107062f9
Opcode Fuzzy Hash: 1e59681b9aff24fcd00b446f0772cb63180f0c03ccc3f4af5ffa788963d86e47
Instruction Fuzzy Hash: 7A41FB71A00609BADF109EA1CC45FDFBBBDDF49714F00406FB904B7181D679AD4487A5

Uniqueness

Uniqueness Score: -1.00%

Function 0045099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 004509A9

Strings

DtM, xrefs: 0041A2B1
DtM, xrefs: 0041A477

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClearVariant
String ID: DtM$DtM
API String ID: 1473721057-101040529
Opcode ID: 4db3d00844d67e93dba983020a24d9847321d390ef16676c8bade5f0e90195b0
Instruction ID: b69e90d473399a74d4c25c3193656d1b3a5ef099ff41f3bb214926c66a8d5de0
Opcode Fuzzy Hash: 4db3d00844d67e93dba983020a24d9847321d390ef16676c8bade5f0e90195b0
Instruction Fuzzy Hash: 1F51F5786093418FC754CF19C180A5ABBE1BF99354F54885EE9858B321E339EC95CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00482882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00482892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004828C8

Strings

|, xrefs: 00482899

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: dd7b708d903d434bdf71523d64311f80dd6bb245288e8766df8ccbbbff7fd0c8
Instruction ID: a86deb28fdbeb4a055fa2a604f757c01dbfbaf8b001c467c960b98d838067341
Opcode Fuzzy Hash: dd7b708d903d434bdf71523d64311f80dd6bb245288e8766df8ccbbbff7fd0c8
Instruction Fuzzy Hash: 2E315071900119AFCF01EFA1CC85EEEBFB9FF08304F10406AF819A6265DB355A96DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00496CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00496D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00496DC2

Strings

static, xrefs: 00496D22

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e8951fe849876f52a6250d4d269da0645f9cedaccbc7207c8b3f6710b52b0137
Instruction ID: 28a937460861f3dc8e4a1720ef17414ae4dd4a3499bfbca5512f27cd2876e43e
Opcode Fuzzy Hash: e8951fe849876f52a6250d4d269da0645f9cedaccbc7207c8b3f6710b52b0137
Instruction Fuzzy Hash: F8319071200604AEDF109F64DC40AFB77B9FF48724F11862EF9A9C7190CA39AC95CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00472D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00472E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00472E3B

Strings

0, xrefs: 00472DF9

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 156496b83bbffd6164e9fc83f4c8831948377a6819ee7b28d2fbfe9feee66129
Instruction ID: 956ba0a9ec1bcc27c4a9f8540994576b53f5110ac86597e9a04c5b319adb695b
Opcode Fuzzy Hash: 156496b83bbffd6164e9fc83f4c8831948377a6819ee7b28d2fbfe9feee66129
Instruction Fuzzy Hash: 9831D731600315ABEB24CF59CA457DFBBB9EF05350F14802FE9C9962A0D7F89A44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00496943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004969D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004969DB

Strings

Combobox, xrefs: 0049699D

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 49bfda2da4785025dcf69d8668ee82bca49c9e0305a700d72a31884e6d9e1c11
Instruction ID: 640d839a03c607168e11328668c583e1779b724db9a1e2a28dc80400e82b9fe2
Opcode Fuzzy Hash: 49bfda2da4785025dcf69d8668ee82bca49c9e0305a700d72a31884e6d9e1c11
Instruction Fuzzy Hash: 6711B6B16002086FEF119F14CC90FEB3B6EEB993A4F12013AF95897390D6799C5187A4

Uniqueness

Uniqueness Score: -1.00%

Function 00496E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00411D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00411D73
Part of subcall function 00411D35: GetStockObject.GDI32(00000011), ref: 00411D87
Part of subcall function 00411D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00411D91

GetWindowRect.USER32(00000000,?), ref: 00496EE0
GetSysColor.USER32(00000012), ref: 00496EFA

Strings

static, xrefs: 00496EBD

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 94ecb9182b9ba60a5e9c4b58f7cd23e63b388fd51acd061cdc30bcb3a1422c64
Instruction ID: 2f9fbbd06e4bcf54eeaccdb0a88173822bb4c4479e6bbafb3045a1275296beb8
Opcode Fuzzy Hash: 94ecb9182b9ba60a5e9c4b58f7cd23e63b388fd51acd061cdc30bcb3a1422c64
Instruction Fuzzy Hash: 3221567261020AAFDF04DFA8DD45EEA7BB8FB08314F01462AFD55D3250E638E8619B64

Uniqueness

Uniqueness Score: -1.00%

Function 00496B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00496C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00496C20

Strings

edit, xrefs: 00496BF5

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a0106e30ce8f968527a9517fa6827ec22292ad74c43c56f4d53c05e8dc93d4ac
Instruction ID: 5e0762fec94c483003a9d4cd44d53bdc8f1d57ff48909a7df75bd18678dbe48c
Opcode Fuzzy Hash: a0106e30ce8f968527a9517fa6827ec22292ad74c43c56f4d53c05e8dc93d4ac
Instruction Fuzzy Hash: A0119D71100218ABEF108E649C45EEB3B6DEB14378F624736F960D72E0D639EC919B68

Uniqueness

Uniqueness Score: -1.00%

Function 00472E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00472F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00472F30

Strings

0, xrefs: 00472F07

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4f9e2dc5c60f668ec7ee2100bb2d362154ed2e1c644864137550ce5fa31d4062
Instruction ID: 391f78057d48fa80227c2ce297952db8a4551510641ef80d5a456304209e7e8c
Opcode Fuzzy Hash: 4f9e2dc5c60f668ec7ee2100bb2d362154ed2e1c644864137550ce5fa31d4062
Instruction Fuzzy Hash: B811D031901114ABDB20EF58DE04BDA73B9EB06310F1580B7E848A73A0D7F8AD0497D9

Uniqueness

Uniqueness Score: -1.00%

Function 004824CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00482520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00482549

Strings

<local>, xrefs: 00482511

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a92b7ca9e7bc9f249ddc8842856409b3b0b0540305c2cf40f003a0d765bba9e9
Instruction ID: 3f6e29fe8cf73ec53556350fca62876189a819d5c9da2ca1a204604860055641
Opcode Fuzzy Hash: a92b7ca9e7bc9f249ddc8842856409b3b0b0540305c2cf40f003a0d765bba9e9
Instruction Fuzzy Hash: 6F1132B0540225BADB24AF518D98EBFFF68FF06764F10852BF90492140D2B86945CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 004880A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0048830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,004880C8,?,00000000,?,?), ref: 00488322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 004880CB
htons.WSOCK32(00000000,?,00000000), ref: 00488108

Strings

255.255.255.255, xrefs: 004880E3

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 65645ee9cdb9257d3bef06afc121d8cf9ae02cd92290d27205005c9a940df221
Instruction ID: 09dc34da1dbac0cb672cf1feaa817c68132918e509d628d3b1d6dda92875b5bd
Opcode Fuzzy Hash: 65645ee9cdb9257d3bef06afc121d8cf9ae02cd92290d27205005c9a940df221
Instruction Fuzzy Hash: 6F118274600205ABDB20AFA4CC46FEEB364EF55314F10892FE91197292DF76A815879A

Uniqueness

Uniqueness Score: -1.00%

Function 00420A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00413C26,004D62F8,?,?,?), ref: 00420ACE

Part of subcall function 00417D2C: _memmove.LIBCMT ref: 00417D66

_wcscat.LIBCMT ref: 004550E1

Strings

cM, xrefs: 00420B0E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cM
API String ID: 257928180-2727121365
Opcode ID: 4b9b8472926a1dbbb2bfbd3ee400b8eaef28321b92c72baa4835eeaf67be979a
Instruction ID: 44f93f9843116d3bc71193764c7a7d8266660cc7510cc8404991f4073b2c453a
Opcode Fuzzy Hash: 4b9b8472926a1dbbb2bfbd3ee400b8eaef28321b92c72baa4835eeaf67be979a
Instruction Fuzzy Hash: 1C116935A0421C9B8B10EBA5EC41ED977F8EF08354B5140ABB948D7252EE7CEAC8871D

Uniqueness

Uniqueness Score: -1.00%

Function 004692E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 0046B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0046B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00469355

Strings

ListBox, xrefs: 0046931F
ComboBox, xrefs: 004692F4

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5f92e08dde80f19cfc313e4ed4741c21aa06bac0fc836f6a9e4281ac307296b7
Instruction ID: 8b7598f950dc14533c073d844873de98bdf6d81ce4b3ecf28d14f20778e7493b
Opcode Fuzzy Hash: 5f92e08dde80f19cfc313e4ed4741c21aa06bac0fc836f6a9e4281ac307296b7
Instruction Fuzzy Hash: B301CC71A41214AB8B04EBA1CC919FE776DAF0A320B10061EF822973D1EB395C88865A

Uniqueness

Uniqueness Score: -1.00%

Function 004691DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 0046B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0046B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0046924D

Strings

ListBox, xrefs: 00469217
ComboBox, xrefs: 004691EC

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fa9a30aa8b978694b7b92f3f0dc79e7bee64b02e0605541e0339bf3942155959
Instruction ID: 53f30ecf293a0536cb3b11ae3cd680378832b8ef7876a59589efde526acbd92d
Opcode Fuzzy Hash: fa9a30aa8b978694b7b92f3f0dc79e7bee64b02e0605541e0339bf3942155959
Instruction Fuzzy Hash: 1A01D871A4120477CB04E7A1C892EFF77ACDF45340F14005FB51263281EA685E0C82BA

Uniqueness

Uniqueness Score: -1.00%

Function 00469264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F41: _memmove.LIBCMT ref: 00417F82

Part of subcall function 0046B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0046B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 004692D0

Strings

ListBox, xrefs: 0046929C
ComboBox, xrefs: 00469271

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ab540f0cebf60fdc02f74446254f310c4daec1520da60bd471b4fc7ccf0ad45e
Instruction ID: b531a99701629e5e34fa16f71b78e252c51dd609b58b881dab1574d903291caa
Opcode Fuzzy Hash: ab540f0cebf60fdc02f74446254f310c4daec1520da60bd471b4fc7ccf0ad45e
Instruction Fuzzy Hash: 2401F7B1A81104B7CB00E6A1C892EFF77AC9F10340F24005FB802A32C1EA395E0C927E

Uniqueness

Uniqueness Score: -1.00%

Function 00436DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00436DD0
__calloc_crt.LIBCMT ref: 00436DE9

Strings

@RM, xrefs: 00436E00

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: __calloc_crt
String ID: @RM
API String ID: 3494438863-255546921
Opcode ID: ffaa6d2c2eb65fd21584b6a120230596c68c290885d7548b0e898b7ea6637fe0
Instruction ID: 86ffd47762fc3930b09dc387bc7fc63cc60823e1dd3d8d9f8fe0ed3b07612afb
Opcode Fuzzy Hash: ffaa6d2c2eb65fd21584b6a120230596c68c290885d7548b0e898b7ea6637fe0
Instruction Fuzzy Hash: 5FF04F71309717ABE724AB5AFD01B626795E718724F12947FE500CA290EB3C9885868D

Uniqueness

Uniqueness Score: -1.00%

Function 004751CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004751E8
_wcscmp.LIBCMT ref: 004751FA

Strings

#32770, xrefs: 004751F4

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 5380acc6f563f27be27ee5774cc6ce6a13f26963c29afa2eaa1784f81da89f98
Instruction ID: c42ecdcf398edf81c153bf8069d8c390a572a01b12b1f41a635f93e60fa68d6e
Opcode Fuzzy Hash: 5380acc6f563f27be27ee5774cc6ce6a13f26963c29afa2eaa1784f81da89f98
Instruction Fuzzy Hash: A6E0613250022C27D3109A95AC05F97F7ECEB44771F0000BBFD14D7140E56499148BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004681BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004681CA

Part of subcall function 00433598: _doexit.LIBCMT ref: 004335A2

Strings

Error allocating memory., xrefs: 004681C3
AutoIt, xrefs: 004681BE

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: efc699a26123c87fb7a3a81b71a23fd52c057aafe1f6331f82660b93b19fc8fd
Instruction ID: 9e68cb09e3ad63bc744084ca94fba3a53a6593e8ce3dc71c997876a01fe105a5
Opcode Fuzzy Hash: efc699a26123c87fb7a3a81b71a23fd52c057aafe1f6331f82660b93b19fc8fd
Instruction Fuzzy Hash: 8DD05B323C531836D21432A66C0BFC67B884B19B5BF10403FBB08955D38DDD59D242DD

Uniqueness

Uniqueness Score: -1.00%

Function 0044B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0044B564: _memset.LIBCMT ref: 0044B571

Part of subcall function 00430B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0044B540,?,?,?,0041100A), ref: 00430B89

IsDebuggerPresent.KERNEL32(?,?,?,0041100A), ref: 0044B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0041100A), ref: 0044B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0044B54E

Memory Dump Source

Source File: 00000000.00000002.1978739661.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true

Associated: 00000000.00000002.1978723634.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.000000000049F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978784978.00000000004C5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978850163.00000000004CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004D8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1978866403.00000000004E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_410000_RFQ-HL51L05.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 3ca4e0538889d024d1aab2f29db32d52209900cbbb9deea1fbf850ce64cb1f05
Instruction ID: 2ed21e5c1b5764d83b6c5e9d918395f25c5ae85eb665c2335adac33658f411a1
Opcode Fuzzy Hash: 3ca4e0538889d024d1aab2f29db32d52209900cbbb9deea1fbf850ce64cb1f05
Instruction Fuzzy Hash: 45E06D702003108BE720DF69E504382BBE0EB14788F00897FE446C2650D7FCE448CBA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ-HL51L05.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Charley

C:\Users\user\AppData\Local\Temp\aut31DC.tmp

C:\Users\user\AppData\Local\Temp\aut323A.tmp

C:\Users\user\AppData\Local\Temp\ophiolatrous

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
RFQ-HL51L05.exe

Function 00413B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00414FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00414AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 004793DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00413015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 00413041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 004171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00413633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00413A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00413778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00EB2640 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 239
fileCOMMON

Function 0041F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00439D26 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 004139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00EB2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre